Skip to main content
mariano_lavia
mariano_lavia
New Member
December 23, 2025
Question

FortiClient VPN Android 7.4.3 not connecting to FortiGate after upgrading to 7.6.5

  • December 23, 2025
  • 1 reply
  • 815 views

All my Android clients running FortiClient VPN 7.4.3 (ipsec/ikev1 + psk + xauth connection type) are unable to connect to my FortiGate after upgrading it's OS from 7.6.4 to 7.6.5.

The client fails with "could not estabilish session on ipsec deamon" message.

 

Using "diag debug app ike -1", I can see that phase 1 is completed, user authenticated, tunnel is up (visible on firewall ipsec monitor, but 0 bytes), but phase 2 is never completed.

 

After "negotiation result" is ok and a few lines more, it says:

 

ike V=root:0:VPN-IPSEC_6: tunnel up event assigned address 10.201.109.168
ike V=root:0:VPN-IPSEC_6: EMS: FCT UID not ready

 

then the firewall starts a loop of "retransmission" (R-U-THERE/R-U-THERE-ACK), until the client quits.
Nothing was changed on the firewall except the OS update.
Testing with other clients (not FortiClient) everything works fine.
Any idea on the cause/solution?

1 reply

HarryTran
Staff
HarryTran
Staff
December 23, 2025

Hi @mariano_lavia ,

It may be due to DH5 running on the Android client while DH5 is unsupported on FOS v7.6.5.  I found some documents for Android VPN client, hope they are helpful for you.
1. https://docs.fortinet.com/document/forticlient/7.4.0/android-administration-guide/567000/ike-parameters
2. https://docs.fortinet.com/document/forticlient/6.0.0/android-user-guide/834699/creating-an-ipsec-vpn-connection
3. https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-tunnels-not-connecting-after-upgrade-to-v7-6/ta-p/423320

 

Regards,

Harry

    mariano_lavia
    mariano_laviaAuthor
    New Member
    December 23, 2025

    Hi Harry,

    is true that we had DH 5, 14 enabled on the server side, but only DH 14 is enabled on the client. The SA negotiation is completed in my logs, and a proposal is chosen.
    Also, if I understand it correctly, the OS change is only about default values, but it doesn't mean you can't select it manually. There is no visible mismatch in our settings.
    Thanks anyway for your suggestions.

    Terms & ConditionsAccessibility statement