ZTNA SSO showing as logged in but VPN doesn't connect

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Hello,

If ZTNA SSO shows as logged in but the VPN does not connect, follow these troubleshooting steps:

1. Verify ZTNA Policy Configuration: Ensure that the ZTNA policy is correctly configured and matches the client device's attributes. Check for any missing information in the policy that might prevent the connection.
2. Check Security Posture Tags: If using security posture tags, ensure that the client device has the correct tags assigned and that they match the policy requirements.
3. Review VPN Configuration: Confirm that the VPN settings, such as the IKE version and remote gateway settings, are correctly configured. Ensure that the `remote-gw-match` and `remote-gw-ztna-tags` settings are properly set if applicable.
4. Examine Logs: Check the FortiGate logs for any error messages or warnings related to the VPN connection attempt. This can provide insights into what might be causing the issue.
5. Network Connectivity: Ensure that there are no network connectivity issues between the client device and the FortiGate. Verify that the necessary ports are open and that there are no firewall rules blocking the connection.
6. EMS Connection: Ensure that the FortiClient EMS connection is stable and that the client device is properly registered and managed by EMS.

If the issue persists after these steps, further investigation into the specific configuration and network environment may be necessary.

Thanks, I've checked all that as much as I can and it does all look ok but do I need EMS for this to work on the windows machines as it's not been needed for the iPads to work ?

I've been advised by a supplier that we don't need EMS or ZTNA for Windows to connect using SSO so I've gone back to the free FortiClient VPN only program but I'm still getting the same issue in that the SSO window (either the FortiClient internal or Windows external browser) shows successfully logged in but then nothing happens...the VPN only shows "disconnect" even though it's not actually connected (and doesn't even try). If I don't use SSO then it works fine so I know the VPN settings are correct. Looking at a lot of forums there is talk of having to get a "custom installer" with a fix to it but this was in version 7.2 and I've got the latest 7.4 so I'm stuck on what to check next as the logs don't show anything either ?

Just in addition that i've been reading some other posts that have got it working and have ran a fnbamd debug and got this below but nothing else after it....looking at the other post here for example there should be a lot more ( Solved: Forticlient IPSEC w/ SAML stuck in connecting - Page 2 - Fortinet Community )

FG # diagnose debug disable

FG # diagnose debug reset

FG # diagnose debug console timestamp enable

FG # diagnose debug enable

FG # diagnose debug application fnbamd 255
Debug messages will be on for 30 minutes.

FG # 2025-06-03 15:15:20 [2458] handle_req-Rcvd auth cache message
2025-06-03 15:15:20 [139] __saml_auth_cache_push-Hash bucket 163
2025-06-03 15:15:20 [145] __saml_auth_cache_push-Update 'B63B090E52CC4000B9266A724A85B24B', SAML_server='Azure', vfid=0
2025-06-03 15:17:20 [57] __auth_cache_maintainer-Continue the maintainer of Azure. Current entries: 1

I have also disabled EAP authentication on the VPN to see if this resolves it without success (so i think it should just do the SSO and if that works then the VPN should connect) 

Having not got this working on a Windows machine it looks like it's this that "should" be occurring: