FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
kcheng
Staff
Article Id 284190
Description

This article describes an issue where the FortiClient iOS VPN ONLY app fails to connect to SSL VPN with Azure SAML SSO and MFA after being updated to version 7.2.2.0116, which was rolled out on 22nd September 2023.

To identify the root cause, enable SSL VPN debugging on the FortiGate, replacing <Client's PIP> with the client's public IP address (remember to disable debugging again once the capture is complete):

diag vpn ssl debug-filter src-addr4 <Client's PIP>

diag deb app sslvpn -1

diag deb en

For this issue specifically, the debug log shows that the client negotiated a DTLS tunnel with the SSL VPN, but the FortiGate then timed out waiting for the DTLS client hello, so the connection and its web session were removed:

<Sample debug log>

[303:root:65f]DTLS established: DTLSv1 ECDHE-RSA-AES256-GCM-SHA384 from <Public IP>
...
[303:root:65f]sslvpn_dtls_timeout_check:312 waiting for client hello timeout.
[303:root:65f]Destroy sconn 0x7fa543fc00, connSize=0. (root)
[305:root:0]sslvpn_internal_remove_one_web_session:3381 web session (root:<username>:<Group>:<Public IP>:1 1) removed for tunnel connection setup timeout
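As an added example (not part of the original article), the Python snippet below parses FortiGate SSL VPN debug output in the format shown above and correlates the three events that characterise this failure: the "DTLS established" line, the "waiting for client hello timeout" line on the same connection ID, and the subsequent web session removal. The sample log, the usernames, groups and IP addresses inside it are constructed for the example.

```python
import re

# Constructed sample modelled on the FortiGate debug output shown in the article.
SAMPLE_LOG = """\
[303:root:65f]DTLS established: DTLSv1 ECDHE-RSA-AES256-GCM-SHA384 from 203.0.113.10
[303:root:65f]sslvpn_dtls_timeout_check:312 waiting for client hello timeout.
[303:root:65f]Destroy sconn 0x7fa543fc00, connSize=0. (root)
[305:root:0]sslvpn_internal_remove_one_web_session:3381 web session (root:alice:vpn-users:203.0.113.10:1 1) removed for tunnel connection setup timeout
[303:root:66a]DTLS established: DTLSv1 ECDHE-RSA-AES256-GCM-SHA384 from 198.51.100.7
"""

# "[pid:vdom:conn]" prefix that every sslvpn debug line carries.
PREFIX = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:]+):(?P<conn>[0-9a-f]+)\](?P<msg>.*)$")
ESTABLISHED = re.compile(r"DTLS established: (?P<cipher>\S+ \S+) from (?P<ip>\S+)")
TIMEOUT = "waiting for client hello timeout"
REMOVED = re.compile(
    r"web session \((?P<vdom>[^:]+):(?P<user>[^:]+):(?P<group>[^:]*):(?P<ip>[^:]+):[^)]*\)"
    r" removed for tunnel connection setup timeout"
)


def find_dtls_timeouts(log_text):
    """Return one record per client whose DTLS tunnel stalled after 'DTLS established'."""
    pending = {}   # connection id -> details from its 'DTLS established' line
    results = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        est = ESTABLISHED.search(msg)
        if est:
            pending[conn] = {"client_ip": est.group("ip"), "cipher": est.group("cipher"),
                             "user": None, "group": None}
            continue
        # Timeout on a connection we saw established: that is the failure signature.
        if TIMEOUT in msg and conn in pending:
            results.append(pending.pop(conn))
            continue
        # The web session removal runs under a different conn id; join it on client IP.
        rem = REMOVED.search(msg)
        if rem:
            for rec in results:
                if rec["client_ip"] == rem.group("ip") and rec["user"] is None:
                    rec["user"], rec["group"] = rem.group("user"), rem.group("group")
    return results
```

Running it over a real capture taken with the debug commands above lists the clients affected by the DTLS timeout; connections that established DTLS without timing out (the second client in the sample) are not reported.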

Scope

FortiClient (VPN ONLY) v7.2.2.0116.
Solution

There are two workarounds for this issue:

  1. Delete the FortiClient VPN ONLY app from the iOS devices (iPhone, iPad), install the full version of FortiClient, and configure the SSL VPN settings accordingly on the connection page.

Note:

The full version of FortiClient has a 30-day trial period if there is no valid FortiClient EMS license.

  2. Disable DTLS in the FortiGate SSL VPN settings (this setting is global, so all SSL VPN tunnel clients on that FortiGate will use TLS instead of DTLS):

config vpn ssl settings
    set dtls-tunnel disable
end

This issue should be resolved in FortiClient VPN ONLY version 7.2.3. Until then, workaround option 2 is preferred, as option 1 is limited by the 30-day trial period.

Note that the FortiClient VPN-only version is not entitled to TAC support. Support for this version is provided through the community Forum post: cannot longer connect FortiClientVPN 7.2.2.0116 Azure SAML MFA.