FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
btan
Staff & Editor
Article Id 368288

Description
This article describes how to troubleshoot a scenario where a user can connect to a SAML IPsec VPN with the FortiClient free version, but cannot connect to the same SAML IPsec VPN with the FortiClient full version.
Scope
FortiClient v7.2.4 and above.
Solution

IPsec VPN with SAML authentication is supported starting from FortiClient v7.2.4; see IPsec VPN SAML-based authentication.

Test case 1: When using the FortiClient free version, the user can connect to the SAML IPsec VPN.
Test case 2: When installing the FortiClient full version and joining the endpoint to FortiClient EMS, the user cannot connect to the SAML IPsec VPN.

When reproducing the issue in Test case 2, run the IKE debug on FortiGate:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp en
diagnose vpn ike log filter rem-addr4 x.x.x.x <-- Replace x.x.x.x with the endpoint's public IP.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug enable

The following output is seen:

2024-11-25 00:07:49.678804 ike 0:VPN-SAML1: connection expiring due to phase1 down <---------
2024-11-25 00:07:49.678822 ike 0:VPN-SAML1: deleting
2024-11-25 00:07:49.678843 ike 0:VPN-SAML1: deleted
2024-11-25 00:07:53.222643 ike 0: comes 71.163.111.183:4500->173.79.222.162:4500,ifindex=7,vrf=0....
2024-11-25 00:07:53.222700 ike 0: IKEv2 exchange=AUTH id=f08b5ff17757de23/feb6fae6e6da1398:00000001 len=672

To disable the debugs on FortiGate:

diagnose debug disable
diagnose debug reset

In the FortiClient logs, the following output is seen:

[2024-11-25 00:47:05.6197183 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
[2024-11-25 00:52:51.9251778 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
[2024-11-25 00:59:27.0425154 UTC-04:00] [1480:7836] [FortiVPN 1874 error] fortivpn::StateMachine::HandleTunnelConnectFailed session 1's (companyA\imageadmin) vpn connection failed (reason: "Failed Unknown")
[2024-11-25 00:59:27.0434631 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!

This can happen when EAP is not enabled in the FortiClient EMS endpoint profile.
To fix this, go to FortiClient EMS -> Endpoint Profiles -> Remote Access -> (select the profile) -> Edit -> (select the tunnel) -> Edit -> Advanced Settings -> turn on 'Enable XAuth' -> Save the tunnel -> Save the profile.

(Screenshot: kb-jan2025-1.PNG)
This 'Enable XAuth' setting is actually the EAP setting; it is labelled incorrectly as 'XAuth' in the FortiClient EMS GUI.
This GUI labelling issue is planned to be fixed in a future FortiClient EMS version.
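As an added example (not part of this article or of any Fortinet tool), the Python script below parses the FortiGate IKE debug output and the FortiClient log lines of the kind shown above, rejoins IKE lines that the console wrapped, and flags the combination of "phase1 down" on the FortiGate and "Failed Unknown" on the client that points at the EAP setting in the EMS profile. The sample lines are constructed from the ones quoted in this article, and the field layout the regular expressions assume is taken only from those lines.

```python
import re
# Constructed sample input, modelled on the FortiGate IKE debug and FortiClient log lines
# quoted in this article; the "ifind / ex=7" console wrap is kept split so the parser must rejoin it.
IKE_DEBUG = """\
2024-11-25 00:07:49.678804 ike 0:VPN-SAML1: connection expiring due to phase1 down
2024-11-25 00:07:49.678843 ike 0:VPN-SAML1: deleted
2024-11-25 00:07:53.222643 ike 0: comes 71.163.111.183:4500->173.79.222.162:4500,ifind
ex=7,vrf=0....
2024-11-25 00:07:53.222700 ike 0: IKEv2 exchange=AUTH id=f08b5ff17757de23/feb6fae6e6da1398:00000001 len=672
"""
FCT_LOG = """\
[2024-11-25 00:59:27.0425154 UTC-04:00] [1480:7836] [FortiVPN 1874 error] fortivpn::StateMachine::HandleTunnelConnectFailed session 1's (companyA\\imageadmin) vpn connection failed (reason: "Failed Unknown")
[2024-11-25 00:59:27.0434631 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\\imageadmin) "SAML-VPN" disconnected unexpectedly!
"""
# "ike 0:VPN-SAML1: msg" carries a tunnel name; "ike 0: msg" (no name) does not.
IKE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \S+) ike \d+:(?:(?P<tunnel>[\w-]+):)? ?(?P<msg>.*)$")
FCT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[(?P<mod>\w+) (?P<id>\d+) (?P<lvl>\w+)\] (?P<msg>.*)$")

def parse_ike(text):
    """Parse IKE debug output; a line with no timestamp is a console wrap and is glued to the previous event."""
    events = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "tunnel": m["tunnel"], "msg": m["msg"]})
        elif events:
            events[-1]["msg"] += line.strip()
    return events

def parse_fct(text):
    """Parse FortiClient FortiVPN lines, extracting the quoted tunnel name and failure reason where present."""
    events = []
    for line in text.splitlines():
        m = FCT_RE.match(line)
        if not m:
            continue
        tunnel = re.search(r'"([^"]+)" disconnected', m["msg"])
        reason = re.search(r'reason: "([^"]*)"', m["msg"])
        events.append({"ts": m["ts"], "id": int(m["id"]), "level": m["lvl"], "msg": m["msg"],
                       "tunnel": tunnel.group(1) if tunnel else None, "reason": reason.group(1) if reason else None})
    return events

def diagnose(ike_text, fct_text):
    """Correlate both sides; 'matches_article' is True when the signature described in this article is present."""
    ike, fct = parse_ike(ike_text), parse_fct(fct_text)
    phase1_down = sorted({e["tunnel"] for e in ike if e["tunnel"] and "phase1 down" in e["msg"]})
    reasons = [e["reason"] for e in fct if e["reason"]]
    match = bool(phase1_down) and "Failed Unknown" in reasons
    return {"fortigate_phase1_down": phase1_down, "client_reasons": reasons, "matches_article": match,
            "next_step": "EMS Remote Access profile -> tunnel -> Advanced Settings -> Enable XAuth (EAP)" if match else ""}
```

Run `diagnose(IKE_DEBUG, FCT_LOG)` to see the correlated finding; feeding it real debug and log captures instead of the constructed samples needs no other change.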


Related article:

Troubleshooting Tip: IPsec Tunnel (debugging IKE)