jie (Staff)
Article Id 396681
Description: This article describes how to troubleshoot IPSec VPN IKEv2 with certificate authentication.
Scope: FortiClient, FortiClient EMS.
Solution

Error:

[915] fnbamd_cfg_get_radius_acct_servers-Error finding rad server bburgess
[353] fnbamd_acct_start_STOP-Error getting radius server
[1477] create_acct_session-Error start acct type 7
[2562] handle_req-Error creating acct session 7

[915] fnbamd_cfg_get_radius_acct_servers-Error finding rad server bburgess
[308] fnbamd_acct_start_START-Error getting radius server
[1477] create_acct_session-Error start acct type 6
[2562] handle_req-Error creating acct session 6


Validate with a sniffer whether the FortiGate is fragmenting the response it sends on UDP 4500:
In this example, the sniffer confirms the pattern: the AUTH_RESPONSE (~3 KB) is sent to the client (177.173.X.X) on UDP 4500 and is fragmented at the IP level (frag ... @0+).

If any NAT device, ISP, or firewall along the path does not reassemble or allow fragments, the peer never receives the complete response, and the session times out.

FG60F # diagnose sniffer packet any "host 177.173.X.X and (port 500 or port 4500)" 4 0 l
interfaces=[any]
filters=[host 177.173.X.X and (port 500 or port 4500)]
2025-11-11 14:12:30.415269 wan2 in 177.173.X.X.11705 -> 177.220.X.X.500: udp 369
2025-11-11 14:12:30.425691 wan2 out 177.220.X.X.500 -> 177.173.X.X.11705: udp 281
2025-11-11 14:12:30.773796 wan2 in 177.173.X.X.11709 -> 177.220.X.X.4500: udp 2468 (frag 8548:1424@0+)
2025-11-11 14:12:30.808332 wan2 out 177.220.X.X.4500 -> 177.173.X.X.11709: udp 3092 (frag 34615:1480@0+)

2025-11-11 14:12:30.808375 ike V=root:0:IPSecCertific_0:481706: sent IKE msg (AUTH_RESPONSE:( 177.220.X.X:4500->177.173.X.X:11709, len=3088, vrf=0, id=d3865dd3cb6c8c35/2c9c6b9d73c197d2:00000001, oif=6
2025-11-11 14:12:30.808491 ike V=root:0:IPSecCertific_0: link is idle 6 177.220.X.X->177.173.X.X:11709 dpd=1 seqno=1 rr=0
2025-11-11 14:12:32 disconnect_server_only[Petroserver]: disconnecting
2025-11-11 14:12:32 authd_timer_run: 1 expired
2025-11-11 14:12:32 authd_epoll_work: timeout 3980
2025-11-11 14:12:33.779641 ike V=root:0: comes 177.173.X.X:11709->177.220.X.X:4500,ifindex=6,vrf=0,len=2468....
2025-11-11 14:12:33.779728 ike V=root:0: IKEv2 exchange=AUTH id=d3865dd3cb6c8c35/2c9c6b9d73c197d2:00000001 len=2464

This error could be caused by fragmented IKE packets. Kindly enable the tag <enable_ike_fragmentation> = 1 in the FortiClient EMS IPSec VPN profile, as shown in the screenshot below.

This is because certificate authentication carries the certificate in the IKE_AUTH exchange, which makes the IKE_AUTH response larger than the MTU of the link. When that IKE message is fragmented at the IP layer, many firewalls and NAT devices drop the fragments. IKE fragmentation forces the fragmentation to occur at the IKE layer rather than the IP layer, so each fragment is a complete UDP datagram that middleboxes can forward.
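As an added illustration (not part of the original article), the following Python parses sniffer lines in the format shown above and flags IKE datagrams that were fragmented at the IP layer, recovering the IKE message size (the UDP payload minus the 4-byte NAT-T non-ESP marker on port 4500) and the link MTU implied by the first fragment; the sizes it recovers match the len= values in the IKE debug lines above. The sample lines are constructed from the capture above with placeholder addresses.

```python
import math
import re

# Constructed sample, modelled on the "diagnose sniffer packet any ... 4 0 l" output
# quoted in the article; the X.X addresses are placeholders, not real hosts.
SNIFFER_OUTPUT = """\
2025-11-11 14:12:30.415269 wan2 in 177.173.X.X.11705 -> 177.220.X.X.500: udp 369
2025-11-11 14:12:30.425691 wan2 out 177.220.X.X.500 -> 177.173.X.X.11705: udp 281
2025-11-11 14:12:30.773796 wan2 in 177.173.X.X.11709 -> 177.220.X.X.4500: udp 2468 (frag 8548:1424@0+)
2025-11-11 14:12:30.808332 wan2 out 177.220.X.X.4500 -> 177.173.X.X.11709: udp 3092 (frag 34615:1480@0+)
"""

# One verbose-level-4 line: timestamp, interface, direction, 5-tuple, UDP payload length
# and, when the IP datagram was fragmented, "(frag <id>:<len>@<offset>[+])".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ifname>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): udp (?P<udp_len>\d+)"
    r"(?: \(frag (?P<frag_id>\d+):(?P<frag_len>\d+)@(?P<frag_off>\d+)(?P<more>\+)?\))?"
)

IPV4_HDR = 20          # IPv4 header without options
UDP_HDR = 8
NON_ESP_MARKER = 4     # prepended to IKE on UDP/4500 (NAT-T), absent on UDP/500

def parse_sniffer(text):
    """Parse sniffer lines into dicts; lines that are not UDP packets are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def fragmented_ike(records):
    """Report IKE datagrams that were fragmented at the IP layer.
    A BPF 'port' filter only matches the first fragment (the only one with a UDP
    header), so the '@0+' line is the sole trace of the later fragments. The
    fragment count assumes every fragment but the last carries frag_len bytes."""
    out = []
    for r in records:
        if r["frag_id"] is None or int(r["frag_off"]) != 0:
            continue
        udp_len, frag_len = int(r["udp_len"]), int(r["frag_len"])
        natt = "4500" in (r["sport"], r["dport"])
        ip_payload = UDP_HDR + udp_len
        out.append({
            "dir": r["dir"],
            "ike_msg_len": udp_len - (NON_ESP_MARKER if natt else 0),
            "link_mtu": frag_len + IPV4_HDR,   # first-fragment size reveals the MTU used
            "fragments": math.ceil(ip_payload / frag_len),
        })
    return out

if __name__ == "__main__":
    for f in fragmented_ike(parse_sniffer(SNIFFER_OUTPUT)):
        print(f)
```

Run against a real capture, the "out" entry with three IP fragments is the symptom this article describes; after enabling IKE fragmentation the same AUTH_RESPONSE should appear as several unfragmented UDP/4500 datagrams instead.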

 

To enable IKE fragmentation, go to FortiClient EMS -> Endpoint Profiles -> Remote Access, select the assigned VPN profile, open the Phase 1 section, and toggle the option on.

[Screenshot: Phase 1 section of the Remote Access VPN profile with the IKE fragmentation option toggled on]


This option can also be enabled via XML, as shown below.

[Screenshot: XML configuration containing the enable_ike_fragmentation tag]


On the FortiGate side, configure IKEv2 fragmentation on the phase 1 interface:

config vpn ipsec phase1-interface
    edit ike
        set ike-version 2
        set fragmentation [enable|disable]
        set fragmentation-mtu <500-16000>
    next
end