FortiClient
idumancic
Staff
Article Id 408078
Description

This article describes which FortiClient settings to check when the FortiGate IKE debug shows a 'gw validation failed' error in an IPsec VPN with SAML-based authentication.

Scope

FortiGate, FortiClient.
Solution

This article describes a possible issue when using SAML authentication with IPsec. Even with EAP enabled on FortiGate, the 'gw validation failed' error can still occur; the IKE SA is then scheduled for deletion and, after some time, the connection expires because phase 1 is down.

Settings to check:

  • Check that the local ID and peer ID match on both sides, on FortiClient and FortiGate.
  • Check that EAP is enabled on FortiGate.
  • Check the status of the xAuth parameter in FortiClient.

Example with the xAuth parameter enabled:

xAuth enabled on FortiClient:
<prompt_certificate>1</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>

Debug from FortiGate:

ike 1:SRA_SAML:165: received FCT-UID = 9B05711EA27E4E66B7C6BD5721D1DD06
ike 1:SRA_SAML:165: received EMS SN : FCTEMS8822004504
ike 1:SRA_SAML:165: received EMS tenant ID : 00000000000000000000000000000000
ike 1:SRA_SAML:165: peer identifier IPV4_ADDR 10.0.40.111
ike 1:SRA_SAML:165: re-validate gw ID
ike 1:SRA_SAML:165: gw validation OK
ike 1:SRA_SAML:165: responder preparing EAP identity request

Example with the xAuth parameter disabled:

xAuth disabled on FortiClient:
<prompt_certificate>1</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>0</enabled>
<prompt_username>1</prompt_username>
</xauth>

Debug from FortiGate:

ike 1:SRA_SAML:167: received FCT-UID = 9B05711EA27E4E66B7C6BD5721D1DD06
ike 1:SRA_SAML:167: received EMS SN : FCTEMS8822004504
ike 1:SRA_SAML:167: received EMS tenant ID : 00000000000000000000000000000000
ike 1:SRA_SAML:167: peer identifier IPV4_ADDR 10.0.40.111
ike 1:SRA_SAML:167: re-validate gw ID
ike 1:SRA_SAML:167: gw validation failed
ike 1:SRA_SAML:167: schedule delete of IKE SA b8d8e3829cb8dbdf/b7bf2bca4e33e462
ike 1:SRA_SAML:167: scheduled delete of IKE SA b8d8e3829cb8dbdf/b7bf2bca4e33e462
ike 1:SRA_SAML: connection expiring due to phase1 down
ike 1:SRA_SAML: deleting
ike 1:SRA_SAML: deleted

If xAuth is disabled on FortiClient, gateway validation fails, the IKE SA is deleted, and the connection expires with phase1 down, as shown in the debug above.
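As an added example (not part of the original article, and not Fortinet code), the following Python script automates the two checks above: it reads the <xauth><enabled> value from a FortiClient profile fragment and scans FortiGate IKE debug output for the gateway validation result and the phase1-down event, then maps the outcome onto the settings listed earlier. The profile fragment is wrapped in an assumed <ipsec> root so it parses as XML, the debug lines are a constructed sample modelled on the failing case shown above, and the gateway name SRA_SAML is taken from that output.

```python
"""Added example: correlate the FortiClient xAuth setting with FortiGate IKE debug."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the FortiClient profile fragment from the article, with
# xAuth disabled, wrapped in an assumed <ipsec> root so it is well-formed XML.
SAMPLE_FORTICLIENT_XML = """<ipsec>
<prompt_certificate>1</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>0</enabled>
<prompt_username>1</prompt_username>
</xauth>
</ipsec>"""

# Constructed sample of 'diagnose debug application ike -1' output, modelled
# on the failing case shown in the article.
SAMPLE_IKE_DEBUG = """\
ike 1:SRA_SAML:167: peer identifier IPV4_ADDR 10.0.40.111
ike 1:SRA_SAML:167: re-validate gw ID
ike 1:SRA_SAML:167: gw validation failed
ike 1:SRA_SAML:167: schedule delete of IKE SA b8d8e3829cb8dbdf/b7bf2bca4e33e462
ike 1:SRA_SAML: connection expiring due to phase1 down
ike 1:SRA_SAML: deleted
"""

# Line shape: ike <n>:<gateway>[:<connection-id>]: <message>
IKE_LINE_RE = re.compile(r"^ike \d+:(?P<gw>[^:]+)(?::(?P<conn>\d+))?: (?P<msg>.*)$")


def xauth_enabled(profile_xml: str) -> bool:
    """Return True when <xauth><enabled> is 1 in the FortiClient profile."""
    root = ET.fromstring(profile_xml)
    node = root.find(".//xauth/enabled")
    if node is None or node.text is None:
        raise ValueError("profile has no <xauth><enabled> element")
    return node.text.strip() == "1"


def summarize_ike_debug(debug_text: str) -> dict:
    """Collect, per gateway, the peer ID, gw validation result and phase1 state."""
    summary = {}
    for raw in debug_text.splitlines():
        m = IKE_LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines from other daemons (fnbamd, samld, ...)
        entry = summary.setdefault(
            m["gw"], {"peer_id": None, "gw_validation": None, "phase1_down": False}
        )
        msg = m["msg"]
        if msg.startswith("peer identifier "):
            entry["peer_id"] = msg[len("peer identifier "):]
        elif msg == "gw validation OK":
            entry["gw_validation"] = "OK"
        elif msg == "gw validation failed":
            entry["gw_validation"] = "failed"
        elif "phase1 down" in msg:
            entry["phase1_down"] = True
    return summary


def diagnose(profile_xml: str, debug_text: str, gateway: str) -> list:
    """Map the debug result onto the settings the article says to check."""
    entry = summarize_ike_debug(debug_text).get(gateway)
    if entry is None:
        return [f"no ike debug lines seen for gateway {gateway}"]
    findings = []
    if entry["gw_validation"] == "failed":
        findings.append(f"gw validation failed for peer {entry['peer_id']}")
        if not xauth_enabled(profile_xml):
            findings.append("xAuth is disabled in the FortiClient profile (<enabled>0)")
        else:
            findings.append("xAuth is enabled; check local/peer ID match and EAP on FortiGate")
    elif entry["gw_validation"] == "OK":
        findings.append("gw validation OK")
    if entry["phase1_down"]:
        findings.append("connection expired: phase1 down")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_FORTICLIENT_XML, SAMPLE_IKE_DEBUG, "SRA_SAML"):
        print(line)
```

Run it against a saved copy of the ike debug and the FortiClient profile XML; on the sample above it reports the failed validation for peer 10.0.40.111, points at the disabled xAuth setting, and flags the phase1-down expiry. Lines from fnbamd, samld or eap_proxy are skipped by the regex, so the full debug capture can be fed in unfiltered.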

Useful commands to collect the debug output on FortiGate:

diagnose debug reset
diagnose debug console time enable
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug application eap_proxy -1
diagnose vpn ike log filter rem-addr4 <RemoteClientIp>
diagnose debug application ike -1
diagnose debug enable