|
VPN users may fail to connect to dial-up IPSec VPN after upgrading FortiGate to v7.4.8 when the user belongs to multiple groups.
This issue occurs when a radius message from fnbamd is larger than 8192, where eap-proxy discards the message.
The following logs may be seen in the eap_proxy debugs.
[1175] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 127.0.0.1:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
RADIUS SRV: Received 8192 bytes from 127.0.0.1:2002 <<<<<<<
[871] __rad_rxtx-Sent radius req to server 'EAP_PROXY': fd=11, IP=127.0.0.1(127.0.0.1:1812) code=1 id=3 len=9709 <<<<<<<
[880] __rad_rxtx-Start rad conn timer.
RADIUS SRV: Received data - hexdump(len=8192): <<<<<<<
01 03 25 ed 82 c4 79 cf 99 b4 eb 72 3b ae c3 89 e7 3a 23 ad 4f 27 02 4b 00 25 01 34 39 32 36 45
.
.
RADIUS: Invalid message length
RADIUS SRV: Parsing incoming RADIUS frame failed
[731] __rad_conn_timeout-Connction with EAP_PROXY:127.0.0.1 timed out.
This issue has been resolved in:
v7.6.5 (available to download from the Fortinet Support portal).
v8.0.0 (scheduled to be released in March 2026).
These timelines for firmware release are estimated and may be subject to change.
General debug information required by FortiGate TAC for investigation:
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug application samld -1
diagnose debug enable
Reproduce the issue.
diagnose debug reset
execute tac report
- Configuration file of the FortiGate.
|
