ssanga
Staff & Editor
Article Id 425935
Description

This article describes an issue where dial-up IPsec VPN users may fail to connect if the authentication server returns large group names or many groups.

Scope

FortiGate IKEv2.

FortiOS v7.4.9 and earlier, v7.6.4 and earlier.

Solution

VPN users may fail to connect to a dial-up IPsec VPN when the user belongs to multiple groups.
On affected firmware versions, the maximum RADIUS packet size that the EAP proxy can receive internally from the fnbamd daemon is 8192 bytes. Messages larger than this are discarded, and the fnbamd daemon reports a RADIUS connection timeout.

During the issue, the following logs may be seen in the fnbamd and eap_proxy debugs:

diagnose debug application fnbamd -1

diagnose debug application eap_proxy -1

diagnose debug enable

.
.

[1175] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 127.0.0.1:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
RADIUS SRV: Received 8192 bytes from 127.0.0.1:2002
[871] __rad_rxtx-Sent radius req to server 'EAP_PROXY': fd=11, IP=127.0.0.1(127.0.0.1:1812) code=1 id=3 len=9709 <<<<<<<
[880] __rad_rxtx-Start rad conn timer.
RADIUS SRV: Received data - hexdump(len=8192):
01 03 25 ed 82 c4 79 cf 99 b4 eb 72 3b ae c3 89 e7 3a 23 ad 4f 27 02 4b 00 25 01 34 39 32 36 45
.
.
RADIUS: Invalid message length
RADIUS SRV: Parsing incoming RADIUS frame failed
[731] __rad_conn_timeout-Connction with EAP_PROXY:127.0.0.1 timed out.
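The hexdump above already contains the explanation: the first four bytes of a RADIUS frame are code, identifier and a 16-bit length, and here they decode to code=1, id=3, length=9709, while the proxy only read 8192 bytes. The following Python is an added example (not Fortinet code) that performs that header check; it assumes the 32 printed bytes are the start of the frame and pads the remainder of the 8192-byte buffer with constructed zeros.

```python
import struct

# Limit the EAP proxy can receive from fnbamd on affected FortiOS builds (from the article).
EAP_PROXY_RX_LIMIT = 8192
RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# First 32 bytes exactly as printed in the eap_proxy hexdump; the rest of the 8192-byte
# buffer is constructed zero padding because the article elides it.
HEXDUMP_HEAD = bytes.fromhex(
    "01 03 25 ed 82 c4 79 cf 99 b4 eb 72 3b ae c3 89 e7 3a 23 ad 4f 27 02 4b 00 25 01 34 39 32 36 45"
)
TRUNCATED_FRAME = HEXDUMP_HEAD + b"\x00" * (EAP_PROXY_RX_LIMIT - len(HEXDUMP_HEAD))


def parse_radius_header(frame: bytes):
    """Return (code, identifier, declared_length) from the 4-byte RADIUS header prefix."""
    if len(frame) < 4:
        raise ValueError("fewer than 4 bytes: no RADIUS header")
    return struct.unpack("!BBH", frame[:4])


def check_frame(received: bytes, rx_limit: int = EAP_PROXY_RX_LIMIT) -> dict:
    """Mirror the receiver's sanity check: the declared length must fit what was read."""
    code, ident, declared = parse_radius_header(received)
    result = {"code": code, "id": ident, "declared": declared, "received": len(received)}
    if declared < RADIUS_HEADER_LEN or declared > len(received):
        result["verdict"] = "invalid message length"
    else:
        result["verdict"] = "ok"
    # Flag the case the article describes: sender's frame exceeds the proxy's receive limit.
    result["truncated_by_rx_limit"] = declared > rx_limit >= len(received)
    return result


def fitting_frame(declared: int = 4000) -> bytes:
    """Constructed Access-Request-shaped frame whose declared length matches what is read."""
    return struct.pack("!BBH", 1, 4, declared) + b"\x00" * (declared - 4)


if __name__ == "__main__":
    print(check_frame(TRUNCATED_FRAME))  # declared 9709 > received 8192 -> invalid
    print(check_frame(fitting_frame()))  # declared 4000 == received 4000 -> ok
```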
In the following firmware versions, the maximum EAP message size has been increased, which increases the maximum number of groups that can be successfully received:

  • v7.4.10 (scheduled to be released January 2026).
  • v7.6.5 (available to download from the Fortinet Support portal).
  • v8.0.0 (scheduled to be released in March 2026).

These timelines for firmware release are estimated and may be subject to change.

General debug information required by FortiGate TAC for investigation:

  • Debugs:

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug application samld -1
diagnose debug enable
Reproduce the issue. Disable the debug with:

diagnose debug reset
diagnose debug disable

  • TAC Report:

execute tac report

Or:

diagnose debug report

The following article also shows the steps to collect the debug logs and the TAC report: Technical Tip: Download Debug Logs and 'execute tac report'.

  • Configuration file of the FortiGate.