FortiGate
Matt_B
Staff & Editor
Article Id 422355
Description: This article describes an unsupported configuration that may cause VPN connections to fail after an upgrade to FortiOS v7.4.9.
Scope: FortiOS v7.4.9, v7.6.3 and later.
Solution

If Azure AD auto-connect is enabled in the FortiClient remote-connection profile but not enabled on the FortiGate dialup IPsec phase1-interface, FortiClient users could still match the intended dialup IPsec gateway and connect to the VPN in FortiOS v7.4.8 and earlier. This combination was never a supported configuration; it simply went unchecked.

 

In FortiOS v7.4.9, v7.6.3 and later, the tunnel connection fails with 'no matching gateway' if the FortiGate receives the AZURE_AD_AUTOCONNECT notify from FortiClient but azure-ad-autoconnect is disabled on the IPsec phase1-interface. In the IKE debug this shows up as a rejected SA_INIT: the gateway (saml-vpn below) is selected and its proposal matches the client's, yet the negotiation ends with 'no proposal chosen' and a Negotiate SA Error.

 

diagnose debug application ike -1
diagnose debug enable
...
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: responder received SA_INIT msg
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: VID forticlient connect license <>
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: VID Fortinet Endpoint Control <>
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: VID Forticlient EAP Extension <>
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: received notify type AZURE_AD_AUTOCONNECT
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: received notify type CHILDLESS_IKEV2_SUPPORTED
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: ignoring unauthenticated notify payload (CHILDLESS_IKEV2_SUPPORTED)
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: received notify type VPN_NETWORK_ID
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: NETWORK ID : 0
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: incoming proposal:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: proposal id = 1:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: protocol = IKEv2:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: encapsulation = IKEv2/none
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=DH_GROUP, val=MODP2048.
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: proposal id = 2:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: protocol = IKEv2:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: encapsulation = IKEv2/none
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=ENCR, val=AES_CBC (key_len = 192)
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=DH_GROUP, val=MODP2048.
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: my proposal, gw saml-vpn:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: proposal id = 1: <-- proposal DH group and encryption methods match.
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: protocol = IKEv2:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: encapsulation = IKEv2/none
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=DH_GROUP, val=MODP2048.
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: lifetime=86400
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: proposal id = 2:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: protocol = IKEv2:
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: encapsulation = IKEv2/none
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=ENCR, val=AES_CBC (key_len = 192)
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: type=DH_GROUP, val=MODP2048.
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: lifetime=86400
ike V=root:0:eb7b8a3ad1efdd55/0000000000000000:45348: no proposal chosen
ike V=root:Negotiate SA Error: [12071]
...
diagnose debug disable
diagnose debug reset

 

show full-configuration vpn ipsec phase1-interface saml-vpn | grep azure-ad
set azure-ad-autoconnect disable
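As an added example (not Fortinet's code and not part of this article), the following Python script parses 'diagnose debug application ike -1' output of the shape shown above and separates this case from a real proposal mismatch: it groups lines by initiator/responder SPI pair, records the notify payloads received, the selected gateway and both sides' proposals, and flags a rejected SA whose proposals actually match while an AZURE_AD_AUTOCONNECT notify was received. The sample lines are constructed from the output above; the second SA, with a deliberately different DH group, is invented for contrast, and the verdict labels are the script's own.

```python
"""Triage FortiGate 'diagnose debug application ike -1' output for the azure-ad-autoconnect mismatch."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Shape of one debug line: ike V=<vdom>:<idx>:<initiator-spi>/<responder-spi>:<serial>: <message>
LINE_RE = re.compile(
    r"^ike V=(?P<vdom>[^:]+):(?P<idx>\d+):(?P<spi>[0-9a-f]+/[0-9a-f]+):(?P<serial>\d+): (?P<msg>.*)$"
)
NOTIFY_RE = re.compile(r"^received notify type (?P<name>\S+)$")
GW_RE = re.compile(r"^my proposal, gw (?P<gw>\S+?):$")
PROP_RE = re.compile(r"^proposal id = (?P<id>\d+):")                 # tolerates trailing annotations
XFORM_RE = re.compile(r"^type=(?P<type>\w+), val=(?P<val>.+?)\.?$")  # strips the trailing '.'


@dataclass
class IkeSa:
    spi: str
    notifies: list = field(default_factory=list)
    gateway: Optional[str] = None
    incoming: dict = field(default_factory=dict)   # proposal id -> {(transform type, value)}
    mine: dict = field(default_factory=dict)
    outcome: Optional[str] = None
    side: Optional[str] = None                     # parser state: "incoming" or "mine"
    prop: Optional[int] = None                     # parser state: current proposal id


def parse_ike_debug(lines):
    """Group debug lines by SPI pair and extract notifies, gateway, proposals and outcome."""
    sas = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                               # e.g. 'ike V=root:Negotiate SA Error: [12071]'
        sa = sas.setdefault(m["spi"], IkeSa(m["spi"]))
        msg = m["msg"].strip()
        if (n := NOTIFY_RE.match(msg)):
            sa.notifies.append(n["name"])
        elif msg == "incoming proposal:":
            sa.side, sa.prop = "incoming", None
        elif (g := GW_RE.match(msg)):
            sa.gateway, sa.side, sa.prop = g["gw"], "mine", None
        elif (p := PROP_RE.match(msg)) and sa.side:
            sa.prop = int(p["id"])
            getattr(sa, sa.side)[sa.prop] = set()
        elif (x := XFORM_RE.match(msg)) and sa.side and sa.prop is not None:
            getattr(sa, sa.side)[sa.prop].add((x["type"], x["val"]))
        elif msg == "no proposal chosen":
            sa.outcome, sa.side, sa.prop = msg, None, None
    return sas


def _by_type(transforms):
    out = {}
    for t, v in transforms:
        out.setdefault(t, set()).add(v)
    return out


def proposals_compatible(a, b):
    """True when both proposals cover the same transform types and share a value for each type."""
    ta, tb = _by_type(a), _by_type(b)
    return set(ta) == set(tb) and all(ta[t] & tb[t] for t in ta)


def diagnose(sa):
    """Classify a rejected SA; None if the SA was not rejected with 'no proposal chosen'."""
    if sa.outcome != "no proposal chosen":
        return None
    crypto_ok = any(proposals_compatible(i, m) for i in sa.incoming.values() for m in sa.mine.values())
    if not crypto_ok:
        return ("crypto-mismatch", sa.gateway)
    if "AZURE_AD_AUTOCONNECT" in sa.notifies:
        # Proposals match and the client asked for Azure AD auto-connect: check
        # 'set azure-ad-autoconnect' on this phase1-interface (known issue 1125487 pattern).
        return ("azure-ad-autoconnect-mismatch", sa.gateway)
    return ("rejected-unexplained", sa.gateway)


def triage(lines):
    return {spi: diagnose(sa) for spi, sa in parse_ike_debug(lines).items() if sa.outcome}


# Constructed sample: the first SA reproduces the article's output (trimmed); the second SA is
# invented with a different DH group to show a genuine proposal mismatch for contrast.
def _lines(ispi, serial, *msgs):
    return [f"ike V=root:0:{ispi}/0000000000000000:{serial}: {m}" for m in msgs]

XF = ["type=ENCR, val=AES_CBC (key_len = 128)", "type=INTEGR, val=AUTH_HMAC_SHA2_256_128",
      "type=PRF, val=PRF_HMAC_SHA2_256"]
SAMPLE = (
    _lines("eb7b8a3ad1efdd55", 45348, "responder received SA_INIT msg",
           "received notify type NAT_DETECTION_SOURCE_IP", "received notify type AZURE_AD_AUTOCONNECT",
           "incoming proposal:", "proposal id = 1:", "protocol = IKEv2:", *XF, "type=DH_GROUP, val=MODP2048.",
           "my proposal, gw saml-vpn:", "proposal id = 1: <-- annotation", *XF, "type=DH_GROUP, val=MODP2048.",
           "lifetime=86400", "no proposal chosen")
    + ["ike V=root:Negotiate SA Error: [12071]"]
    + _lines("1122334455667788", 45349, "responder received SA_INIT msg", "incoming proposal:",
             "proposal id = 1:", *XF, "type=DH_GROUP, val=MODP1536.", "my proposal, gw saml-vpn:",
             "proposal id = 1:", *XF, "type=DH_GROUP, val=MODP2048.", "no proposal chosen")
)

if __name__ == "__main__":
    for spi, verdict in triage(SAMPLE).items():
        print(spi, verdict)
```

Feed it the saved output of the debug session (one line per list element); an SA reported as azure-ad-autoconnect-mismatch is the case this article describes, while crypto-mismatch means the phase1 proposal itself needs attention rather than the auto-connect setting.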

 

This behaviour change is the result of the fix for known issue ID 1125487, listed in the FortiOS v7.4.8 Release Notes under Known Issues.

 

Resolution:


The VPN connection failure after upgrade occurs only with this unsupported configuration. To resolve it, the Azure AD auto-connect settings on FortiClient and on the FortiGate phase1-interface must be made to match, either before or after the FortiOS upgrade. If they do not match, the feature was never actually in use, so the recommended fix is to disable Azure AD auto-connect in the FortiClient EMS remote-connection profile:

 

<azure_auto_login>
  <enabled>0</enabled>
  <azure_app />
</azure_auto_login>


Alternatively, complete the Azure AD auto-connect configuration on the FortiGate so that the feature is supported on both sides. Note that completing this configuration is not transparent to end users and may prevent existing users from connecting to the VPN until it is correctly configured. See FortiClient v7.4.4 EMS Administration Guide | Autoconnect to IPsec VPN using Entra ID logon session ....
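Added example, not part of the article and not Fortinet tooling: a Python check that reads the EMS remote-connection profile XML and a 'show full-configuration vpn ipsec phase1-interface' dump, compares the azure_auto_login and azure-ad-autoconnect settings per gateway, and produces the corrected profile with auto-connect disabled. The elements around <azure_auto_login>, the <name> element, the sample FortiGate config, the FortiOS default of disable when the line is absent, and the assumption that the EMS connection name equals the phase1-interface name are simplifications for this example; in a real deployment, pair each profile with the gateway it actually dials.

```python
"""Compare FortiClient EMS profile and FortiGate phase1-interface Azure AD auto-connect settings."""
import re
import xml.etree.ElementTree as ET

# Constructed EMS profile. Only <azure_auto_login> follows the article; the surrounding
# elements and <name> are assumptions made for this example.
EMS_PROFILE = """<forticlient_configuration>
  <vpn><ipsecvpn><connections>
    <connection>
      <name>saml-vpn</name>
      <azure_auto_login>
        <enabled>1</enabled>
        <azure_app />
      </azure_auto_login>
    </connection>
  </connections></ipsecvpn></vpn>
</forticlient_configuration>
"""

# Constructed excerpt of 'show full-configuration vpn ipsec phase1-interface'.
FGT_CONFIG = """config vpn ipsec phase1-interface
    edit "saml-vpn"
        set type dynamic
        set ike-version 2
        set azure-ad-autoconnect disable
    next
    edit "site-to-site"
        set type static
        set ike-version 2
    next
end
"""


def ems_autoconnect(profile_xml):
    """Map EMS connection name -> True/False for <azure_auto_login><enabled>."""
    root = ET.fromstring(profile_xml)
    result = {}
    for conn in root.iter("connection"):
        enabled = conn.findtext("azure_auto_login/enabled", default="0")
        result[conn.findtext("name")] = enabled.strip() == "1"
    return result


def fgt_autoconnect(config_text):
    """Map phase1-interface name -> True/False for 'set azure-ad-autoconnect'.
    Assumes the default (disable) when the line is absent."""
    result, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if (m := re.match(r'^edit "(.+)"$', line)):
            current = m.group(1)
            result[current] = False
        elif current and (m := re.match(r"^set azure-ad-autoconnect (enable|disable)$", line)):
            result[current] = m.group(1) == "enable"
        elif line == "next":
            current = None
    return result


def find_mismatches(profile_xml, config_text):
    """Return (name, reason) for every connection whose two sides disagree."""
    ems, fgt = ems_autoconnect(profile_xml), fgt_autoconnect(config_text)
    findings = []
    for name, client_on in ems.items():
        gw_on = fgt.get(name)
        if gw_on is None:
            findings.append((name, "no phase1-interface with this name on the FortiGate"))
        elif client_on and not gw_on:
            findings.append((name, "FortiClient sends AZURE_AD_AUTOCONNECT but azure-ad-autoconnect is "
                                   "disabled on the FortiGate: disable it in EMS or enable it on the FortiGate"))
        elif gw_on and not client_on:
            findings.append((name, "FortiGate expects AZURE_AD_AUTOCONNECT but the EMS profile disables it"))
    return findings


def disable_ems_autoconnect(profile_xml, connection):
    """Return the profile with <enabled> set to 0 for one connection (the article's recommended fix)."""
    root = ET.fromstring(profile_xml)
    for conn in root.iter("connection"):
        if conn.findtext("name") == connection:
            enabled = conn.find("azure_auto_login/enabled")
            if enabled is not None:
                enabled.text = "0"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, reason in find_mismatches(EMS_PROFILE, FGT_CONFIG):
        print(f"{name}: {reason}")
    print(disable_ems_autoconnect(EMS_PROFILE, "saml-vpn"))
```

Run the check against the exported profile and config before the upgrade; an empty findings list means the two sides already agree and the upgrade will not affect these tunnels.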
