ssanga
Staff & Editor
Article Id 377183
Description

This article describes an issue where SSL VPN users using SAML authentication are unable to connect when SAML metadata is missing on the FortiGate.

The problem occurs when the reserved internal kernel UDP socket 8900 of the SSL VPN process is occupied by the hatalk daemon, causing the sslvpnd process to crash, which in turn leads to the removal of the metadata by FortiGate.

Scope
FortiGate v7.2.10.
Solution

SSL VPN users using SAML authentication fail to connect in both tunnel mode and web mode. The following errors appear in the SAML debug logs:

diagnose debug application samld -1
diagnose debug enable
gen_sp_server [309]: Failed to create SP
samld_send_common_reply [91]: Code: 1, id: 3021, pid: 24468, len: 16, data_len 0
samld_send_common_reply [119]: Sent resp: 16, pid=24468, job_id=3021.
samld_process_request [145]: len=457, cmd=0, pid=24469, job_id=3021
samld_process_request [162]: Received 457, 0x1919670

It is observed that the SAML metadata file gets deleted and that the UDP kernel socket 8900 is bound to the hatalk daemon instead of the sslvpnd process.
Because port 8900 is occupied by another daemon (in this case, hatalk), the first child process of sslvpnd fails to start.

This child process is responsible for creating the SAML metadata whenever all sslvpnd processes are restarted. As a result, the SAML metadata cannot be generated, which can be verified with the following commands:

diagnose vpn ssl saml-metadata <SAML name>
stat('/dev/cmdb/.hidden/sslvpn/tmp/0-saml-sp-meta.xml') failed: No such file or directory

diagnose system udpsock | grep 8900
127.0.0.1:8900->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=5873800 process=10226/hatalk

This issue has been resolved in FortiOS versions 7.4.8 and 7.6.3.

Workaround 1:
Delete and reconfigure the SAML configuration. The issue may resurface if FortiGate is rebooted or the sslvpnd daemons are restarted.


Note:

SAML metadata is also not generated when the configuration has an incorrect/invalid idp-cert.
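The two checks above (UDP 8900 held by a process other than sslvpnd, and "Failed to create SP" in the samld debug) can be scripted against collected output. The following is an added example, not FortiGate code; the sample lines are constructed to match the format shown in this article, and the "iked" line is an assumed filler entry.

```python
import re
from typing import Optional

# Constructed sample of `diagnose sys udpsock` output: the first line mirrors the
# article's conflicting socket, the second is an assumed unrelated daemon.
UDPSOCK_SAMPLE = """\
127.0.0.1:8900->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=5873800 process=10226/hatalk
0.0.0.0:500->0.0.0.0:0 state=closed txq=0 rxq=0 uid=0 inode=1234 process=998/iked
"""

# Constructed samld debug excerpt containing the failure line from the article.
SAMLD_SAMPLE = "gen_sp_server [309]: Failed to create SP\n"

SSLVPN_RESERVED_PORT = 8900  # reserved internal UDP socket of sslvpnd (per the article)

LINE_RE = re.compile(
    r"^(?P<laddr>[\d.]+):(?P<lport>\d+)->(?P<raddr>[\d.]+):(?P<rport>\d+)"
    r"\s+state=(?P<state>\S+).*?process=(?P<pid>\d+)/(?P<name>\S+)$"
)

def parse_udpsock(output: str) -> list[dict]:
    """Parse `diagnose sys udpsock` lines into dicts; lines that do not match are skipped."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"], d["pid"] = int(d["lport"]), int(d["pid"])
            sockets.append(d)
    return sockets

def find_port_8900_conflict(output: str) -> Optional[str]:
    """Return 'pid/name' of a non-sslvpnd process holding UDP 8900, or None if clean."""
    for s in parse_udpsock(output):
        if s["lport"] == SSLVPN_RESERVED_PORT and s["name"] != "sslvpnd":
            return f'{s["pid"]}/{s["name"]}'
    return None

def saml_sp_creation_failed(samld_debug: str) -> bool:
    """True when the samld debug shows the SP creation failure quoted in the article."""
    return "Failed to create SP" in samld_debug

def triage(udpsock_output: str, samld_debug: str) -> str:
    """Combine both checks into a single verdict string."""
    conflict = find_port_8900_conflict(udpsock_output)
    if conflict and saml_sp_creation_failed(samld_debug):
        return f"port-8900-conflict:{conflict}"
    if saml_sp_creation_failed(samld_debug):
        return "sp-creation-failed:check-idp-cert"  # article notes an invalid idp-cert also blocks metadata
    return "ok"
```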

Workaround 2:
Change the FortiGate's daemon source port range so that it no longer includes port 8900. This requires a reboot of the FortiGate:


config sys global
    set ip-src-port-range 10000-65535
end

General debug information required by FortiGate TAC for investigation:

  1. Debugs:

diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

Reproduce the issue, then run:

diagnose debug disable
diagnose debug reset

diagnose vpn ssl saml-metadata <SAML name>
diagnose ip udp list
diagnose sys udpsock
fnsysctl ps

  2. TAC Report:

execute tac report

  3. Configuration file of the FortiGate.