Created on 09-24-2024 05:25 AM Edited on 11-07-2024 12:19 AM By Jean-Philippe_P
Description: This article describes how to troubleshoot the IPsec SAML dial-up tunnel if it fails to connect.
Scope: FortiGate, FortiClient.
Solution:
For initial deployment, review this KB article: Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN.
If the dial-up tunnel fails to connect, there can be multiple reasons. Start by enabling EAP proxy debugging with timestamps:

diag debug console timestamp enable
diag debug application eap_proxy -1
diag debug enable
Initiate the SAML connection and check whether SAML authentication passed. If the logs stop after the SAML reply and no IKE logs follow, in most cases the issue is the remote authentication timeout value:

samld_send_common_reply [99]: Attr: 11, 1449, https://login.microsoftonline.com/xxxxxx-
send_common_reply [119]: Sent resp:

Analyze the following output:
show full sys global | grep remoteauthtimeout
By default the value is set to 5, which means 5 seconds. It needs to be increased to cover the login process, as SAML authentication will take more than 5 seconds.
For details on remoteauthtimeout, refer to: Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they wo...
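As an added illustration (not part of the original article), the following Python script applies the check described above to a constructed eap_proxy debug capture: it measures how long the SAML exchange took from the timestamped lines, compares that with the configured remoteauthtimeout, and flags the case where the SAML reply is logged but no IKE message follows. The timestamp format, the sample lines, the peer addresses and the <tenant-id> placeholder are assumptions.

```python
import re
from datetime import datetime

# Constructed samples (not captures from a real FortiGate). Debug lines carry the
# prefix added by "diag debug console timestamp enable"; tenant/peers are placeholders.
DEBUG_STUCK = """\
2024-09-24 05:25:10 samld_send_common_reply [99]: Attr: 11, 1449, https://login.microsoftonline.com/<tenant-id>/
2024-09-24 05:25:19 samld_send_common_reply [119]: Sent resp:
"""
DEBUG_OK = DEBUG_STUCK + (
    "2024-09-24 05:25:19 ike 0:Test-VPN:98620: sent IKE msg (AUTH_RESPONSE): "
    "203.0.113.1:4500->198.51.100.1:64916, len=128, vrf=0\n"
)
GLOBAL_GREP = "    set remoteauthtimeout 5\n"  # show full sys global | grep remoteauthtimeout

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def parse_remoteauthtimeout(grep_output):
    """Return the configured remoteauthtimeout in seconds (FortiOS default: 5)."""
    m = re.search(r"set remoteauthtimeout (\d+)", grep_output)
    return int(m.group(1)) if m else 5

def analyze(debug_text, timeout):
    """Heuristic triage: how long did SAML take, and did IKE continue afterwards?"""
    saml_start = saml_end = None
    ike_seen = False
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("samld_") and saml_start is None:
            saml_start = ts          # first SAML daemon line
        if "Sent resp" in msg:
            saml_end = ts            # SAML reply handed back to eap_proxy
        if msg.startswith("ike ") and saml_end is not None:
            ike_seen = True          # IKE carried on after SAML finished
    if saml_start is None or saml_end is None:
        return {"saml_seconds": None, "ike_seen": ike_seen,
                "verdict": "no SAML reply logged; check the IdP side first"}
    elapsed = (saml_end - saml_start).total_seconds()
    if ike_seen:
        verdict = "SAML passed and IKE continued; check phase1 authusrgrp next"
    elif elapsed > timeout:
        verdict = "SAML took longer than remoteauthtimeout; increase it"
    else:
        verdict = "SAML within timeout but no IKE; collect ike debug"
    return {"saml_seconds": elapsed, "ike_seen": ike_seen, "verdict": verdict}
```

Paste a real capture into `DEBUG_STUCK` and the real grep output into `GLOBAL_GREP` to triage a live case; the verdict is a heuristic, not a replacement for reading the full IKE debug.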
Related articles:
Troubleshooting Tip: Understanding message 'no proposal chosen' in IKE debug log
Technical Tip: IPSec VPN diagnostics – Deep analysis
Once SAML authentication passes, IKE logs follow, for example:

ike 0:Test-VPN:98620: remote port change 1011 -> 64916
ike 0:Test-VPN:98620: sent IKE msg (AUTH_RESPONSE): 2.94.156.100:4500->4.4.54.100:64916, len=128, vrf=0, id=f293d467fa21a5a3/ab2ab79bc3e06fb1:00000001
To review the authentication user group configured on the tunnel:

show vpn ipsec phase1-interface <VPN Name>

config vpn ipsec phase1-interface
    set authusrgrp SAML_GRP
Copyright 2025 Fortinet, Inc. All Rights Reserved.