dbhavsar (Staff)
Article Id 390600
Description: This article describes a phase 1 negotiation error on a dial-up IPsec tunnel that fails with the reason 'peer EMS SN check failed'.
Scope: FortiGate.
Solution:

The EMS SN (serial number) verification feature, controlled by the 'ems-sn-check' setting, was first introduced in FortiGate v7.6 to enhance VPN security.


The following error message is observed in the VPN event logs while the client is connecting:


date=2025-04-25 time=15:58:57 eventtime=1745611136994194580 tz="-0400" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=10.1.0.1 locip=xx.xx.xx.xx remport=500 locport=500 outintf="lan" cookies="f42203aec8f95b56/82a2f979b0b88623" user="10.1.0.1" group="N/A" useralt="N/A" eapuser="Test" eapauthgroup="IPSec-VPN" assignip=N/A vpntunnel="Dialup-IPSec" status="negotiate_error" reason="peer EMS SN check failed" fctuid="9EB7FB974DA743C8B6DDB5DFXXXXXXXX" advpnsc=0

[Screenshot: ike1.PNG]
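The log entry above is a FortiOS key=value event line, so the failure is easy to pick out of a log export. The following is an added example (not part of this KB article or any Fortinet tool) that parses such lines and lists the clients whose phase 1 negotiation failed the EMS SN check; the sample log lines are constructed, modelled on the entry above.

```python
import re
from collections import Counter

# Constructed sample FortiOS VPN event log lines (not from a live system);
# the first mirrors the "peer EMS SN check failed" entry discussed above.
SAMPLE_LOGS = [
    'date=2025-04-25 time=15:58:57 logid="0101037124" type="event" subtype="vpn" '
    'level="error" logdesc="IPsec phase 1 error" action="negotiate" remip=10.1.0.1 '
    'eapuser="Test" vpntunnel="Dialup-IPSec" status="negotiate_error" '
    'reason="peer EMS SN check failed" fctuid="9EB7FB974DA743C8B6DDB5DFXXXXXXXX"',
    'date=2025-04-25 time=15:59:10 logid="0101037124" type="event" subtype="vpn" '
    'level="error" logdesc="IPsec phase 1 error" action="negotiate" remip=10.1.0.2 '
    'eapuser="Alice" vpntunnel="Dialup-IPSec" status="negotiate_error" '
    'reason="peer EMS SN check failed" fctuid="1111111111111111111111111111AAAA"',
    'date=2025-04-25 time=16:00:01 logid="0101037124" type="event" subtype="vpn" '
    'level="error" logdesc="IPsec phase 1 error" action="negotiate" remip=10.1.0.3 '
    'eapuser="Bob" vpntunnel="Dialup-IPSec" status="negotiate_error" '
    'reason="peer SA proposal not match local policy" fctuid="N/A"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping the quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def ems_sn_failures(lines):
    """Return the parsed VPN events whose phase 1 failure was the EMS SN check."""
    hits = []
    for line in lines:
        ev = parse_fortios_log(line)
        if (ev.get("subtype") == "vpn" and ev.get("status") == "negotiate_error"
                and ev.get("reason") == "peer EMS SN check failed"):
            hits.append(ev)
    return hits


def failures_per_tunnel(lines):
    """Count EMS SN check failures per tunnel, to see which dial-up tunnels are affected."""
    return Counter(ev["vpntunnel"] for ev in ems_sn_failures(lines))


if __name__ == "__main__":
    for ev in ems_sn_failures(SAMPLE_LOGS):
        print(ev["time"], ev["eapuser"], ev["remip"], ev["fctuid"])
    print(dict(failures_per_tunnel(SAMPLE_LOGS)))
```

The listed eapuser/fctuid pairs are the clients to check against EMS before deciding whether to disable the setting.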

The corresponding FortiClient error message is shown below:

[Screenshot: EMS (1).jpg]

To resolve the error, disable 'ems-sn-check' in the IPsec phase1-interface settings. Because this check was added to strengthen VPN security, disable it only when the connecting clients are not expected to pass EMS SN verification; otherwise keep it enabled and investigate why the peer failed the check.


config vpn ipsec phase1-interface
    edit "Dialup-IPSec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.1.0.15
        set proposal aes128-sha1 aes256-sha256
        set comments "Test "
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "IPSec-VPN"
        set nattraversal disable
        set ems-sn-check enable  <---- Disable this setting.
        set transport udp
        set assign-ip-from name
        set ipv4-split-include "Route_Internal"
        set ipv4-name "IPSec_range"
        set save-password enable
        set client-auto-negotiate enable
    next
end

[Screenshot: ike2.PNG]

From v7.6.0 onwards, the EMS SN check can also be enabled or disabled from the IPsec tunnel settings in the GUI. The ems-sn-check setting is disabled by default, so this error only appears on tunnels where it has been explicitly enabled.


For more information on this feature, refer to the following documents:

Enhancing VPN security using EMS SN verification

Explaining the effects of the 'set esn require'/'ems-sn-check' setting on Phase-1 of IPsec VPN Tunne...