sdebnath
Staff
Article Id 390075
Description: This article describes how to resolve IPsec dial-up VPN failure due to EMS serial number verification.
Scope: FortiOS versions v7.6.x and later.
Solution

In FortiOS 7.6.x, FortiClient EMS SN verification is enabled by default for remote dial-up IPsec VPN configurations. During VPN connection attempts using FortiClient, the system checks for a valid EMS SN. If the FortiClient being used is a free version or lacks a valid EMS SN, the VPN connection fails (refer to the attached screenshot for details).

IPSEC EMS checked by default.jpg

 

IPSEC Debug.jpg

 

The FortiClient error message is shown below:

 

EMS (1).jpg

 

To resolve this issue and ensure successful VPN connectivity for remote endpoints, disable the FortiClient EMS SN verification option during IPsec VPN creation using the IPsec VPN Wizard. This can be done by unchecking the 'EMS SN Verification' checkbox in the VPN configuration settings (see the attachment).

Unchecked EMS SN.jpg

 

From the CLI:

 

config vpn ipsec phase1-interface
    edit <name>    <----- This will be the tunnel name.
        set ems-sn-check disable
    next
end


Note:
FortiClient EMS SN verification can also be enabled in the global setting. To verify that, use the following commands:

 

config system global
    set vpn-ems-sn-check {enable | disable}
end
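
To see which dial-up tunnels in an existing deployment have the check turned off, a configuration backup can be parsed offline. The following Python script is an added example, not part of the original article or any Fortinet tooling; the sample configuration and the function names are constructed for illustration, and a value of None means the option does not appear in the backup, so whatever default the firmware applies is in effect.

```python
# Constructed sample of a FortiOS configuration backup (not from the article).
SAMPLE_CONFIG = """\
config system global
    set vpn-ems-sn-check enable
end
config vpn ipsec phase1-interface
    edit "dialup-staff"
        set type dynamic
        set ems-sn-check disable
    next
    edit "dialup-managed"
        set ems-sn-check enable
    next
    edit "site-to-site"
        set type static
    next
end
"""
PHASE1 = "vpn ipsec phase1-interface"

def audit_ems_sn_check(config_text):
    """Return (global vpn-ems-sn-check, {tunnel: ems-sn-check}); None = not set in the backup."""
    depth, section, tunnel = 0, None, None
    global_setting, tunnels = None, {}
    for raw in config_text.splitlines():
        parts = raw.split() or [""]
        if parts[0] == "config":            # entering a (possibly nested) block
            depth += 1
            if depth == 1:
                section = " ".join(parts[1:])
        elif parts[0] == "end":             # leaving a block
            depth = max(depth - 1, 0)
            if depth == 0:
                section = None
        elif depth == 1 and section == PHASE1 and parts[0] == "edit":
            tunnel = " ".join(parts[1:]).strip('"')
            tunnels[tunnel] = None          # option not seen yet for this tunnel
        elif depth == 1 and parts[0] == "next":
            tunnel = None
        elif depth == 1 and parts[0] == "set" and len(parts) >= 3:
            if section == "system global" and parts[1] == "vpn-ems-sn-check":
                global_setting = parts[2]
            elif section == PHASE1 and tunnel and parts[1] == "ems-sn-check":
                tunnels[tunnel] = parts[2]
    return global_setting, tunnels

def tunnels_with_check_disabled(config_text):
    """Names of phase1-interface entries that explicitly set ems-sn-check disable."""
    return sorted(t for t, v in audit_ems_sn_check(config_text)[1].items() if v == "disable")
```

Running `tunnels_with_check_disabled()` over each saved backup gives a list of tunnels to review after the workaround above has been applied.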


Related documents:
Enhancing IPsec security using EMS SN verification