FortiGate
Jaye17
Staff
Article Id 425183
Description This article describes a case where FortiClient VPN Android can no longer establish an IPsec VPN connection to a FortiGate after the FortiGate is upgraded to FortiOS 7.6.5. FortiClient shows the error 'Error: Could not establish session on the IPsec daemon'.
Scope FortiClient VPN Android. FortiGate v7.6.5.
Solution

After the FortiGate is upgraded to FortiOS 7.6.5, IPsec VPN connections from FortiClient VPN Android fail. Only FortiClient VPN Android is affected.

(Screenshot FCT Error.png: FortiClient VPN Android reporting 'Error: Could not establish session on the IPsec daemon'.)

The IKE debug on the FortiGate shows the error 'FCT-UID parsing error' directly after the FCC request that carries the client's UID:

 

ike V=root:0:For_android_0:1:13: FCC request len = 225, data = 'VER=1
FCTVER=FortiClient_Android_v7.4.3.0185
UID=156C5C5B58525B545D5A0007980B552549383254795333756E6B6E6F776E5698
IP=192.168.0.20
HOST=localhost
USER=fortinet
OSVER=Android Linux 6.1.57-android14-11-g792270e27ab1-ab11683491'
ike V=root:0:For_android_0:1: FCT-UID parsing error
ike V=root:0:For_android_0:1:13: peer proposal is: peer:0:10.0.1.10-10.0.1.10:0, me:0:0.0.0.0-255.255.255.255:0

ike V=root:0:VPN_0:247:VPN:1827: trying
ike V=root:0:VPN_0:247:VPN:1827: matched phase2
ike V=root:0:VPN_0:247:VPN:1827: dynamic client
ike V=root:0:VPN_0:247:VPN:1827: my proposal:
ike V=root:0:VPN_0:247:VPN:1827: proposal id = 1:
ike V=root:0:VPN_0:247:VPN:1827: protocol id = IPSEC_ESP:
ike V=root:0:VPN_0:247:VPN:1827: PFS DH group = 2
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_3DES
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: incoming proposal:
ike V=root:0:VPN_0:247:VPN:1827: proposal id = 1:
ike V=root:0:VPN_0:247:VPN:1827: protocol id = IPSEC_ESP:
ike V=root:0:VPN_0:247:VPN:1827: PFS DH group = 2
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_3DES
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_3DES
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: negotiation result
ike V=root:0:VPN_0:247:VPN:1827: proposal id = 1:
ike V=root:0:VPN_0:247:VPN:1827: protocol id = IPSEC_ESP:
ike V=root:0:VPN_0:247:VPN:1827: PFS DH group = 2
ike V=root:0:VPN_0:247:VPN:1827: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:VPN_0:247:VPN:1827: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:VPN_0:247:VPN:1827: type = AUTH_ALG, val=SHA1
ike V=root:0:VPN_0:247:VPN:1827: set pfs=MODP1024
ike V=root:0:VPN_0:247:VPN:1827: using udp tunnel mode.
ike V=root:0: comes x.x.x.x:4500->x.x.x.x:4500,ifindex=28,vrf=0,len=112....
ike V=root:0: IKEv1 exchange=Informational id=xx/xx len=108 vrf=0
ike 0: in [hash]
ike 0:VPN_0:247: dec [hash]
ike V=root:0:VPN_0:247: notify msg received: R-U-THERE
ike 0:VPN_0:247: enc [hash]
ike 0:VPN_0:247: out [hash]
ike V=root:0:VPN_0:247: sent IKE msg (R-U-THERE-ACK): 203.106.166.5:4500->203.106.180.73:4500, len=92, vrf=0, id=xx/xx
ike V=root:0:VPN_0:247:VPN:1827: replay protection enabled
ike V=root:0:VPN_0:247:VPN:1827: SA life soft seconds=28785.
ike V=root:0:VPN_0:247:VPN:1827: SA life hard seconds=28800.
ike V=root:0:VPN_0:247:VPN:1827: IPsec SA selectors #src=1 #dst=1
ike V=root:0:VPN_0:247:VPN:1827: src 0 7 0:0.0.0.0-255.255.255.255:0
ike V=root:0:VPN_0:247:VPN:1827: dst 0 7 0:10.81.235.10-10.81.235.10:0
ike V=root:0:VPN_0:247:VPN:1827: add dynamic IPsec SA selectors 282
ike V=root:0:VPN_0:247:VPN:1827: added dynamic IPsec SA proxyids new 1 282
ike V=root:0:VPN:1827: add route 10.81.235.10/255.255.255.255 gw 203.106.180.73 oif VPN(34) metric 15 priority 1
ike V=root:0:VPN_0:247:VPN:1827: tunnel 7 of VDOM limit 0/0
ike V=root:0:VPN_0:247:VPN:1827: add IPsec SA: SPIs=1b6004fe/07a2ad69
ike 0:VPN_0:247:VPN:1827: IPsec SA dec spi 1b6004fe key  [hash]
ike 0:VPN_0:247:VPN:1827: IPsec SA enc spi 07a2ad69 key  [hash]
ike V=root:0:VPN_0:247:VPN:1827: added IPsec SA: SPIs=1b6004fe/07a2ad69
ike V=root:0:VPN_0:247:VPN:1827: sending SNMP tunnel UP trap
ike V=root:0:VPN_0: tunnel up event assigned address 10.81.235.10
ike V=root:0:VPN_0: EMS: FCT UID not ready

 

On the FortiGate side, the same debug shows phase 2 negotiated successfully and the tunnel coming up ('tunnel up event assigned address 10.81.235.10'), followed by 'EMS: FCT UID not ready'. FortiClient VPN Android nevertheless reports that the connection failed.

 

FortiOS v7.6.5 validates the FCT UID sent by the client and expects it to be exactly 32 bytes long. FortiClient VPN Android sends a 64-byte UID (the 64 hex characters after 'UID=' in the FCC request above). Earlier FortiOS versions silently truncated this longer Android UID to 32 bytes; from v7.6.5 onward the truncation is no longer done, so the 64-byte value fails validation and produces the 'FCT-UID parsing error' seen in the debug. The UID is rejected during the FCC exchange, but IPsec phase 2 still completes, which is why the FortiGate reports the tunnel as up while the client reports the connection as failed.
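To confirm from a saved IKE debug that a failing client is hitting this UID-length check, and to see what the pre-7.6.5 truncation would have produced, the following Python script is an added example (it is not Fortinet code and not part of the original article). It pulls every FCC request out of the debug text, measures the UID the client sent, and correlates it with any 'FCT-UID parsing error' on the same gateway. Capture the debug on the FortiGate with 'diagnose debug application ike -1' followed by 'diagnose debug enable', save the console output to a file, and pass the file as the first argument. The sample input is constructed from the debug lines above plus a hypothetical second client; the gateway name 'Win_0' and that second client's fields are assumptions.

```python
import re
import sys

# UID length that FortiOS 7.6.5 validates against, per the article above.
EXPECTED_UID_LEN = 32

# Constructed sample input: the FCC request and parsing error from the article's
# IKE debug, followed by a hypothetical second client (gateway name 'Win_0',
# FCTVER, UID and other fields are assumptions) whose UID has the expected length.
SAMPLE_DEBUG = """\
ike V=root:0:For_android_0:1:13: FCC request len = 225, data = 'VER=1
FCTVER=FortiClient_Android_v7.4.3.0185
UID=156C5C5B58525B545D5A0007980B552549383254795333756E6B6E6F776E5698
IP=192.168.0.20
HOST=localhost
USER=fortinet
OSVER=Android Linux 6.1.57-android14-11-g792270e27ab1-ab11683491'
ike V=root:0:For_android_0:1: FCT-UID parsing error
ike V=root:0:For_android_0:1:13: peer proposal is: peer:0:10.0.1.10-10.0.1.10:0, me:0:0.0.0.0-255.255.255.255:0
ike V=root:0:Win_0:2:14: FCC request len = 130, data = 'VER=1
FCTVER=FortiClient_Windows_v7.4.3.0000
UID=00112233445566778899AABBCCDDEEFF
IP=192.168.0.21
HOST=laptop
USER=fortinet
OSVER=Microsoft Windows 11'
"""

# One FCC request: the gateway name from the 'ike V=<vdom>:<n>:<gateway>:' prefix,
# the declared length and the single-quoted KEY=value body, which spans several lines.
FCC_RE = re.compile(
    r"^ike V=\w+:\d+:(?P<gw>[^:\n]+):[^\n]*?FCC request len = (?P<len>\d+), "
    r"data = '(?P<data>[^']*)'",
    re.MULTILINE,
)
PARSE_ERR_RE = re.compile(
    r"^ike V=\w+:\d+:(?P<gw>[^:\n]+):[^\n]*FCT-UID parsing error", re.MULTILINE
)


def parse_fcc_requests(debug_text):
    """Return one record per FCC request found in the debug text."""
    requests = []
    for m in FCC_RE.finditer(debug_text):
        fields = {}
        for line in m.group("data").splitlines():
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        requests.append(
            {"gateway": m.group("gw"), "declared_len": int(m.group("len")), "fields": fields}
        )
    return requests


def check_uid(uid):
    """Classify a UID against the 32-character expectation.

    Returns (verdict, effective_uid). For a too-long UID, effective_uid is the
    first 32 characters, i.e. what FortiOS before 7.6.5 used after truncation.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]+", uid or ""):
        return "not_hex", None
    if len(uid) == EXPECTED_UID_LEN:
        return "ok", uid
    if len(uid) > EXPECTED_UID_LEN:
        return "too_long", uid[:EXPECTED_UID_LEN]
    return "too_short", None


def triage(debug_text):
    """Pair each FCC request with its UID verdict and with any parsing error on the same gateway."""
    gateways_with_error = {m.group("gw") for m in PARSE_ERR_RE.finditer(debug_text)}
    report = []
    for req in parse_fcc_requests(debug_text):
        uid = req["fields"].get("UID", "")
        verdict, effective = check_uid(uid)
        report.append(
            {
                "gateway": req["gateway"],
                "client": req["fields"].get("FCTVER", "?"),
                "uid_len": len(uid),
                "verdict": verdict,
                "pre_765_uid": effective,
                "parse_error_seen": req["gateway"] in gateways_with_error,
            }
        )
    return report


if __name__ == "__main__":
    # Usage: python fct_uid_triage.py [saved_ike_debug.txt]; without a file the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DEBUG
    for row in triage(text):
        flag = "SUSPECT" if row["verdict"] != "ok" or row["parse_error_seen"] else "ok"
        print(f"[{flag}] {row['gateway']}: {row['client']} UID len={row['uid_len']} "
              f"verdict={row['verdict']} parse_error={row['parse_error_seen']}")
```

On the sample, the Android request is reported with a 64-character UID, verdict too_long, and a parsing error on the same gateway, while the constructed 32-character client is clean. A real debug that shows the Android client with a 32-character UID and no parsing error would point to a different cause, so this is worth running before deciding on the downgrade.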

 

This issue has been reported and is currently being investigated by the engineering team. The fix is expected to be applied to an upcoming FortiClient VPN Android release. 

 

Workaround:

Downgrade the FortiGate to FortiOS v7.6.4 or earlier, where the longer Android UID is still truncated to 32 bytes. Note that a downgrade also removes the fixes delivered in v7.6.5 and, as with any FortiOS downgrade, should be done from a backed-up configuration, since configuration for features that exist only in the newer release is not carried over.

 

Related article:

Technical Tip: IPsec tunnels not connecting after upgrade to v7.6.5