When connecting to the IPsec remote access VPN, FortiClient prompts the Single Sign-On (SSO) login page. After successful authentication, the FortiClient may sometimes remain connected.

Running the following IKE debug commands might not display any IKE output on the FortiGate, which indicates a configuration issue:

diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter rem-addr4 <client public ip>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug enable

Verify the IPsec VPN configuration on the FortiGate. Ensure that the SSO group is configured only in one location:

• Either under the IPsec remote access configuration (phase1-interface).
• Under the firewall policy, not both.

If the SSO group is configured in both places, remove it from one configuration and test the VPN connection again.

If the issue persists, collect the following logs and open a ticket with TAC support at the Fortinet Support Portal.

Run the following commands on the FortiGate CLI

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 <client public ip>
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug enable

Replicate the issue by connecting to the VPN from the FortiClient. After issue replication, please run the following commands to stop the debug.

diagnose debug disable
diagnose debug reset