hpenmetsa
Staff
Article Id 411797
Description

This article describes the troubleshooting steps when connecting to an IPsec VPN with SAML-based authentication from FortiClient, where FortiClient is stuck in a connecting state even after entering valid credentials.

Scope

FortiGate.
Solution

When connecting to the IPsec remote access VPN, FortiClient prompts for the Single Sign-On (SSO) login page. After successful authentication, FortiClient may sometimes remain stuck in the connecting state instead of establishing the tunnel.


If running the following IKE debug commands produces no IKE output at all on the FortiGate while the client is stuck connecting, this indicates a configuration issue rather than a negotiation failure:

diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter rem-addr4 <client public ip>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug enable


Verify the IPsec VPN configuration on the FortiGate. Ensure that the SSO group is configured in only one location:

  • Under the IPsec remote access configuration (phase1-interface), or
  • Under the firewall policy, but not both.

If the SSO group is configured in both places, remove it from one configuration and test the VPN connection again.

It is recommended to configure SAML groups either in the IPsec phase 1 configuration using set authusrgrp <group-name>, or in the firewall policy using set groups <group-name>, never in both. Refer to the following documentation for more details:
SAML-based authentication for FortiClient remote access dialup IPsec VPN clients.
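As an added illustration (not part of this article or of FortiOS), the following Python script parses a FortiOS-style config dump and flags the both-places misconfiguration described above: a tunnel whose phase1-interface authusrgrp also appears under set groups in a firewall policy whose srcintf is that tunnel. The config text is constructed here; in practice it would be the output of show vpn ipsec phase1-interface and show firewall policy, and restricting the match to policies sourced from the tunnel interface is an assumption of this checker.

```python
import re
from collections import defaultdict

# Constructed FortiOS config dump (not from the article): the SAML group is set
# on the phase1-interface AND in the policy whose srcintf is that tunnel.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "SAML-IPsec"
        set authusrgrp "saml_vpn_group"
    next
end
config firewall policy
    edit 1
        set srcintf "SAML-IPsec"
        set groups "saml_vpn_group" "other_group"
    next
    edit 2
        set srcintf "port3"
        set groups "saml_vpn_group"
    next
end
"""

def parse_sections(text):
    """Parse config/edit/set/next lines into {section: {entry: {key: [values]}}}."""
    sections, section, entry = defaultdict(dict), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            # values are quoted strings or bare tokens; the quotes are dropped
            sections[section][entry][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            entry = None
    return sections

def find_duplicate_saml_groups(text):
    """(tunnel, group, policy_id) for each tunnel whose authusrgrp also appears in
    `set groups` of a policy whose srcintf is that tunnel: the both-places case."""
    cfg, findings = parse_sections(text), []
    for tunnel, p1 in cfg["vpn ipsec phase1-interface"].items():
        group = p1.get("authusrgrp", [None])[0]
        for pol_id, pol in cfg["firewall policy"].items():
            if group and tunnel in pol.get("srcintf", []) and group in pol.get("groups", []):
                findings.append((tunnel, group, pol_id))
    return findings
```

Policy 2 in the sample is not reported because it is not sourced from the tunnel interface; only policy 1 duplicates the group set on the phase1-interface.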


If the issue persists, collect the following logs and open a ticket with TAC support through the Fortinet Support Portal.

Run the following commands on the FortiGate CLI:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 <client public ip>
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug enable


Replicate the issue by connecting to the VPN from FortiClient. After replicating the issue, run the following commands to stop the debug:

diagnose debug disable
diagnose debug reset


Related documents:

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients