Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ssanga
Staff & Editor
Staff & Editor

Created on ‎09-08-2024 09:59 PM Edited on ‎05-29-2025 01:03 PM By Moderator

Article Id 339738

Troubleshooting Tip: IPsec SAML Authentication fails due to fnbamd daemon crash

Description This article describes a known issue where users fail to establish a Dial-up IPsec VPN with SAML Authentication.
Scope FortiGate v7.2.8, v7.2.9, v7.2.10, v7.4.1, v7.4.2, v7.4.3, v7.4.4.
Solution

Users may fail to establish a Dial-up IPsec VPN tunnel with SAML Authentication when FortiGate is running on the versions mentioned above. The problem can be verified by examining the logs as outlined below.

The following logs are seen in the debug and crash log outputs:


2024-05-31 16:23:46 [643] create_auth_session-Error starting authentication
2024-05-31 16:23:46 [1086] fnbamd_ext_idps_destroy-
2024-05-31 16:23:46 [1950] handle_req-r=5
2024-05-31 16:23:46 [1958] handle_req-Error starting session
2024-05-31 16:23:46 [209] fnbamd_comm_send_result-Sending result 5 (nid 0) for req 1456563250, len=2540
2024-05-31 16:23:46.888594 ike 0:SCN-IPSEC-VPN:296 EAP 1456563250 result FNBAM_ERROR
2024-05-31 16:23:46.888602 ike 0:SCN-IPSEC-VPN: EAP failed for user "91EB44FD191E47FCBA38713BD683A9FA"
2024-05-31 16:23:46.888616 ike 0:SCN-IPSEC-VPN: EAP response is empty
2024-05-31 16:23:46.888621 ike 0:SCN-IPSEC-VPN: connection expiring due to EAP failure

diagnose debug crashlog read
279: 2024-05-31 16:23:43 the killed daemon is /bin/fnbamd: status=0x6

 

In some cases,  the issue will happen even without seeing fnbamd crash in the crash log.

 

This issue has been resolved in v7.2.11, v7.4.5, and v7.6.1. 

Logs required by FortiGate TAC for investigation:

 

  1. Debugs:

 

diagnose vpn ike log filter rem-addr4/dst-addr4 x.x.x.x   <----- Client's Public IP to filter the debug for a specific user. 

diagnose debug application authd 60

diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable

 

Note: 

IPsec VPN debug commands vary across different firmware versions. Refer to this article for more details: Troubleshooting Tip: IPsec Tunnel (debugging IKE)

 

To stop the debug, run the following commands:

 

   diagnose debug disable

   diagnose debug reset

 

  1. TAC Report:


execute tac report

  1. The configuration file of the FortiGate.

 

Note:

  • Bug ID 1023871: IPSec IKEv2 with SAML cannot match the Entra ID group during EAP due to a buffer size issue.
  • Bug ID 1039988: When performing a SAML authentication, authd gets stuck in a loop due to a CPU usage issue.
  • v7.2.11: Resolved issues
  • v7.4.5: Resolved issues
  • v7.6.1: Resolved issues
  • External browser support has been added as of FortiOS v7.6.1 and above.

 

Related article:
6258
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.