FortiGate
mattchow_FTNT
Article Id 355768
Description This article describes how to fix the case where IPsec VPN SAML authentication passes but no IKE log is generated.
Scope FortiGate v7.2, FortiClient v7.2.
Solution

IPsec VPN SAML-based authentication can be troubleshot using the ike and samld debugs shown below:

diagnose vpn ike log-filter dst-addr4 x.x.x.x
diagnose debug console timestamp enable
diagnose debug application authd 60
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application eap_proxy -1
diagnose debug enable

For 7.4.0 and above, there is a slight change in the IKE log filter command, as shown below:

diagnose vpn ike log filter rem-addr4 x.x.x.x
diagnose debug console timestamp enable
diagnose debug application authd 60
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application eap_proxy -1
diagnose debug enable

To stop debugging:

diagnose debug disable
diagnose debug reset

The SAML log is generated before the IKE log, and attributes such as group, username and URL are shown at the end of the SAML debug output. The IKE debug log then begins as in the example below:

...
samld_send_common_reply [99]: Attr: 17, 31, magic=00070284969a10d4
samld_send_common_reply [99]: Attr: 18, 29, 2024-09-26T06:53:40Z
samld_send_common_reply [95]: Attr: 10, 23, 'Username' 'XXX'
samld_send_common_reply [95]: Attr: 10, 26, 'group' 'XXX_XXX'
samld_send_common_reply [99]: Attr: 11, 1061, https://XXXXXXXXX
samld_send_common_reply [119]: Sent resp: 14955, pid=2012, job_id=563485. <--- End of SAML debug
2024-09-26 13:38:27.641204 ike V=root:0: comes 1.1.1.1:500->2.2.2.2:500,ifindex=4,vrf=0,len=472....   <--- Begin of IKE debug
2024-09-26 13:38:27.643082 ike V=root:0: IKEv2 exchange=SA_INIT id=dd79473c6ec84591/0000000000000000 len=472

In case the IKE debug log does not appear right after the SAML debug log:

samld_send_common_reply [99]: Attr: 17, 31, magic=00070284969a10d4
samld_send_common_reply [99]: Attr: 18, 29, 2024-09-26T06:53:40Z
samld_send_common_reply [95]: Attr: 10, 23, 'Username' 'XXX'
samld_send_common_reply [95]: Attr: 10, 26, 'group' 'XXX_XXX'
samld_send_common_reply [99]: Attr: 11, 1061, https://XXXXXXXXX
samld_send_common_reply [119]: Sent resp: 14955, pid=2012, job_id=563485. <--- End of SAML debug; no further log after this line.

Run a packet capture on the outgoing interface and confirm that it is possible to see traffic from the remote peer. If not, make sure that IKE traffic on port 500/4500 is allowed in the network device connected upstream.
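As an added illustration (not Fortinet's code and not part of this article), the following Python script reads the two kinds of debug output shown above and reports whether an IKE exchange follows the samld 'Sent resp' line, which is the distinction this article turns on; the sample captures inside it are constructed from the placeholder lines in the article, not from a real device.

```python
import re

# Constructed sample modelled on the samld/ike debug lines in the article
# (placeholder values, not a real capture): SAML finishes, then IKE SA_INIT arrives.
SAMPLE_OK = """\
samld_send_common_reply [99]: Attr: 17, 31, magic=00070284969a10d4
samld_send_common_reply [99]: Attr: 18, 29, 2024-09-26T06:53:40Z
samld_send_common_reply [95]: Attr: 10, 23, 'Username' 'XXX'
samld_send_common_reply [95]: Attr: 10, 26, 'group' 'XXX_XXX'
samld_send_common_reply [99]: Attr: 11, 1061, https://XXXXXXXXX
samld_send_common_reply [119]: Sent resp: 14955, pid=2012, job_id=563485.
2024-09-26 13:38:27.641204 ike V=root:0: comes 1.1.1.1:500->2.2.2.2:500,ifindex=4,vrf=0,len=472....
2024-09-26 13:38:27.643082 ike V=root:0: IKEv2 exchange=SA_INIT id=dd79473c6ec84591/0000000000000000 len=472
"""
# Same capture cut off after the SAML reply: the stuck case from the article.
SAMPLE_STUCK = "\n".join(SAMPLE_OK.splitlines()[:6]) + "\n"

SAML_ATTR = re.compile(r"samld_send_common_reply \[\d+\]: Attr: \d+, \d+, '([^']+)' '([^']*)'")
SAML_DONE = re.compile(r"samld_send_common_reply \[\d+\]: Sent resp:")
IKE_LINE = re.compile(r" ike V=\S+ (comes |IKEv2 exchange=)")


def analyse(debug: str) -> dict:
    """Summarise a samld/ike debug capture: the SAML attributes that were
    returned, whether samld sent its reply, and whether any IKE line follows it."""
    attrs = {}
    saml_done = False
    ike_after_saml = False
    for line in debug.splitlines():
        m = SAML_ATTR.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)  # e.g. Username, group
        elif SAML_DONE.search(line):
            saml_done = True
        elif saml_done and IKE_LINE.search(line):
            ike_after_saml = True
    if not saml_done:
        verdict = "SAML reply never sent: look at the samld/authd output first"
    elif ike_after_saml:
        verdict = "IKE exchange follows SAML: authentication is not the blocker"
    else:
        verdict = ("no IKE log after SAML: sniff UDP 500/4500 on the outgoing "
                   "interface and check upstream filtering")
    return {"attrs": attrs, "saml_done": saml_done,
            "ike_after_saml": ike_after_saml, "verdict": verdict}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("stuck", SAMPLE_STUCK)):
        print(name, analyse(sample)["verdict"])
```

Feed it the saved console output of the debug session instead of the embedded samples to classify a real case.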

Packet capture can be run from the CLI or the GUI.

GUI:

In v7.2 and v7.4, Packet Capture is found under Network > Diagnostics rather than as its own entry under Network: select Diagnostics, then New Packet Capture.

CLI:

diagnose sniffer packet any 'host <remote-peer-ip> and port (500 or 4500)' 4 0 l

Press Ctrl+C to stop.

If no traffic is visible on port 500/4500, check with the upstream device, the ISP on the remote side and the local ISP to find where the IKE traffic is being dropped.


The log collected from FortiClient -> Settings -> Logging -> Export logs does not show any IKE-related information, and the FortiClient IPsec VPN is stuck in 'Connecting to VPN' status without any error or message.

If the user is using the free version of FortiClient, it is possible to upgrade the FortiClient version from v7.2 to v7.4 to fix the issue.

Dialup IPsec VPN with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1, together with FortiClient (Windows and macOS) v7.2.5/v7.4.1 and FortiClient (Linux) v7.4.3. (Related document: SAML-based authentication for FortiClient remote access dialup IPsec VPN clients.)

On earlier versions, uncheck (or disable) 'Use external browser as user-agent for SAML user authentication' in the FortiClient VPN settings to resolve this issue.