k4tamai
New Contributor II

Forticlient IPSEC w/ SAML stuck in connecting

Hi Guys.

I have starved my own knowledge and google-fu, so I hope someone in here can help me.

We are transitioning from SSL VPN to IPsec VPN and want to keep using our SAML setup.

When trying to connect to the IPsec VPN tunnel I get prompted with my SAML prompt, enter my credentials, log in, and the client then hangs in "Connecting".

In my debug I see the SAML request being processed and completing as it should, but I see no IKE debug output.
Nothing appears in my VPN log either.
The only thing I can see is in my FortiClient, where I get an error regarding power, which I reckon is not related to this.

When connecting to the SSL VPN (same public IP, different ports of course) I go straight through and connect with no issues.

Does anyone have any idea why I am stuck in "Connected" when my SAML request is processed?

Kind Regards

EDIT:
We have tested with FortiClient versions 7.2.4, 7.2.5 and 7.4.0, with different vendors of network adapters, and from different locations.

1 Solution
k4tamai
New Contributor II

Hi Qim!

Thank you for reminding me of this post.

I meant to return with an update, but forgot it.

Yes! We did solve the issue!

So, in my case, I saw that samld processed the request correctly, but an error in fnbamd with no data in the IKE debug.

What we found out was that, on the Azure enterprise application, all the groups that the user belongs to were pushed after successful authentication. samld was able to retrieve them, but eap_proxy was unable to handle this large amount of groups. This was diagnosed by running the command "diagnose debug application eap_proxy".

We resolved the issue by going to the enterprise application and changing the group claim setting ("Which groups associated with the user should be returned in the claim?") from "Security Groups" to "Groups assigned to the application".

Hope this helps you with changing to IPsec with SAML authentication, and thank you for reminding me of this support ticket.

Kind Regards.

Commands used to diagnose the issue:

diagnose debug application samld -1 - Used to diagnose the processing of the SAML claim, to confirm that samld processes the request properly and receives the desired groups from the claims.

diagnose debug application fnbamd -1 - This was used to diagnose the authentication process, where we found out that the FortiGate auth daemon processed the authentication request but reported an error that there was no group match, despite SAML reporting a group match.

diagnose debug application eap_proxy -1 - Was used to diagnose the IKEv2 / RADIUS data processed by the FortiGate (someone correct me if I am way off). This command showed that the group buffer was full, indicating that the amount of groups parsed from SAML to eap_proxy / fnbamd was incomplete, which led us to change the group claim on the enterprise application to only parse groups assigned to the application instead of all groups the user is a member of.
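
The solution above turns on two things: how many group values the SAML assertion carries, and whether the group the FortiGate user group is matching on is actually among them. Here is an added example (my own Python, not FortiGate's code and not the poster's) that pulls the groups claim out of a SAML Response and reports its count and encoded size against caller-supplied limits, plus the membership check that fnbamd effectively performs. The claim name is the default one Azure AD emits for group object IDs; the sample Response is constructed and unsigned; and the limits `max_groups` / `max_bytes` are placeholders, because the thread only says the eap_proxy group buffer filled up, not how large it is.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Default claim name under which Azure AD emits group object IDs in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def sample_group_ids(n):
    """Constructed, obviously fake group object IDs (real ones are random GUIDs)."""
    return [f"00000000-0000-0000-0000-{i:012d}" for i in range(n)]


def build_sample_response(group_ids):
    """Constructed, unsigned SAML Response carrying only the pieces this check reads."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_response" Version="2.0">'
        '<saml:Assertion ID="_assertion" Version="2.0">'
        "<saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )


def group_claim_values(saml_xml):
    """Return every AttributeValue under the groups claim, in document order."""
    root = ET.fromstring(saml_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for v in attr.iterfind("saml:AttributeValue", NS):
            values.append((v.text or "").strip())
    return values


def assess_group_claim(saml_xml, max_groups, max_bytes):
    """Count the group values and their UTF-8 size; flag the assertion when either is
    above the supplied limit. The limits are the caller's assumption: the thread reports
    only that eap_proxy's group buffer filled up, not how large it is."""
    values = group_claim_values(saml_xml)
    size = sum(len(v.encode("utf-8")) for v in values)
    return {
        "count": len(values),
        "bytes": size,
        "over_limit": len(values) > max_groups or size > max_bytes,
    }


def required_group_present(saml_xml, group_id):
    """The match fnbamd is looking for: is the group configured on the FortiGate
    user group among the values the IdP actually sent?"""
    return group_id in group_claim_values(saml_xml)


if __name__ == "__main__":
    # "Groups assigned to the application" typically yields a handful of values;
    # "Security Groups" yields the user's whole directory membership.
    for label, n in (("app-assigned groups", 3), ("all security groups", 150)):
        doc = build_sample_response(sample_group_ids(n))
        print(label, assess_group_claim(doc, max_groups=100, max_bytes=4096))
```

Run it against an assertion captured on the client side before and after the Azure claim change; the count dropping from the user's whole membership to the app-assigned groups, with the required group still present, is the state the fix above produces.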


tpatel
Staff

Hello Sir, can you please run the IKE debug with the remote gateway address set to the public IP address of the client machine.

diag vpn ike log-filter rem-addr4 x.x.x.x    (instead of x.x.x.x please write the public IP)

diag debug app ike -1
diag debug enable    ---> to enable debug

diag debug disable   -> to disable debug.

Can you please provide us the log.

k4tamai
New Contributor II

Hi Patel.

Thank you for your response.

As mentioned in my post, we do not receive any output from the IKE debug.
I do, however, see the traffic coming in with a diag sniffer.

In this case X.X.X.X is our firewall and Y.Y.Y.Y is my external host.

We pass the SAML authentication and the client is then stuck in "Connecting" after the 3 IKE packets.
See sniffer output below.

Kind Regards.

 

HHHH-FW01 (CSMG) # diagnose sniffer packet any "host y.y.y.y" -4
interfaces=[any]
filters=[host y.y.y.y]
0.912516 y.y.y.y.40114 -> x.x.x.x.10428: syn 2427900181
0.912537 x.x.x.x.10428 -> y.y.y.y.40114: syn 2141296080 ack 2427900182
0.912538 x.x.x.x.10428 -> y.y.y.y.40114: syn 2141296080 ack 2427900182
0.912539 x.x.x.x.10428 -> y.y.y.y.40114: syn 2141296080 ack 2427900182
0.942202 y.y.y.y.40114 -> x.x.x.x.10428: ack 2141296081
0.947202 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900182 ack 2141296081
0.947210 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900352
0.947211 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900352
0.947211 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900352
0.947651 x.x.x.x.10428 -> y.y.y.y.40114: 2141296081 ack 2427900352
0.947653 x.x.x.x.10428 -> y.y.y.y.40114: 2141296081 ack 2427900352
0.947654 x.x.x.x.10428 -> y.y.y.y.40114: 2141296081 ack 2427900352
0.947661 x.x.x.x.10428 -> y.y.y.y.40114: 2141297481 ack 2427900352
0.947662 x.x.x.x.10428 -> y.y.y.y.40114: 2141297481 ack 2427900352
0.947663 x.x.x.x.10428 -> y.y.y.y.40114: 2141297481 ack 2427900352
0.947666 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141298881 ack 2427900352
0.947667 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141298881 ack 2427900352
0.947667 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141298881 ack 2427900352
0.948443 x.x.x.x.10428 -> y.y.y.y.40114: 2141300177 ack 2427900352
0.948444 x.x.x.x.10428 -> y.y.y.y.40114: 2141300177 ack 2427900352
0.948445 x.x.x.x.10428 -> y.y.y.y.40114: 2141300177 ack 2427900352
0.977190 y.y.y.y.40114 -> x.x.x.x.10428: ack 2141300177
0.977198 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141301577 ack 2427900352
0.977199 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141301577 ack 2427900352
0.977200 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141301577 ack 2427900352
0.977203 y.y.y.y.40114 -> x.x.x.x.10428: ack 2141301577
1.012154 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900352 ack 2141302416
1.012529 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302416 ack 2427900478
1.012531 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302416 ack 2427900478
1.012532 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302416 ack 2427900478
1.082191 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900478 ack 2141302658
1.134304 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900680
1.134305 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900680
1.134306 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900680
1.442116 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900680 ack 2141302658
1.442123 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900745
1.442124 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900745
1.442125 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900745
1.442162 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302658 ack 2427900745
1.442164 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302658 ack 2427900745
1.442165 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302658 ack 2427900745
1.442208 x.x.x.x.10428 -> y.y.y.y.40114: psh fin 2141302959 ack 2427900745
1.442208 x.x.x.x.10428 -> y.y.y.y.40114: psh fin 2141302959 ack 2427900745
1.442209 x.x.x.x.10428 -> y.y.y.y.40114: psh fin 2141302959 ack 2427900745
1.472181 y.y.y.y.40114 -> x.x.x.x.10428: fin 2427900745 ack 2141302959
1.472188 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900746
1.472188 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900746
1.472189 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900746
1.472192 y.y.y.y.40114 -> x.x.x.x.10428: rst 2427900746 ack 2141302990
1.601961 y.y.y.y.59873 -> x.x.x.x.10428: syn 1480667310
1.601985 x.x.x.x.10428 -> y.y.y.y.59873: syn 1101761543 ack 1480667311
1.601986 x.x.x.x.10428 -> y.y.y.y.59873: syn 1101761543 ack 1480667311
1.601987 x.x.x.x.10428 -> y.y.y.y.59873: syn 1101761543 ack 1480667311
1.627141 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101761544
1.635159 y.y.y.y.59873 -> x.x.x.x.10428: psh 1480667311 ack 1101761544
1.635166 x.x.x.x.10428 -> y.y.y.y.59873: ack 1480667581
1.635166 x.x.x.x.10428 -> y.y.y.y.59873: ack 1480667581
1.635167 x.x.x.x.10428 -> y.y.y.y.59873: ack 1480667581
1.635265 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101761544 ack 1480667581
1.635267 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101761544 ack 1480667581
1.635268 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101761544 ack 1480667581
1.657158 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101761643
1.667085 y.y.y.y.59873 -> x.x.x.x.10428: psh 1480667581 ack 1101761643
1.667870 x.x.x.x.10428 -> y.y.y.y.59873: 1101761643 ack 1480667890
1.667872 x.x.x.x.10428 -> y.y.y.y.59873: 1101761643 ack 1480667890
1.667873 x.x.x.x.10428 -> y.y.y.y.59873: 1101761643 ack 1480667890
1.667880 x.x.x.x.10428 -> y.y.y.y.59873: 1101763043 ack 1480667890
1.667881 x.x.x.x.10428 -> y.y.y.y.59873: 1101763043 ack 1480667890
1.667881 x.x.x.x.10428 -> y.y.y.y.59873: 1101763043 ack 1480667890
1.667885 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101764443 ack 1480667890
1.667886 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101764443 ack 1480667890
1.667886 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101764443 ack 1480667890
1.668569 x.x.x.x.10428 -> y.y.y.y.59873: 1101765739 ack 1480667890
1.668570 x.x.x.x.10428 -> y.y.y.y.59873: 1101765739 ack 1480667890
1.668571 x.x.x.x.10428 -> y.y.y.y.59873: 1101765739 ack 1480667890
1.702084 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101767139
1.702094 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101767139 ack 1480667890
1.702095 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101767139 ack 1480667890
1.702096 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101767139 ack 1480667890
1.727040 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101768133
1.727045 y.y.y.y.59873 -> x.x.x.x.10428: psh 1480667890 ack 1101768133
1.727168 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101768133 ack 1480667964
1.727170 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101768133 ack 1480667964
1.727171 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101768133 ack 1480667964
1.737149 y.y.y.y.59873 -> x.x.x.x.10428: fin 1480667964 ack 1101768133
1.737197 x.x.x.x.10428 -> y.y.y.y.59873: psh fin 1101768404 ack 1480667965
1.737198 x.x.x.x.10428 -> y.y.y.y.59873: psh fin 1101768404 ack 1480667965
1.737199 x.x.x.x.10428 -> y.y.y.y.59873: psh fin 1101768404 ack 1480667965
1.762136 y.y.y.y.59873 -> x.x.x.x.10428: rst 1480667965 ack 1101768404
1.764663 y.y.y.y.46451 -> x.x.x.x.10428: syn 628336186
1.764685 x.x.x.x.10428 -> y.y.y.y.46451: syn 1824811541 ack 628336187
1.764686 x.x.x.x.10428 -> y.y.y.y.46451: syn 1824811541 ack 628336187
1.764687 x.x.x.x.10428 -> y.y.y.y.46451: syn 1824811541 ack 628336187
1.787183 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824811542
1.792116 y.y.y.y.46451 -> x.x.x.x.10428: psh 628336187 ack 1824811542
1.792123 x.x.x.x.10428 -> y.y.y.y.46451: ack 628336457
1.792124 x.x.x.x.10428 -> y.y.y.y.46451: ack 628336457
1.792125 x.x.x.x.10428 -> y.y.y.y.46451: ack 628336457
1.792194 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824811542 ack 628336457
1.792195 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824811542 ack 628336457
1.792196 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824811542 ack 628336457
1.817206 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824811641
1.830176 y.y.y.y.46451 -> x.x.x.x.10428: psh 628336457 ack 1824811641
1.830939 x.x.x.x.10428 -> y.y.y.y.46451: 1824811641 ack 628336766
1.830941 x.x.x.x.10428 -> y.y.y.y.46451: 1824811641 ack 628336766
1.830943 x.x.x.x.10428 -> y.y.y.y.46451: 1824811641 ack 628336766
1.830948 x.x.x.x.10428 -> y.y.y.y.46451: 1824813041 ack 628336766
1.830949 x.x.x.x.10428 -> y.y.y.y.46451: 1824813041 ack 628336766
1.830950 x.x.x.x.10428 -> y.y.y.y.46451: 1824813041 ack 628336766
1.830954 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824814441 ack 628336766
1.830955 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824814441 ack 628336766
1.830955 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824814441 ack 628336766
1.831635 x.x.x.x.10428 -> y.y.y.y.46451: 1824815737 ack 628336766
1.831636 x.x.x.x.10428 -> y.y.y.y.46451: 1824815737 ack 628336766
1.831637 x.x.x.x.10428 -> y.y.y.y.46451: 1824815737 ack 628336766
1.857144 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824814441
1.857151 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824815737
1.857156 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824817137 ack 628336766
1.857157 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824817137 ack 628336766
1.857158 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824817137 ack 628336766
1.857161 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824817137
1.887137 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824818131
1.892137 y.y.y.y.46451 -> x.x.x.x.10428: psh 628336766 ack 1824818131
1.892249 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824818131 ack 628336840
1.892251 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824818131 ack 628336840
1.892252 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824818131 ack 628336840
1.902142 y.y.y.y.46451 -> x.x.x.x.10428: fin 628336840 ack 1824818131
1.902185 x.x.x.x.10428 -> y.y.y.y.46451: psh fin 1824818402 ack 628336841
1.902186 x.x.x.x.10428 -> y.y.y.y.46451: psh fin 1824818402 ack 628336841
1.902187 x.x.x.x.10428 -> y.y.y.y.46451: psh fin 1824818402 ack 628336841
1.917168 y.y.y.y.46451 -> x.x.x.x.10428: rst 628336841 ack 1824818402
1.917468 y.y.y.y.51426 -> x.x.x.x.10428: syn 187597919
1.917488 x.x.x.x.10428 -> y.y.y.y.51426: syn 3622733772 ack 187597920
1.917489 x.x.x.x.10428 -> y.y.y.y.51426: syn 3622733772 ack 187597920
1.917490 x.x.x.x.10428 -> y.y.y.y.51426: syn 3622733772 ack 187597920
1.947144 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622733773
1.952195 y.y.y.y.51426 -> x.x.x.x.10428: psh 187597920 ack 3622733773
1.952202 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598190
1.952203 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598190
1.952203 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598190
1.952266 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622733773 ack 187598190
1.952267 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622733773 ack 187598190
1.952268 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622733773 ack 187598190
1.977013 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622733872
1.985113 y.y.y.y.51426 -> x.x.x.x.10428: psh 187598190 ack 3622733872
1.985852 x.x.x.x.10428 -> y.y.y.y.51426: 3622733872 ack 187598499
1.985854 x.x.x.x.10428 -> y.y.y.y.51426: 3622733872 ack 187598499
1.985856 x.x.x.x.10428 -> y.y.y.y.51426: 3622733872 ack 187598499
1.985862 x.x.x.x.10428 -> y.y.y.y.51426: 3622735272 ack 187598499
1.985863 x.x.x.x.10428 -> y.y.y.y.51426: 3622735272 ack 187598499
1.985863 x.x.x.x.10428 -> y.y.y.y.51426: 3622735272 ack 187598499
1.985867 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622736672 ack 187598499
1.985868 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622736672 ack 187598499
1.985868 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622736672 ack 187598499
1.986552 x.x.x.x.10428 -> y.y.y.y.51426: 3622737968 ack 187598499
1.986553 x.x.x.x.10428 -> y.y.y.y.51426: 3622737968 ack 187598499
1.986554 x.x.x.x.10428 -> y.y.y.y.51426: 3622737968 ack 187598499
2.012039 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622736672
2.012153 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622739368
2.012159 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622739368 ack 187598499
2.012160 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622739368 ack 187598499
2.012161 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622739368 ack 187598499
2.037159 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622740362
2.037164 y.y.y.y.51426 -> x.x.x.x.10428: psh 187598499 ack 3622740362
2.037269 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622740362 ack 187598573
2.037271 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622740362 ack 187598573
2.037272 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622740362 ack 187598573
2.052153 y.y.y.y.51426 -> x.x.x.x.10428: psh 187598573 ack 3622740362
2.058147 x.x.x.x.10428 -> y.y.y.y.51426: 3622740633 ack 187598968
2.058148 x.x.x.x.10428 -> y.y.y.y.51426: 3622740633 ack 187598968
2.058149 x.x.x.x.10428 -> y.y.y.y.51426: 3622740633 ack 187598968
2.058189 x.x.x.x.10428 -> y.y.y.y.51426: psh fin 3622742033 ack 187598968
2.058190 x.x.x.x.10428 -> y.y.y.y.51426: psh fin 3622742033 ack 187598968
2.058190 x.x.x.x.10428 -> y.y.y.y.51426: psh fin 3622742033 ack 187598968
2.067009 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622740633
2.077091 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622742033
2.090139 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622742316
2.090193 y.y.y.y.51426 -> x.x.x.x.10428: fin 187598968 ack 3622742316
2.090198 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598969
2.090199 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598969
2.090200 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598969
2.090202 y.y.y.y.51426 -> x.x.x.x.10428: rst 187598969 ack 3622742316
32.147357 y.y.y.y.41549 -> x.x.x.x.10428: syn 262275538
32.147381 x.x.x.x.10428 -> y.y.y.y.41549: syn 1399091968 ack 262275539
32.147382 x.x.x.x.10428 -> y.y.y.y.41549: syn 1399091968 ack 262275539
32.147383 x.x.x.x.10428 -> y.y.y.y.41549: syn 1399091968 ack 262275539
32.170816 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399091969
32.178789 y.y.y.y.41549 -> x.x.x.x.10428: psh 262275539 ack 1399091969
32.178796 x.x.x.x.10428 -> y.y.y.y.41549: ack 262276096
32.178797 x.x.x.x.10428 -> y.y.y.y.41549: ack 262276096
32.178798 x.x.x.x.10428 -> y.y.y.y.41549: ack 262276096
32.178969 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399091969 ack 262276096
32.178970 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399091969 ack 262276096
32.178972 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399091969 ack 262276096
32.200806 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399092068
32.208854 y.y.y.y.41549 -> x.x.x.x.10428: psh 262276096 ack 1399092068
32.209357 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092068 ack 262276692
32.209359 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092068 ack 262276692
32.209360 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092068 ack 262276692
32.230753 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399092340
32.230758 y.y.y.y.41549 -> x.x.x.x.10428: psh 262276692 ack 1399092340
32.230878 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092340 ack 262276766
32.230880 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092340 ack 262276766
32.230881 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092340 ack 262276766
32.243981 y.y.y.y.41549 -> x.x.x.x.10428: psh 262276766 ack 1399092340
32.243986 y.y.y.y.41549 -> x.x.x.x.10428: 262277304 ack 1399092340
32.243990 x.x.x.x.10428 -> y.y.y.y.41549: ack 262278704
32.243990 x.x.x.x.10428 -> y.y.y.y.41549: ack 262278704
32.243991 x.x.x.x.10428 -> y.y.y.y.41549: ack 262278704
32.243994 y.y.y.y.41549 -> x.x.x.x.10428: 262278704 ack 1399092340
32.243998 y.y.y.y.41549 -> x.x.x.x.10428: 262280104 ack 1399092340
32.244000 x.x.x.x.10428 -> y.y.y.y.41549: ack 262281504
32.244001 x.x.x.x.10428 -> y.y.y.y.41549: ack 262281504
32.244001 x.x.x.x.10428 -> y.y.y.y.41549: ack 262281504
32.244003 y.y.y.y.41549 -> x.x.x.x.10428: 262281504 ack 1399092340
32.244883 y.y.y.y.41549 -> x.x.x.x.10428: 262282904 ack 1399092340
32.244886 x.x.x.x.10428 -> y.y.y.y.41549: ack 262284304
32.244886 x.x.x.x.10428 -> y.y.y.y.41549: ack 262284304
32.244887 x.x.x.x.10428 -> y.y.y.y.41549: ack 262284304
32.245028 y.y.y.y.41549 -> x.x.x.x.10428: 262284304 ack 1399092340
32.245033 y.y.y.y.41549 -> x.x.x.x.10428: 262285704 ack 1399092340
32.245036 x.x.x.x.10428 -> y.y.y.y.41549: ack 262287104
32.245037 x.x.x.x.10428 -> y.y.y.y.41549: ack 262287104
32.245038 x.x.x.x.10428 -> y.y.y.y.41549: ack 262287104
32.245042 y.y.y.y.41549 -> x.x.x.x.10428: 262287104 ack 1399092340
32.245046 y.y.y.y.41549 -> x.x.x.x.10428: 262288504 ack 1399092340
32.245051 x.x.x.x.10428 -> y.y.y.y.41549: ack 262289904
32.245053 x.x.x.x.10428 -> y.y.y.y.41549: ack 262289904
32.245054 x.x.x.x.10428 -> y.y.y.y.41549: ack 262289904
32.245793 y.y.y.y.41549 -> x.x.x.x.10428: psh 262289904 ack 1399092340
32.255769 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399092611
32.257230 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092611 ack 262291089
32.257231 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092611 ack 262291089
32.257232 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092611 ack 262291089
32.257268 x.x.x.x.10428 -> y.y.y.y.41549: psh fin 1399093148 ack 262291089
32.257269 x.x.x.x.10428 -> y.y.y.y.41549: psh fin 1399093148 ack 262291089
32.257270 x.x.x.x.10428 -> y.y.y.y.41549: psh fin 1399093148 ack 262291089
32.283852 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399093173
32.283905 y.y.y.y.41549 -> x.x.x.x.10428: fin 262291089 ack 1399093173
32.283910 x.x.x.x.10428 -> y.y.y.y.41549: ack 262291090
32.283911 x.x.x.x.10428 -> y.y.y.y.41549: ack 262291090
32.283912 x.x.x.x.10428 -> y.y.y.y.41549: ack 262291090
32.283914 y.y.y.y.41549 -> x.x.x.x.10428: rst 262291090 ack 1399093173
37.563220 y.y.y.y.60270 -> x.x.x.x.500: udp 508
40.740496 y.y.y.y.60270 -> x.x.x.x.500: udp 508
43.810382 y.y.y.y.60270 -> x.x.x.x.500: udp 508
46.848172 y.y.y.y.60270 -> x.x.x.x.500: udp 508
k4tamai
New Contributor II

Hi Patel.

A bit more sniffer output, along with what I see in the IKE debug.

 

//Sniffer

860.770524 y.y.y.y.40561 -> x.x.x.x.500: udp 456
860.770893 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.770895 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.770896 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.831814 y.y.y.y.42195 -> x.x.x.x.4500: udp 640
860.831944 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.831945 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.831947 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.857649 y.y.y.y.42195 -> x.x.x.x.4500: udp 112
860.858177 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.858178 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.858180 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.892641 y.y.y.y.42195 -> x.x.x.x.4500: udp 160
864.005613 y.y.y.y.42195 -> x.x.x.x.4500: udp 160
865.888751 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
865.888752 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
865.888754 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
866.209536 y.y.y.y.42195 -> x.x.x.x.4500: udp 80
866.209970 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.209972 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.209974 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.239476 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
869.389327 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
872.387295 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
875.399058 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
878.388944 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
881.408777 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
 
//IKE

HHHH-FW01 (CSMG) # diagnose vpn ike log-filter src-addr4 y.y.y.y

HHHH-FW01 (CSMG) # diagnose debug application ike -1
Debug messages will be on for 9 minutes.

HHHH-FW01 (CSMG) # diagnose debug enable

HHHH-FW01 (CSMG) # ike change cfg 1 interface 0 router 0 certs 0
ike config update start
ike ike_embryonic_conn_limit = 20000
ike ikecrypt DH multi-process disabled
ike config update done
ike 1: cache rebuild done
ike 2: cache rebuild done
ike 4: cache rebuild done
ike 5: cache rebuild done
ike 6: cache rebuild done
ike 7: cache rebuild done
ike 8: cache rebuild done
ike 9: cache rebuild done
ike 10: cache rebuild done
ike 12: cache rebuild done
ike 14: cache rebuild done
ike 15: cache rebuild done
ike 17: cache rebuild done
ike 35: cache rebuild done
ike 18: cache rebuild done
ike 20: cache rebuild done
ike 21: cache rebuild done
ike 23: cache rebuild done
ike 24: cache rebuild done
ike 25: cache rebuild done
ike 27: cache rebuild done
ike 28: cache rebuild done
ike 29: cache rebuild done
ike 30: cache rebuild done
ike 31: cache rebuild done
ike 33: cache rebuild done
ike 19: cache rebuild done
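
The two captures above (the first with nothing coming back on UDP 500, the second with an IKE exchange that gets answers on 500 and 4500 and then stops) are easier to read as per-flow counts than packet by packet. Here is an added example, my own Python rather than a FortiGate tool, that parses lines in the shape of the sniffer output and labels each IKE flow as no-response, stalled, or ok. The sample lines are constructed to mirror the two captures, and the retransmission threshold `min_retries` is an assumption.

```python
import re

# Ports the FortiGate listens on for IKE (500) and IKE/ESP over UDP with NAT-T (4500).
IKE_PORTS = {500, 4500}

# One packet line of "diagnose sniffer packet ... -4" output:
#   "<seconds> <src-ip>.<sport> -> <dst-ip>.<dport>: <udp | tcp flags ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>\S+)"
)

# Constructed sample in the shape of the two captures above. Duplicate lines that the
# "any" interface produces are dropped; the 60270 flow gets no answer at all, the
# 42195 flow gets answers until its last three packets.
SAMPLE = """\
interfaces=[any]
filters=[host y.y.y.y]
32.283914 y.y.y.y.41549 -> x.x.x.x.10428: rst 262291090 ack 1399093173
37.563220 y.y.y.y.60270 -> x.x.x.x.500: udp 508
40.740496 y.y.y.y.60270 -> x.x.x.x.500: udp 508
43.810382 y.y.y.y.60270 -> x.x.x.x.500: udp 508
46.848172 y.y.y.y.60270 -> x.x.x.x.500: udp 508
860.770524 y.y.y.y.40561 -> x.x.x.x.500: udp 456
860.770893 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.831814 y.y.y.y.42195 -> x.x.x.x.4500: udp 640
860.831944 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.857649 y.y.y.y.42195 -> x.x.x.x.4500: udp 112
860.858177 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.892641 y.y.y.y.42195 -> x.x.x.x.4500: udp 160
864.005613 y.y.y.y.42195 -> x.x.x.x.4500: udp 160
865.888751 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
866.209536 y.y.y.y.42195 -> x.x.x.x.4500: udp 80
866.209970 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.239476 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
869.389327 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
872.387295 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
"""


def parse_sniffer(text):
    """Yield (ts, src, sport, dst, dport, proto) per packet line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m["ts"]), m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["proto"])


def ike_flows(text, gateway):
    """Per IKE flow, keyed by (client_ip, client_port, gateway_port): packets the client
    sent, packets the gateway answered with, and how many client packets have gone
    unanswered since the gateway last replied."""
    flows = {}
    fresh = lambda: {"sent": 0, "replied": 0, "trailing_unanswered": 0}
    for _ts, src, sport, dst, dport, proto in parse_sniffer(text):
        if proto != "udp":
            continue
        if dst == gateway and dport in IKE_PORTS:
            f = flows.setdefault((src, sport, dport), fresh())
            f["sent"] += 1
            f["trailing_unanswered"] += 1
        elif src == gateway and sport in IKE_PORTS:
            f = flows.setdefault((dst, dport, sport), fresh())
            f["replied"] += 1
            f["trailing_unanswered"] = 0
    return flows


def classify_ike_flows(text, gateway, min_retries=2):
    """'no-response' when the gateway never replied and the client retried; 'stalled'
    when it replied earlier but the last min_retries client packets went unanswered;
    otherwise 'ok'. min_retries is an assumption, not a FortiOS value."""
    out = {}
    for key, f in ike_flows(text, gateway).items():
        if f["replied"] == 0 and f["sent"] >= min_retries:
            out[key] = "no-response"
        elif f["trailing_unanswered"] >= min_retries:
            out[key] = "stalled"
        else:
            out[key] = "ok"
    return out


if __name__ == "__main__":
    for key, verdict in sorted(classify_ike_flows(SAMPLE, "x.x.x.x").items()):
        print(key, verdict)
```

A no-response flow on UDP 500 means the first IKE exchange never got an answer, which points at reachability, offloading, or a debug filter on the wrong address rather than at authentication; a flow on 4500 that was answered and then stalls got past the initial exchange and hung later, which is the stage where this thread's fix (the group claim that eap_proxy and fnbamd could not handle) turned out to lie.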

 

FortiArt
Staff

Are you using Windows 10 or Windows 11? Please check this article:

 

https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-Support-for-ARM-Architecture...

 

Things you need to confirm:

1- Confirm that config sys global > set remoteauthtimeout has a high value

2- Force NAT-T on the dialup IPsec VPN and re-test the issue

3- Disable any security software and Windows Defender

4- Try another PC with a different OS and re-test

As above, the debug output will help in finding the root cause.

Hope this helps

 

k4tamai
New Contributor II

Hi Art.
Thank you for your response.

NAT-T is forced and remote auth is set to max for this test scenario.

A clean PC with no Defender has been used to test, as well as an Ubuntu and a Mac client.

As mentioned in Patel's post, we do not receive any IKE debug output, despite our client exchanging packets during the SAML authentication and 3 IKE packets being sent.

 

Kind Regards.

rahulkaushik-22

Hi @k4tamai 

Do you have multiple dialup IPsec tunnels on the firewall? If yes, then use a peer ID to specify the relevant tunnel, with the help of aggressive mode.

Refer to the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia... for more details.

Regards,
Rahul Kaushik

MR RAHUL K KAUSHIK
k4tamai

Hi Rahul.

 

Thank you for your response.

This is the only dialup IPsec in this VDOM.

We have tried using IKEv1 with aggressive mode as well as IKEv2, to no avail.

 

Kind Regards.

Debbie_FTNT

Hey k4tamai,

you could try disabling IPSec offloading, if you have a hardware model:
https://docs.fortinet.com/document/fortigate/7.4.4/hardware-acceleration/636026
That might be why you're not seeing any IKE debug?

 

Aside from that, double-check that you have the correct IPSec configuration to ensure that the FortiClient reaches FortiGate; usually if there is no IKE debug at all, I would assume some kind of connectivity issue, like IKE being blocked on an ISP level (though you did mention you observed some IKE packets, correct?)

 

Cheers,

Debbie

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
k4tamai
New Contributor II

Hi Debbie.

 

Thank you for your response. 

I have tried disabling NPU offloading, with the same result as earlier.

As you can see from my log, the firewall and the client exchange IKE packets (x.x.x.x being the firewall and y.y.y.y being the client) - the IKE debug output remains empty.

 

Kind Regards.
