Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
k4tamai
New Contributor II

Created on ‎09-09-2024 09:11 AM Edited on ‎09-09-2024 09:16 AM

Forticlient IPSEC w/ SAML stuck in connecting

Hi Guys.

 

I have starved my own knowledge and googlefu so i hope someone in here can help me.

We are transitioning from SSLVPN to IPSEC VPN and want to keep using our SAML setup.

 

When trying to connect to the IPSEC VPN tunnel i get prompted with my SAML prompt, enter my credentials, log in and the client then hangs in "Connecting".

In my debug i see the SAML request being processed and completes as it should but i see no IKE debug prompts.
Nothing appears in my VPN log either. 
The only thing i can see is in my Forticlient, where i get an error regarding power which i reckon is not related to this.

 

When connecting to the SSLVPN (same public IP, different ports ofc.) i go straight through and connect with no issues.

 

Does anyone have any idea why i am stuck in "Connected" when my SAML request is processed?

Kind Regards

EDIT:
We have tested with Forticlient versions 7.2.4, 7.2.5 and 7.4.0 and with different vendors of net adapters and from different locations.

Labels:
703
0 Kudos
10 REPLIES 10
tpatel
Staff
Staff

Created on ‎09-09-2024 01:36 PM

Hello Sir, Can you please run IKE debug  with remote gateway address as public ip address of client machine. 

diag vpn ike log-filter rem-addr4 x.x.x.x    instead of x.x.x.x please write public IP.

diag debug app ike -1
diag debug enable    ---> to enable debug 

 

diag debug enable   -> disable debug.

 

Can you please provide us log.

538
k4tamai
New Contributor II
In response to tpatel

Created on ‎09-10-2024 01:03 AM Edited on ‎09-10-2024 01:06 AM

Hi Patel.

 

Thank you for your response.

As mentioned in my post we do not receive any output from IKE debug. 
I do however see the traffic coming with a diag sniffer.

In this case X.X.X.X is our firewall and Y.Y.Y.Y is my external host.

We pass the SAML Authentication and the connection the client is then stuck in "Connecting" after the 3 IKE packets. 
See sniffer output below.

 

Kind Regards.

 

HHHH-FW01 (CSMG) # diagnose sniffer packet any "host y.y.y.y" -4
interfaces=[any]
filters=[host y.y.y.y]
0.912516 y.y.y.y.40114 -> x.x.x.x.10428: syn 2427900181
0.912537 x.x.x.x.10428 -> y.y.y.y.40114: syn 2141296080 ack 2427900182
0.912538 x.x.x.x.10428 -> y.y.y.y.40114: syn 2141296080 ack 2427900182
0.912539 x.x.x.x.10428 -> y.y.y.y.40114: syn 2141296080 ack 2427900182
0.942202 y.y.y.y.40114 -> x.x.x.x.10428: ack 2141296081
0.947202 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900182 ack 2141296081
0.947210 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900352
0.947211 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900352
0.947211 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900352
0.947651 x.x.x.x.10428 -> y.y.y.y.40114: 2141296081 ack 2427900352
0.947653 x.x.x.x.10428 -> y.y.y.y.40114: 2141296081 ack 2427900352
0.947654 x.x.x.x.10428 -> y.y.y.y.40114: 2141296081 ack 2427900352
0.947661 x.x.x.x.10428 -> y.y.y.y.40114: 2141297481 ack 2427900352
0.947662 x.x.x.x.10428 -> y.y.y.y.40114: 2141297481 ack 2427900352
0.947663 x.x.x.x.10428 -> y.y.y.y.40114: 2141297481 ack 2427900352
0.947666 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141298881 ack 2427900352
0.947667 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141298881 ack 2427900352
0.947667 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141298881 ack 2427900352
0.948443 x.x.x.x.10428 -> y.y.y.y.40114: 2141300177 ack 2427900352
0.948444 x.x.x.x.10428 -> y.y.y.y.40114: 2141300177 ack 2427900352
0.948445 x.x.x.x.10428 -> y.y.y.y.40114: 2141300177 ack 2427900352
0.977190 y.y.y.y.40114 -> x.x.x.x.10428: ack 2141300177
0.977198 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141301577 ack 2427900352
0.977199 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141301577 ack 2427900352
0.977200 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141301577 ack 2427900352
0.977203 y.y.y.y.40114 -> x.x.x.x.10428: ack 2141301577
1.012154 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900352 ack 2141302416
1.012529 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302416 ack 2427900478
1.012531 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302416 ack 2427900478
1.012532 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302416 ack 2427900478
1.082191 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900478 ack 2141302658
1.134304 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900680
1.134305 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900680
1.134306 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900680
1.442116 y.y.y.y.40114 -> x.x.x.x.10428: psh 2427900680 ack 2141302658
1.442123 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900745
1.442124 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900745
1.442125 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900745
1.442162 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302658 ack 2427900745
1.442164 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302658 ack 2427900745
1.442165 x.x.x.x.10428 -> y.y.y.y.40114: psh 2141302658 ack 2427900745
1.442208 x.x.x.x.10428 -> y.y.y.y.40114: psh fin 2141302959 ack 2427900745
1.442208 x.x.x.x.10428 -> y.y.y.y.40114: psh fin 2141302959 ack 2427900745
1.442209 x.x.x.x.10428 -> y.y.y.y.40114: psh fin 2141302959 ack 2427900745
1.472181 y.y.y.y.40114 -> x.x.x.x.10428: fin 2427900745 ack 2141302959
1.472188 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900746
1.472188 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900746
1.472189 x.x.x.x.10428 -> y.y.y.y.40114: ack 2427900746
1.472192 y.y.y.y.40114 -> x.x.x.x.10428: rst 2427900746 ack 2141302990
1.601961 y.y.y.y.59873 -> x.x.x.x.10428: syn 1480667310
1.601985 x.x.x.x.10428 -> y.y.y.y.59873: syn 1101761543 ack 1480667311
1.601986 x.x.x.x.10428 -> y.y.y.y.59873: syn 1101761543 ack 1480667311
1.601987 x.x.x.x.10428 -> y.y.y.y.59873: syn 1101761543 ack 1480667311
1.627141 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101761544
1.635159 y.y.y.y.59873 -> x.x.x.x.10428: psh 1480667311 ack 1101761544
1.635166 x.x.x.x.10428 -> y.y.y.y.59873: ack 1480667581
1.635166 x.x.x.x.10428 -> y.y.y.y.59873: ack 1480667581
1.635167 x.x.x.x.10428 -> y.y.y.y.59873: ack 1480667581
1.635265 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101761544 ack 1480667581
1.635267 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101761544 ack 1480667581
1.635268 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101761544 ack 1480667581
1.657158 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101761643
1.667085 y.y.y.y.59873 -> x.x.x.x.10428: psh 1480667581 ack 1101761643
1.667870 x.x.x.x.10428 -> y.y.y.y.59873: 1101761643 ack 1480667890
1.667872 x.x.x.x.10428 -> y.y.y.y.59873: 1101761643 ack 1480667890
1.667873 x.x.x.x.10428 -> y.y.y.y.59873: 1101761643 ack 1480667890
1.667880 x.x.x.x.10428 -> y.y.y.y.59873: 1101763043 ack 1480667890
1.667881 x.x.x.x.10428 -> y.y.y.y.59873: 1101763043 ack 1480667890
1.667881 x.x.x.x.10428 -> y.y.y.y.59873: 1101763043 ack 1480667890
1.667885 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101764443 ack 1480667890
1.667886 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101764443 ack 1480667890
1.667886 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101764443 ack 1480667890
1.668569 x.x.x.x.10428 -> y.y.y.y.59873: 1101765739 ack 1480667890
1.668570 x.x.x.x.10428 -> y.y.y.y.59873: 1101765739 ack 1480667890
1.668571 x.x.x.x.10428 -> y.y.y.y.59873: 1101765739 ack 1480667890
1.702084 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101767139
1.702094 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101767139 ack 1480667890
1.702095 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101767139 ack 1480667890
1.702096 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101767139 ack 1480667890
1.727040 y.y.y.y.59873 -> x.x.x.x.10428: ack 1101768133
1.727045 y.y.y.y.59873 -> x.x.x.x.10428: psh 1480667890 ack 1101768133
1.727168 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101768133 ack 1480667964
1.727170 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101768133 ack 1480667964
1.727171 x.x.x.x.10428 -> y.y.y.y.59873: psh 1101768133 ack 1480667964
1.737149 y.y.y.y.59873 -> x.x.x.x.10428: fin 1480667964 ack 1101768133
1.737197 x.x.x.x.10428 -> y.y.y.y.59873: psh fin 1101768404 ack 1480667965
1.737198 x.x.x.x.10428 -> y.y.y.y.59873: psh fin 1101768404 ack 1480667965
1.737199 x.x.x.x.10428 -> y.y.y.y.59873: psh fin 1101768404 ack 1480667965
1.762136 y.y.y.y.59873 -> x.x.x.x.10428: rst 1480667965 ack 1101768404
1.764663 y.y.y.y.46451 -> x.x.x.x.10428: syn 628336186
1.764685 x.x.x.x.10428 -> y.y.y.y.46451: syn 1824811541 ack 628336187
1.764686 x.x.x.x.10428 -> y.y.y.y.46451: syn 1824811541 ack 628336187
1.764687 x.x.x.x.10428 -> y.y.y.y.46451: syn 1824811541 ack 628336187
1.787183 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824811542
1.792116 y.y.y.y.46451 -> x.x.x.x.10428: psh 628336187 ack 1824811542
1.792123 x.x.x.x.10428 -> y.y.y.y.46451: ack 628336457
1.792124 x.x.x.x.10428 -> y.y.y.y.46451: ack 628336457
1.792125 x.x.x.x.10428 -> y.y.y.y.46451: ack 628336457
1.792194 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824811542 ack 628336457
1.792195 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824811542 ack 628336457
1.792196 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824811542 ack 628336457
1.817206 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824811641
1.830176 y.y.y.y.46451 -> x.x.x.x.10428: psh 628336457 ack 1824811641
1.830939 x.x.x.x.10428 -> y.y.y.y.46451: 1824811641 ack 628336766
1.830941 x.x.x.x.10428 -> y.y.y.y.46451: 1824811641 ack 628336766
1.830943 x.x.x.x.10428 -> y.y.y.y.46451: 1824811641 ack 628336766
1.830948 x.x.x.x.10428 -> y.y.y.y.46451: 1824813041 ack 628336766
1.830949 x.x.x.x.10428 -> y.y.y.y.46451: 1824813041 ack 628336766
1.830950 x.x.x.x.10428 -> y.y.y.y.46451: 1824813041 ack 628336766
1.830954 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824814441 ack 628336766
1.830955 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824814441 ack 628336766
1.830955 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824814441 ack 628336766
1.831635 x.x.x.x.10428 -> y.y.y.y.46451: 1824815737 ack 628336766
1.831636 x.x.x.x.10428 -> y.y.y.y.46451: 1824815737 ack 628336766
1.831637 x.x.x.x.10428 -> y.y.y.y.46451: 1824815737 ack 628336766
1.857144 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824814441
1.857151 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824815737
1.857156 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824817137 ack 628336766
1.857157 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824817137 ack 628336766
1.857158 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824817137 ack 628336766
1.857161 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824817137
1.887137 y.y.y.y.46451 -> x.x.x.x.10428: ack 1824818131
1.892137 y.y.y.y.46451 -> x.x.x.x.10428: psh 628336766 ack 1824818131
1.892249 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824818131 ack 628336840
1.892251 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824818131 ack 628336840
1.892252 x.x.x.x.10428 -> y.y.y.y.46451: psh 1824818131 ack 628336840
1.902142 y.y.y.y.46451 -> x.x.x.x.10428: fin 628336840 ack 1824818131
1.902185 x.x.x.x.10428 -> y.y.y.y.46451: psh fin 1824818402 ack 628336841
1.902186 x.x.x.x.10428 -> y.y.y.y.46451: psh fin 1824818402 ack 628336841
1.902187 x.x.x.x.10428 -> y.y.y.y.46451: psh fin 1824818402 ack 628336841
1.917168 y.y.y.y.46451 -> x.x.x.x.10428: rst 628336841 ack 1824818402
1.917468 y.y.y.y.51426 -> x.x.x.x.10428: syn 187597919
1.917488 x.x.x.x.10428 -> y.y.y.y.51426: syn 3622733772 ack 187597920
1.917489 x.x.x.x.10428 -> y.y.y.y.51426: syn 3622733772 ack 187597920
1.917490 x.x.x.x.10428 -> y.y.y.y.51426: syn 3622733772 ack 187597920
1.947144 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622733773
1.952195 y.y.y.y.51426 -> x.x.x.x.10428: psh 187597920 ack 3622733773
1.952202 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598190
1.952203 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598190
1.952203 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598190
1.952266 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622733773 ack 187598190
1.952267 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622733773 ack 187598190
1.952268 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622733773 ack 187598190
1.977013 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622733872
1.985113 y.y.y.y.51426 -> x.x.x.x.10428: psh 187598190 ack 3622733872
1.985852 x.x.x.x.10428 -> y.y.y.y.51426: 3622733872 ack 187598499
1.985854 x.x.x.x.10428 -> y.y.y.y.51426: 3622733872 ack 187598499
1.985856 x.x.x.x.10428 -> y.y.y.y.51426: 3622733872 ack 187598499
1.985862 x.x.x.x.10428 -> y.y.y.y.51426: 3622735272 ack 187598499
1.985863 x.x.x.x.10428 -> y.y.y.y.51426: 3622735272 ack 187598499
1.985863 x.x.x.x.10428 -> y.y.y.y.51426: 3622735272 ack 187598499
1.985867 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622736672 ack 187598499
1.985868 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622736672 ack 187598499
1.985868 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622736672 ack 187598499
1.986552 x.x.x.x.10428 -> y.y.y.y.51426: 3622737968 ack 187598499
1.986553 x.x.x.x.10428 -> y.y.y.y.51426: 3622737968 ack 187598499
1.986554 x.x.x.x.10428 -> y.y.y.y.51426: 3622737968 ack 187598499
2.012039 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622736672
2.012153 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622739368
2.012159 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622739368 ack 187598499
2.012160 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622739368 ack 187598499
2.012161 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622739368 ack 187598499
2.037159 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622740362
2.037164 y.y.y.y.51426 -> x.x.x.x.10428: psh 187598499 ack 3622740362
2.037269 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622740362 ack 187598573
2.037271 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622740362 ack 187598573
2.037272 x.x.x.x.10428 -> y.y.y.y.51426: psh 3622740362 ack 187598573
2.052153 y.y.y.y.51426 -> x.x.x.x.10428: psh 187598573 ack 3622740362
2.058147 x.x.x.x.10428 -> y.y.y.y.51426: 3622740633 ack 187598968
2.058148 x.x.x.x.10428 -> y.y.y.y.51426: 3622740633 ack 187598968
2.058149 x.x.x.x.10428 -> y.y.y.y.51426: 3622740633 ack 187598968
2.058189 x.x.x.x.10428 -> y.y.y.y.51426: psh fin 3622742033 ack 187598968
2.058190 x.x.x.x.10428 -> y.y.y.y.51426: psh fin 3622742033 ack 187598968
2.058190 x.x.x.x.10428 -> y.y.y.y.51426: psh fin 3622742033 ack 187598968
2.067009 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622740633
2.077091 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622742033
2.090139 y.y.y.y.51426 -> x.x.x.x.10428: ack 3622742316
2.090193 y.y.y.y.51426 -> x.x.x.x.10428: fin 187598968 ack 3622742316
2.090198 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598969
2.090199 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598969
2.090200 x.x.x.x.10428 -> y.y.y.y.51426: ack 187598969
2.090202 y.y.y.y.51426 -> x.x.x.x.10428: rst 187598969 ack 3622742316
32.147357 y.y.y.y.41549 -> x.x.x.x.10428: syn 262275538
32.147381 x.x.x.x.10428 -> y.y.y.y.41549: syn 1399091968 ack 262275539
32.147382 x.x.x.x.10428 -> y.y.y.y.41549: syn 1399091968 ack 262275539
32.147383 x.x.x.x.10428 -> y.y.y.y.41549: syn 1399091968 ack 262275539
32.170816 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399091969
32.178789 y.y.y.y.41549 -> x.x.x.x.10428: psh 262275539 ack 1399091969
32.178796 x.x.x.x.10428 -> y.y.y.y.41549: ack 262276096
32.178797 x.x.x.x.10428 -> y.y.y.y.41549: ack 262276096
32.178798 x.x.x.x.10428 -> y.y.y.y.41549: ack 262276096
32.178969 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399091969 ack 262276096
32.178970 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399091969 ack 262276096
32.178972 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399091969 ack 262276096
32.200806 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399092068
32.208854 y.y.y.y.41549 -> x.x.x.x.10428: psh 262276096 ack 1399092068
32.209357 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092068 ack 262276692
32.209359 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092068 ack 262276692
32.209360 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092068 ack 262276692
32.230753 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399092340
32.230758 y.y.y.y.41549 -> x.x.x.x.10428: psh 262276692 ack 1399092340
32.230878 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092340 ack 262276766
32.230880 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092340 ack 262276766
32.230881 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092340 ack 262276766
32.243981 y.y.y.y.41549 -> x.x.x.x.10428: psh 262276766 ack 1399092340
32.243986 y.y.y.y.41549 -> x.x.x.x.10428: 262277304 ack 1399092340
32.243990 x.x.x.x.10428 -> y.y.y.y.41549: ack 262278704
32.243990 x.x.x.x.10428 -> y.y.y.y.41549: ack 262278704
32.243991 x.x.x.x.10428 -> y.y.y.y.41549: ack 262278704
32.243994 y.y.y.y.41549 -> x.x.x.x.10428: 262278704 ack 1399092340
32.243998 y.y.y.y.41549 -> x.x.x.x.10428: 262280104 ack 1399092340
32.244000 x.x.x.x.10428 -> y.y.y.y.41549: ack 262281504
32.244001 x.x.x.x.10428 -> y.y.y.y.41549: ack 262281504
32.244001 x.x.x.x.10428 -> y.y.y.y.41549: ack 262281504
32.244003 y.y.y.y.41549 -> x.x.x.x.10428: 262281504 ack 1399092340
32.244883 y.y.y.y.41549 -> x.x.x.x.10428: 262282904 ack 1399092340
32.244886 x.x.x.x.10428 -> y.y.y.y.41549: ack 262284304
32.244886 x.x.x.x.10428 -> y.y.y.y.41549: ack 262284304
32.244887 x.x.x.x.10428 -> y.y.y.y.41549: ack 262284304
32.245028 y.y.y.y.41549 -> x.x.x.x.10428: 262284304 ack 1399092340
32.245033 y.y.y.y.41549 -> x.x.x.x.10428: 262285704 ack 1399092340
32.245036 x.x.x.x.10428 -> y.y.y.y.41549: ack 262287104
32.245037 x.x.x.x.10428 -> y.y.y.y.41549: ack 262287104
32.245038 x.x.x.x.10428 -> y.y.y.y.41549: ack 262287104
32.245042 y.y.y.y.41549 -> x.x.x.x.10428: 262287104 ack 1399092340
32.245046 y.y.y.y.41549 -> x.x.x.x.10428: 262288504 ack 1399092340
32.245051 x.x.x.x.10428 -> y.y.y.y.41549: ack 262289904
32.245053 x.x.x.x.10428 -> y.y.y.y.41549: ack 262289904
32.245054 x.x.x.x.10428 -> y.y.y.y.41549: ack 262289904
32.245793 y.y.y.y.41549 -> x.x.x.x.10428: psh 262289904 ack 1399092340
32.255769 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399092611
32.257230 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092611 ack 262291089
32.257231 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092611 ack 262291089
32.257232 x.x.x.x.10428 -> y.y.y.y.41549: psh 1399092611 ack 262291089
32.257268 x.x.x.x.10428 -> y.y.y.y.41549: psh fin 1399093148 ack 262291089
32.257269 x.x.x.x.10428 -> y.y.y.y.41549: psh fin 1399093148 ack 262291089
32.257270 x.x.x.x.10428 -> y.y.y.y.41549: psh fin 1399093148 ack 262291089
32.283852 y.y.y.y.41549 -> x.x.x.x.10428: ack 1399093173
32.283905 y.y.y.y.41549 -> x.x.x.x.10428: fin 262291089 ack 1399093173
32.283910 x.x.x.x.10428 -> y.y.y.y.41549: ack 262291090
32.283911 x.x.x.x.10428 -> y.y.y.y.41549: ack 262291090
32.283912 x.x.x.x.10428 -> y.y.y.y.41549: ack 262291090
32.283914 y.y.y.y.41549 -> x.x.x.x.10428: rst 262291090 ack 1399093173
37.563220 y.y.y.y.60270 -> x.x.x.x.500: udp 508
40.740496 y.y.y.y.60270 -> x.x.x.x.500: udp 508
43.810382 y.y.y.y.60270 -> x.x.x.x.500: udp 508
46.848172 y.y.y.y.60270 -> x.x.x.x.500: udp 508
455
0 Kudos
k4tamai
New Contributor II
In response to tpatel

Created on ‎09-10-2024 01:16 AM

Hi Patel.

 

A bit more sniffer output, alongside with what i see in the IKE debug.

 

//Sniffer

860.770524 y.y.y.y.40561 -> x.x.x.x.500: udp 456
860.770893 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.770895 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.770896 x.x.x.x.500 -> y.y.y.y.40561: udp 352
860.831814 y.y.y.y.42195 -> x.x.x.x.4500: udp 640
860.831944 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.831945 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.831947 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
860.857649 y.y.y.y.42195 -> x.x.x.x.4500: udp 112
860.858177 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.858178 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.858180 x.x.x.x.4500 -> y.y.y.y.42195: udp 112
860.892641 y.y.y.y.42195 -> x.x.x.x.4500: udp 160
864.005613 y.y.y.y.42195 -> x.x.x.x.4500: udp 160
865.888751 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
865.888752 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
865.888754 x.x.x.x.4500 -> y.y.y.y.42195: udp 128
866.209536 y.y.y.y.42195 -> x.x.x.x.4500: udp 80
866.209970 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.209972 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.209974 x.x.x.x.4500 -> y.y.y.y.42195: udp 80
866.239476 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
869.389327 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
872.387295 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
875.399058 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
878.388944 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
881.408777 y.y.y.y.42195 -> x.x.x.x.4500: udp 96
 
//IKE

HHHH-FW01 (CSMG) # diagnose vpn ike log-filter src-addr4 y.y.y.y

HHHH-FW01 (CSMG) # diagnose debug application ike -1
Debug messages will be on for 9 minutes.

HHHH-FW01 (CSMG) # diagnose debug enable

HHHH-FW01 (CSMG) # ike change cfg 1 interface 0 router 0 certs 0
ike config update start
ike ike_embryonic_conn_limit = 20000
ike ikecrypt DH multi-process disabled
ike config update done
ike 1: cache rebuild done
ike 2: cache rebuild done
ike 4: cache rebuild done
ike 5: cache rebuild done
ike 6: cache rebuild done
ike 7: cache rebuild done
ike 8: cache rebuild done
ike 9: cache rebuild done
ike 10: cache rebuild done
ike 12: cache rebuild done
ike 14: cache rebuild done
ike 15: cache rebuild done
ike 17: cache rebuild done
ike 35: cache rebuild done
ike 18: cache rebuild done
ike 20: cache rebuild done
ike 21: cache rebuild done
ike 23: cache rebuild done
ike 24: cache rebuild done
ike 25: cache rebuild done
ike 27: cache rebuild done
ike 28: cache rebuild done
ike 29: cache rebuild done
ike 30: cache rebuild done
ike 31: cache rebuild done
ike 33: cache rebuild done
ike 19: cache rebuild done

 

448
0 Kudos
FortiArt
Staff
Staff

Created on ‎09-09-2024 02:14 PM

Are you using Window 10 or Windows 11. Please check this article:

 

https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-Support-for-ARM-Architecture...

 

Things you need to confirm:

1- Confirm the config sys global > set remoteauthtimeout has high value

2-Force NAT-T on the dialup ipsec vpn and re-test the issue

3-Disable any security software and Windows defender

4-Try other PC with different OS and re-test

 

As above the debug output will help in finding the root cause.

 

Hope this help

 

527
k4tamai
New Contributor II
In response to FortiArt

Created on ‎09-10-2024 01:06 AM

Hi Art. 
Thank you for your response. 

NAT-T is forced and remote auth is set to max for this test scenario.

A clean PC with no Defender has been used to test as well as an Ubuntu and Mac client. 

As mentioned in Patels post, we do not receive any IKE debug output despite our client exchanging packets during the SAML authentication and 3 IKE packets being sent. 

 

Kind Regards.

454
0 Kudos
rahulkaushik-22
Staff
Staff

Created on ‎09-09-2024 02:18 PM

Hi @k4tamai 

Do you have multiple dialup IPsec tunnels on the firewall if yes then use peerid to specify the relevant tunnel with the help of aggressive mode?

Refer to the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia... for more details. 

Regards, 
Rahul Kaushik





MR RAHUL K KAUSHIK
525
k4tamai
New Contributor II
In response to rahulkaushik-22

Created on ‎09-10-2024 01:08 AM Edited on ‎09-10-2024 01:17 AM

Hi Rahul.

 

Thank you for your response.

This is the only dialup IPsec in this VDOM.

We have tried using IKEv1 with agressive mode as well as IKEv2 to no avail.

 

Kind Regards.

453
Debbie_FTNT
Staff
Staff
In response to k4tamai

Created on ‎09-10-2024 01:51 AM

Hey k4tamai,

you could try disabling IPSec offloading, if you have a hardware model:
https://docs.fortinet.com/document/fortigate/7.4.4/hardware-acceleration/636026
That might be why you're not seeing any IKE debug?

 

Aside from that, double-check that you have the correct IPSec configuration to ensure that the FortiClient reaches FortiGate; usually if there is no IKE debug at all, I would assume some kind of connectivity issue, like IKE being blocked on an ISP level (though you did mention you observed some IKE packets, correct?)

 

Cheers,

Debbie

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
413
k4tamai
New Contributor II
In response to Debbie_FTNT

Created on ‎09-10-2024 02:06 AM

Hi Debbie.

 

Thank you for your response. 

I have tried disabling NPU offloading with the same result as earlier.

As you can see from my log the Firewall and the client exchanges IKE packets (x.x.x.x being firewall and y.y.y.y being client) - IKE debug output remains empty.

 

Kind Regards.

404
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.