Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
forti5
New Contributor II

Created on ‎11-07-2025 08:44 AM Edited on ‎11-07-2025 08:45 AM

IkeV2 VPN with EntraID SAML

IkeV2 VPN with EntraID SAML

 

All configured and working to a point ! SAML authentication works fine but as soon as I authenticate the connection Immediately drops !

Last Disconnect Reason: HostnameResolveNonRecoverableError

 

Can anyone suggest where to start with troubleshooting this ?

 

I've tried the following but found not errors.

diagnose debug application fnbamd -1

diagnose debug application saml -1

diagnose debug application ike -1

diagnose debug application eap_proxy -1

 

error1.png

 

Dj
Dj
Labels:
137
0 Kudos
1 Solution
forti5
New Contributor II
In response to AEK

Created on ‎11-10-2025 01:09 AM Edited on ‎11-10-2025 01:11 AM

now solved. 2 issues.

1. I had to change the default saml setting to - Sign SAML response and assertion

2. In the EMS Remote Access config i had https: , when I should have just had the hostname.

 

saml1.png

 

ras.png

Dj

View solution in original post

Dj
21
0 Kudos
5 REPLIES 5
funkylicious
SuperUser
SuperUser

Created on ‎11-07-2025 09:59 AM

what version are you running on FortiGate ?

"jack of all trades, master of none"
"jack of all trades, master of none"
124
forti5
New Contributor II
In response to funkylicious

Created on ‎11-10-2025 12:59 AM

v7.4.9

Dj
Dj
23
0 Kudos
hpenmetsa
Staff
Staff

Created on ‎11-07-2025 08:27 PM

Hi,

Does this happen to only one user or to all users?

 

Could you please share the output?

 

diagnose debug reset

diagnose vpn ike log-filter dst-addr4 <client public ip>

diagnose debug app ike -1

diagnose debug app eap_proxy -1

diagnose debug app samld -1

diagnose debug enable

 

replicate the issue connecting to a VPN

102
AEK
SuperUser
SuperUser

Created on ‎11-08-2025 01:31 PM

Looks like a DNS issue.

  • Are your DNS queries sent through the tunnel once it is up?
  • Are they served correctly?
  • Is the telemetry server's FQDN resolved with a different address (e.g.: the private IP) once connected?

Try fix these and redo the test.

 
AEK
AEK
51
forti5
New Contributor II
In response to AEK

Created on ‎11-10-2025 01:09 AM Edited on ‎11-10-2025 01:11 AM

now solved. 2 issues.

1. I had to change the default saml setting to - Sign SAML response and assertion

2. In the EMS Remote Access config i had https: , when I should have just had the hostname.

 

saml1.png

 

ras.png

Dj
Dj
22
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.