Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
usmanjawa
New Contributor

Created on ‎03-21-2023 10:36 PM

Remote access SSL VPN with Cisco Anyconnect on Fortigate

Hi, I am a beginner who just started my journey with Fortigate.  I am using Cisco ASA which is configured with remote access SSL VPN and users connect to VPN through Cisco AnyConnect client.

 

I am implementing FortiGate in the lab environment. I want to find out if it is possible to use Cisco AnyConnect client with FortiGate in SSL VPN?

 

If you happen to know any documentation or video tutorial related to configuration please share.

Labels:
14098
0 Kudos
11 REPLIES 11
gfleming
Staff
Staff

Created on ‎03-24-2023 08:36 AM

SSL VPN technology is often proprietary and does not work across vendors and clients.


IPSec VPN, however is open standard and you can use AnyConnect to initiate an IPSec tunnel to FortiGate.

 

Or, use the free FortiClient VPN for SSL VPN to the FortiGate. NO reason you can't have both installed on your PC.

Cheers,
Graham
12490
per_fiksit
New Contributor

Created on ‎06-23-2023 03:28 AM

Does anybody know if this works? To VPN into FortiGate with Cisco AnyConnect VPN client, using IPSec? 

11748
0 Kudos
gfleming
Staff
Staff
In response to per_fiksit

Created on ‎06-23-2023 09:39 AM

IPsec is an open standard. So any standards-compliant IPSec VPN client will be able to connect to the FortiGate IPSec remote access VPN.

Cheers,
Graham
11726
0 Kudos
mrfelipe
New Contributor

Created on ‎10-27-2023 03:54 AM

Has anyone managed to put together a configuration that works for FortiOS 7.x and Anyconnect 4.x?

10179
0 Kudos
mle2802
Staff
Staff
In response to mrfelipe

Created on ‎10-27-2023 07:14 AM

Hi @mrfelipe

SSL VPN is not supposed to work with AnyConnect. You can either use SSL VPN web mode or tunnel mode with FortiClient. If you wish to use AnyConnect, you can configure Ipsec on FortiGate for this.

Regards,
Minh

10164
0 Kudos
mrfelipe
New Contributor
In response to mle2802

Created on ‎10-27-2023 07:48 AM

I understand that SSLVPN is work only Forticlient, but in this case i tried to setup an ipsec vpn with anyconnect but i can't connect, on Forti side error is: ike V=root:0:d81232e7c2e796be/0000000000000000:383336: unexpected payload type 47

10156
0 Kudos
mle2802
Staff
Staff
In response to mrfelipe

Created on ‎10-27-2023 07:51 AM

Hi @mrfelipe,

In this case, can you try to execute this command on FortiGate when try to connect VPN:

diag debug reset 
diagnose vpn ike log filter rem-addr4  
diagnose debug application ike  -1 
diag debug enable 

Regards,
Minh

10153
0 Kudos
mrfelipe
New Contributor
In response to mle2802

Created on ‎10-27-2023 08:03 AM

Hi mle2808

 

ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: responder received SA_INIT msg
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (19): CISCO-DELETE-REASON
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (55): CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc.
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (20): CISCO-ANYCONNECT-EAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (15): 434953434F2D4752452D4D4F444503
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (16): 434953434F2D4E47452D4C4556454C03
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (22): CISCO-ANYCONNECT-STRAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (25): CISCO-ANYCONNECT-STRAP-DH
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: unexpected payload type 47
ike V=root:0: comes 45.95.45.199:37014->212.108.232.11:500,ifindex=29,vrf=0....
ike V=root:0: IKEv2 exchange=SA_INIT id=d1a0e69ef9568be9/0000000000000000 len=698
ike 0: in D1A0E69EF9568BE900000000000000002120220800000000000002BA220001140200007C0101000D0300000C01000014800E01000300000C01000014800E00C00300000C01000014800E008003000008020000060300000802000007030000080200000503000008020000020300000803000000030000080400001303000008040000140300000804000015030000080400000F000000080400001000000094020100100300000C0100000C800E01000300000C0100000C800E00C00300000C0100000C800E00800300000802000006030000080200000703000008020000050300000802000002030000080300000C030000080300000D0300000803000002030000080300000E030000080400001303000008040000140300000804000015030000080400000F00000008040000102800004800130000B46FE15BD23254292D0F86FFB88F6D202EF01E13B6EF8661D181D58D692AD1F186D463E294707FF2EE488B310CF837BBB620326D70A1FFD9C5BD967B5D9715522B000018AE0C8F3A023A7052D8D33F95F4B51F6741FDF6D32B000017434953434F2D44454C4554452D524541534F4E2B00003B434953434F28434F505952494748542926436F7079726967687420286329203230303920436973636F2053797374656D732C20496E632E2B000018434953434F2D414E59434F4E4E4543542D4541502B000013434953434F2D4752452D4D4F4445032B000014434953434F2D4E47452D4C4556454C032B00001A434953434F2D414E59434F4E4E4543542D53545241502900001D434953434F2D414E59434F4E4E4543542D53545241502D44482900001C010040043C23778221BADAA1D12AF0A5E1FC9B752154C6992B00001C01004005BA59DBAC572892EC0D3B7623126001439DA45ED82F0000144048B7D56EBCE88525E7DE7F00D6C2D32900000E010000007038000202400000000800004016
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: responder received SA_INIT msg
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (19): CISCO-DELETE-REASON
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (55): CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc.
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (20): CISCO-ANYCONNECT-EAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (15): 434953434F2D4752452D4D4F444503
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (16): 434953434F2D4E47452D4C4556454C03
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (22): CISCO-ANYCONNECT-STRAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (25): CISCO-ANYCONNECT-STRAP-DH
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: unexpected payload type 47
ike V=root:0: comes 45.95.45.199:37014->212.108.232.11:500,ifindex=29,vrf=0....
ike V=root:0: IKEv2 exchange=SA_INIT id=d1a0e69ef9568be9/0000000000000000 len=698
ike 0: in D1A0E69EF9568BE900000000000000002120220800000000000002BA220001140200007C0101000D0300000C01000014800E01000300000C01000014800E00C00300000C01000014800E0080

10151
0 Kudos
dakotahhurda
New Contributor
In response to mrfelipe

Created on ‎03-26-2025 08:35 AM

Hello, apologies for reviving an old post, but I'm having this exact same problem in 2025. 

Have you (or anyone else reading this) found a solution to this problem? Trying to connect Cisco AnyConnect --> Fortigate IPsec dialup tunnel and finding the exact same logs posted above. 

588
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.