Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fabs
New Contributor III

cannot longer connect FortiClientVPN 7.2.2.0116 Azure SAML MFA

Hello,

 

since updating iPhone iOS from the last version 16 to the current 17.0.1, connecting via FortiClientVPN is no longer possible. The Azure SAML authentication takes place, but it stops at "Connection".
FortiClient VPN 7.2.2.0116
Fortigate 7.2.5 build1517
Can anyone here report the same problem?

61 REPLIES 61
kcheng
Staff
Staff

Hi,

 

Please try to disable DTLS setting in FortiGate and check if the issue still persists for iOS client:

config vpn ssl settings
    set dtls-tunnel disable
end

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
Rensjeh
New Contributor

Works for me; thank you!!

xDivour
New Contributor II

Thank you @kcheng that also worked for me. Is this a temporary solution and the app will be fixed in a future update? 

kcheng

Hi @xDivour 

 

Thank you for confirming that it worked. I would consider this as a temporary solution. For root cause analysis, we will require the logs from both the client and the FortiGate to further investigate this with our backend team. That said, I would recommend that you open a TAC ticket with us and provide the following debug logs after reverting the DTLS settings:

config vpn ssl settings
    set dtls-tunnel enable
end

diag deb console timestamp enable

diag vpn ssl debug-filter src-addr4 <Client's PublicIP>

diag deb app sslvpn -1

diag deb app samld -1

diag deb en

 

These logs would be helpful for us to further check on the DTLS settings with our backend team. Last but not least, please do upload your configuration file in to the ticket created too.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
Tofer
New Contributor

This is the answer.  Many Thanks Kayzie Cheng!! Our TAM didnt know and wouldnt help.  

kcheng

Hi @Tofer 

 

Thank you very much for your confirmation on this. Technically, free version of FortiClient does not come with TAC support contract if it is the FortiClient issue. But we are also looking into the respective for time being. DTLS is a new feature in FortiClient 7.2.2. We do have some investigation going on with our backend team. Kindly keep an eye on our future FortiClient iOS release notes to check if there is any permanent fix on the respective.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
tofm
New Contributor

Changing DTLS to disable did not fix this for us, IOS devices still stall at connecting. We are on the free version using Azure saml as well.

kcheng

Hi @tofm 

 

This might be a different issue compared to what the rest is observing here. Please create a ticket in https://forticare.fortinet.com and supply the following output:

diag deb console timestamp enable

diag vpn ssl debug-filter src-addr4 <Client's PublicIP>

diag deb app sslvpn -1

diag deb app samld -1

diag deb en

 

Post that, initiate connection from the iOS client. Kindly supply the debug output and your configuration file into the ticket so that the engineer can check further on this.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
tofm
New Contributor

Kcheng, it looks like when I initially disabled DTLS it didn't save. I had done a show full to check that it was disabled and it was but had not saved after that and reverted back to enabled. After confirming its actually disabled now, our VPN IOS users can connect again.

kcheng

Hi @tofm 

 

That is good to know. Do keep an eye on our future release that fixes the respective where you can then reenable DTLS configuration on the FortiGate.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors