Troubleshooting FortiClient SAML Authentication Errors for IPSEC VPN Connections
Use this when FortiClient IPsec SAML auth opens a browser flow and then reports that the page cannot be reached.
Quick Read
- Symptom: Use this when FortiClient IPsec SAML auth opens a browser flow and then reports that the page cannot be reached.
- Check first: Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
- Risk: Security-sensitive
Symptoms
Users encounter a 'Can't reach this page' error when attempting to connect to an IPSEC VPN using FortiClient with SAML authentication.
Environment
FortiClient version 6.4 and above, IPSEC VPN configuration on FortiGate firewall, SAML identity provider configured.
Most Likely Causes
This issue may arise due to misconfiguration in the FortiGate firewall settings, incorrect SAML settings, or network connectivity problems.
What to Check First
- Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
- Verify path, name resolution, authentication, and firewall policy separately so one symptom does not hide multiple failures.
- Check whether the issue is isolated to one client, one subnet, one VPN profile, or every path.
Insight Cluster
Parent question: How do we isolate edge and secure-access incidents by separating provider handoff, switching, VPN/auth, and policy enforcement before broad network changes?
- Planning Network Edge, Access, VPN, and Switching Failures Without Guessing (parent Insight)
- Comparing Network Edge Validation Paths for DHCP, VPN, Switching, and Policy Failures (supporting Insight)
- Network Edge Evidence-First Comparison Between Good and Broken Paths (supporting Insight)
- Troubleshooting CORS Error: Permission Denied for Requests in Chrome on Office Network (tactical leaf)
- Troubleshooting LACP Sub-Interfaces Communication Issues with Core Switches (tactical leaf)
- OPNsense WAN DHCP failure after a MAC address or ISP lease change (tactical leaf)
- Accelerating Discovery for Stuck Switches in Stack (tactical leaf)
- Troubleshooting Cisco Catalyst Stack Switch Discovery Issues (tactical leaf)
- Troubleshooting IPsec Connectivity Issues on pfSense with DrayTek (tactical leaf)
- Troubleshooting Zscaler ZCC VDI Intune Win32 App Command-Line Limit Failures (tactical leaf)
- Troubleshooting IPSec VPN Issues on FG-90G Firmware 7.4.11 (tactical leaf)
- This parent cluster is meant to stop network edge and secure-access pages from being treated as disconnected firewall, VPN, and switching incidents.
- The supporting pages frame branch selection and good-vs-broken comparison before the reader drops into exact WAN, stack, VPN, or policy failures.
Fix Steps
- Verify FortiGate IPSEC VPN Configuration
Ensure that the IPSEC VPN settings on the FortiGate firewall are correctly configured for SAML authentication.
Example pattern only. Adjust for your environment before running.
config vpn ipsec phase1-interface
    show
end
config vpn ipsec phase2-interface
    show
end
- Check SAML Configuration on FortiGate
Confirm that the SAML configuration on the FortiGate is properly set up and linked to the identity provider.
Example pattern only. Adjust for your environment before running.
config user saml
    show
end
config user group
    show
end
- Test SAML Authentication
Test the SAML browser handoff without posting credentials from a shell. Capture the redirect host, HTTP status, and any IdP error code, then compare those values with the FortiGate SAML configuration.
Example pattern only. Adjust for your environment before running.
Open the FortiClient SAML browser flow and capture the redirect URL host, HTTP status, and IdP error code without entering credentials into a command line.
- Check FortiClient Logs
Review the logs on the FortiClient for any error messages related to the SAML authentication process.
Example pattern only. Adjust for your environment before running.
  - Open FortiClient.
  - Go to 'Logs'.
  - Select 'VPN' and review the entries for errors.
- Verify Network Connectivity
Ensure that the client machine has network access to the FortiGate and the SAML identity provider.
Example pattern only. Adjust for your environment before running.
ping <FortiGate_IP>
ping <SAML_IdP_hostname>
Use the IdP hostname, not the full URL; ping cannot resolve a URL. ICMP is often filtered, so a failed ping is not proof of a blocked path: also confirm that TCP 443 to both hosts opens from the affected client, since that is what the browser handoff actually needs.
- Check Browser Settings
Ensure that the browser settings do not block the SAML authentication page.
Example pattern only. Adjust for your environment before running.
  - Open browser settings.
  - Check for any active proxies or VPNs that may interfere.
  - Disable any ad blockers or privacy extensions temporarily.
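The steps above ask for two things that are easy to get wrong by hand: proving the path to the FortiGate and the IdP without relying on ICMP, and reading the captured SAML redirect to see whether the values inside it match the FortiGate SAML configuration. The Python script below is an added example for this page; it is not Fortinet code and not part of the original steps. It separates name resolution from a TCP connect on the HTTPS port, decodes a SAMLRequest from an HTTP-Redirect binding URL (raw DEFLATE, base64, URL-encoding) without ever posting credentials, compares the Issuer and AssertionConsumerServiceURL with the expected FortiGate entity ID and login URL, and flags clock skew between the request's IssueInstant and the current time, which is the edge case that silently invalidates SAML tokens. The hostnames, the entity ID and ACS paths, and the sample AuthnRequest are constructed placeholders, not values captured from a FortiGate.

```python
"""Offline checks for a FortiClient SAML browser handoff (added example, not Fortinet code)."""
import base64
import socket
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders standing in for the FortiGate SP values and the IdP SSO URL.
FGT_ENTITY_ID = "https://vpn.example.com/remote/saml/metadata/"
FGT_ACS_URL = "https://vpn.example.com/remote/saml/login"
IDP_SSO_URL = "https://idp.example.com/saml2/sso"


def check_path(host, port=443, timeout=3.0):
    """Separate name resolution from TCP reachability for one host.

    ping only proves ICMP, which is often filtered; the browser handoff needs
    DNS plus a TCP connect on the HTTPS port, so test those two things apart.
    """
    result = {"host": host, "resolved": None, "tcp_ok": False, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(host)
    except socket.gaierror as exc:
        result["error"] = f"dns: {exc}"
        return result
    try:
        with socket.create_connection((result["resolved"], port), timeout=timeout):
            result["tcp_ok"] = True
    except OSError as exc:
        result["error"] = f"tcp/{port}: {exc}"
    return result


def encode_redirect_saml_request(authn_request_xml, idp_sso_url):
    """Build an HTTP-Redirect binding URL: raw DEFLATE, then base64, then URL-encode.

    Used here only to construct sample input; the SP does this when it sends
    the client's browser to the IdP.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    token = base64.b64encode(deflated).decode()
    return f"{idp_sso_url}?{urlencode({'SAMLRequest': token})}"


def decode_redirect_saml_request(url):
    """Reverse the binding: parse_qs URL-decodes, then base64, then raw inflate."""
    token = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(token), -15).decode()


def _parse_utc(value):
    """Accept an ISO-8601 timestamp with a trailing Z or an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_redirect(url, expected_issuer, expected_acs, now=None, max_skew_s=300):
    """Compare a captured redirect URL against the expected FortiGate SAML config.

    Returns the redirect host, the SP values found in the AuthnRequest, whether
    each matches, and whether IssueInstant is within max_skew_s of 'now'.
    """
    now = _parse_utc(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(decode_redirect_saml_request(url))
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text if issuer_el is not None else None
    acs = root.get("AssertionConsumerServiceURL")
    skew_s = abs((now - _parse_utc(root.get("IssueInstant"))).total_seconds())
    report = {
        "redirect_host": urlsplit(url).hostname,
        "issuer": issuer, "issuer_ok": issuer == expected_issuer,
        "acs": acs, "acs_ok": acs == expected_acs,
        "skew_s": skew_s, "skew_ok": skew_s <= max_skew_s,
        "findings": [],
    }
    if not report["issuer_ok"]:
        report["findings"].append("Issuer does not match the FortiGate SAML entity ID")
    if not report["acs_ok"]:
        report["findings"].append("ACS URL does not match the FortiGate SAML login URL")
    if not report["skew_ok"]:
        report["findings"].append(f"IssueInstant is {skew_s:.0f}s from now; check client and gateway clocks")
    return report


# Constructed sample AuthnRequest shaped like a SAML 2.0 SP request (not a FortiGate capture).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" '
    f'AssertionConsumerServiceURL="{FGT_ACS_URL}">'
    f"<saml:Issuer>{FGT_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
)
SAMPLE_REDIRECT_URL = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST, IDP_SSO_URL)

if __name__ == "__main__":
    print(inspect_saml_redirect(SAMPLE_REDIRECT_URL, FGT_ENTITY_ID, FGT_ACS_URL, now="2024-05-01T10:00:30Z"))
    print(check_path("vpn.example.com"))  # placeholder host; expect a dns or tcp error here
```

To use it on a real incident, copy the IdP redirect URL from the browser's address bar or network tab after FortiClient opens the flow (before any credentials are entered), pass it to inspect_saml_redirect together with the entity ID and login URL shown by `config user saml` / `show` on the FortiGate, and run check_path against the FortiGate address and the IdP hostname from the affected client rather than from an admin laptop.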
Validation
- The same client and network path can reach the target after the change.
- Firewall, VPN, DHCP, DNS, or switch logs show allowed traffic or successful negotiation instead of the prior failure.
- A second path check confirms that the fix did not open unintended access or break another subnet.
Logs to Check
- Firewall, VPN, DNS, DHCP, or switch logs for the failing timestamp.
- Client resolver, route table, VPN client, or browser/network diagnostics.
- Packet capture or flow logs when policy and routing disagree.
Rollback and Escalation
- Export or screenshot the original policy, route, resolver, or interface configuration before changing it.
- Remove temporary allow rules, test DNS records, or route changes after validation.
- Restore the previous VPN profile, firewall rule, or switch configuration if reachability worsens.
Escalate When
- Escalate if the same error persists after rollback and a clean retry from the original failing path.
- Escalate if logs show authorization, data loss, certificate, replication, or production availability risk outside the local service owner scope.
Edge Cases
- User is behind a corporate firewall that blocks SAML authentication requests.
- Incorrect time settings on the client machine affecting SAML token validity.
Notes from the Field
- Most network incidents need source and destination evidence. A successful test from an admin laptop does not prove the affected client path is fixed.
- For VPN and firewall changes, keep the blast radius narrow and time-box any temporary allow rule.