Troubleshooting FortiClient SAML Authentication Errors for IPsec VPN Connections
Use this when FortiClient IPsec SAML auth opens a browser flow and then reports that the page cannot be reached.
Quick Read
- Symptom: Use this when FortiClient IPsec SAML auth opens a browser flow and then reports that the page cannot be reached.
- Check first: Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
- Risk: Security-sensitive
Symptoms
Users encounter a 'Can't reach this page' error when attempting to connect to an IPsec VPN using FortiClient with SAML authentication.
Environment
FortiClient version 6.4 and above, IPsec VPN configuration on a FortiGate firewall, SAML identity provider configured.
Most Likely Causes
This issue may arise due to misconfiguration in the FortiGate firewall settings, incorrect SAML settings, or network connectivity problems.
What to Check First
- Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
- Verify path, name resolution, authentication, and firewall policy separately so one symptom does not hide multiple failures.
- Check whether the issue is isolated to one client, one subnet, one VPN profile, or every path.
Fix Steps
- Verify FortiGate IPsec VPN Configuration
Ensure that the IPsec VPN settings on the FortiGate firewall are correctly configured for SAML authentication.
Example pattern only. Adjust for your environment before running.
config vpn ipsec phase1-interface
    show
end
config vpn ipsec phase2-interface
    show
end
- Check SAML Configuration on FortiGate
Confirm that the SAML configuration on the FortiGate is properly set up and linked to the identity provider.
Example pattern only. Adjust for your environment before running.
config user saml
    show
end
config user group
    show
end
- Test SAML Authentication
Test the SAML browser handoff without posting credentials from a shell. Capture the redirect host, HTTP status, and any IdP error code, then compare those values with the FortiGate SAML configuration.
Example pattern only. Adjust for your environment before running.
Open the FortiClient SAML browser flow and capture the redirect URL host, HTTP status, and IdP error code without entering credentials into a command line.
- Check FortiClient Logs
Review the logs on the FortiClient for any error messages related to the SAML authentication process.
Example pattern only. Adjust for your environment before running.
1. Open FortiClient.
2. Go to 'Logs'.
3. Select 'VPN' and review the entries for errors.
- Verify Network Connectivity
Ensure that the client machine has network access to the FortiGate and the SAML identity provider.
Example pattern only. Adjust for your environment before running.
ping <FortiGate_IP>
ping <SAML_IDP_URL>
Note: ping takes a hostname or IP address, so use the IdP hostname taken from the SAML URL, not the full URL.
- Check Browser Settings
Ensure that the browser settings do not block the SAML authentication page.
Example pattern only. Adjust for your environment before running.
1. Open the browser settings.
2. Check for any active proxies or VPNs that may interfere.
3. Disable any ad blockers or privacy extensions temporarily.
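The 'Test SAML Authentication' step asks you to capture the redirect URL and compare it with the FortiGate SAML configuration. The following added example (not part of the original article or of any Fortinet tool) decodes the SAMLRequest from a captured HTTP-Redirect binding URL and reports mismatches against the entity ID, ACS URL and IdP SSO URL you copied from `config user saml`; the EXPECTED values and the sample URL builder are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed placeholders: replace with the values shown by `config user saml` / `show`.
EXPECTED = {
    "entity_id": "https://vpn.example.com/remote/saml/metadata/",
    "acs_url": "https://vpn.example.com/remote/saml/login/",
    "idp_sso_url": "https://idp.example.com/saml/sso",
}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(url):
    """Decode the SAMLRequest of an HTTP-Redirect binding URL (base64 of raw DEFLATE)."""
    parts = urlsplit(url)
    encoded = parse_qs(parts.query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(encoded), -15).decode()
    root = ET.fromstring(xml)
    issuer = root.find("saml:Issuer", NS)
    return {
        "idp_sso_url": f"{parts.scheme}://{parts.netloc}{parts.path}",  # host the browser was sent to
        "issuer": issuer.text if issuer is not None else None,           # SP entity ID
        "acs_url": root.get("AssertionConsumerServiceURL"),              # where the IdP posts back
        "destination": root.get("Destination"),
    }

def compare_with_config(fields, expected=EXPECTED):
    """List mismatches between the captured redirect and the FortiGate SAML config."""
    checks = [
        ("issuer", expected["entity_id"]),
        ("acs_url", expected["acs_url"]),
        ("idp_sso_url", expected["idp_sso_url"]),
        ("destination", expected["idp_sso_url"]),
    ]
    return [f"{name}: got {fields[name]!r}, expected {want!r}"
            for name, want in checks if fields[name] != want]

def build_sample_url(idp_sso_url, issuer, acs_url):
    """Constructed sample: encode an AuthnRequest the way the Redirect binding does."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_1" Version="2.0" Destination="{idp_sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml.encode()) + c.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
```

Paste the real redirect URL (copied from the browser address bar before any credentials are entered) into `decode_redirect_request`; an empty list from `compare_with_config` means the SP side matches, so the fault is more likely on the IdP or the network path.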
Validation
- The same client and network path can reach the target after the change.
- Firewall, VPN, DHCP, DNS, or switch logs show allowed traffic or successful negotiation instead of the prior failure.
- A second path check confirms that the fix did not open unintended access or break another subnet.
Logs to Check
- Firewall, VPN, DNS, DHCP, or switch logs for the failing timestamp.
- Client resolver, route table, VPN client, or browser/network diagnostics.
- Packet capture or flow logs when policy and routing disagree.
Rollback and Escalation
- Export or screenshot the original policy, route, resolver, or interface configuration before changing it.
- Remove temporary allow rules, test DNS records, or route changes after validation.
- Restore the previous VPN profile, firewall rule, or switch configuration if reachability worsens.
Escalate When
- Escalate if the same error persists after rollback and a clean retry from the original failing path.
- Escalate if logs show authorization, data loss, certificate, replication, or production availability risk outside the local service owner scope.
Edge Cases
- User is behind a corporate firewall that blocks SAML authentication requests.
- Incorrect time settings on the client machine affecting SAML token validity.
Notes from the Field
- Most network incidents need source and destination evidence. A successful test from an admin laptop does not prove the affected client path is fixed.
- For VPN and firewall changes, keep the blast radius narrow and time-box any temporary allow rule.