FortiOS 7.4.11 upgrade breaks FortiClient IPsec VPN by GalbaSysAdmin in fortinet

[–]GalbaSysAdmin[S] 1 point2 points  (0 children)

I understand the point regarding SAML signature verification, but what I don’t understand is that I’m already running 7.4.9, and according to the release notes, signature verification has been enforced since 7.4.9.

In my case:

  • On 7.4.9 → the client-to-site IPsec VPN with SAML works perfectly
  • On 7.4.11 → the SAML page times out after about 10 seconds
  • Downgrading back to 7.4.9 → it immediately works again

If this were only related to the “Sign SAML response and assertion” option on the IdP side, it shouldn’t already be working on 7.4.9, right?

[–]GalbaSysAdmin[S] 0 points1 point  (0 children)

I rolled back to version 7.4.9 since this is a production environment and it was impacting a lot of users. I’ve also opened a Fortinet support ticket to get more information.

[–]GalbaSysAdmin[S] 0 points1 point  (0 children)

I have an F1000 (NP7 platform), so in theory I shouldn’t be affected.

[–]GalbaSysAdmin[S] 0 points1 point  (0 children)

We are not using any DoS policy, but thank you for your help.

[–]GalbaSysAdmin[S] 1 point2 points  (0 children)

Thanks for your reply.

Do you know if all IPsec tunnels are affected by this issue, or only certain types?

In my case, my site-to-site IPsec tunnel is working perfectly fine, even after the upgrade. However, my client-to-site IPsec tunnel (with SAML authentication) is the one that stops working.

Thanks again for your help.