fair_trade
New Contributor II

Forticlient VPN SSO - no error, no init in log

Hi,

 

I'm trying to set up an SSL VPN connection using SSO.

Forticlient VPN version 7.0.7.0246 (deb, Linux) - free version.

 

Setup works on an older computer so I'm trying to figure out why it won't work on a brand new computer.

 

I reach the SSO login (Microsoft) and can successfully authenticate (verified my login).

The little window closes and FortiClient VPN gets stuck at "Connecting".

 

The whole sslvpn.log is:

20231027 13:09:00.374 [sslvpn:INFO] main:1651 Init
20231027 13:09:00.375 [sslvpn:INFO] main:1707 VPN is running in restore DNS mode
20231027 13:09:00.375 [sslvpn:DEBG] dns:364 Restore DNS config
20231027 13:09:00.375 [sslvpn:DEBG] dns:416 No backup file was found. Skip.

 

That's it. No errors or warnings in any of the log files.

On the computer where my setup works the lines after the above mentioned are

<date> [sslvpn:INFO] Init

<date> [sslvpn:INFO] Load profile: <name>

 

 

Additional info. I never reach the stage where I get to accept the server's certificate.

Also I've tried a few other versions of FortiClient.

Running Tuxedo OS, kernel 6.5

 

What do I do now to debug?

 

 

Update

For anyone with similar problems I suggest using 'openconnect'.

 

Do this:

1) Download openconnect, i.e. via 'sudo apt install openconnect'

2) Open a browser and navigate to your sslvpn host, i.e. http://sslvpn.yourdomain.com - and log in using your SAML credentials. When there, use the browser's debugger to read the value of a cookie called SVPNCOOKIE.

In Firefox, press F12, find the tab 'Storage' and on the left side, expand 'Cookies' and click on the URL that appears. To the right, you'll find a cookie called SVPNCOOKIE. Copy the value.

3) Open a terminal and execute:

sudo openconnect --protocol=fortinet sslvpn.yourdomain.com --cookie "SVPNCOOKIE=PASTE-YOUR-VALUE-HERE"     <- NOTE the trailing (")

4) You're now connected.

 

Update 2: 2024-01-02

The problem all this time was a missing package named "gnome-keyring". After I installed this package - everything works.
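
Added example, not part of the original post and not Fortinet or openconnect project code: the openconnect step from the workaround above, with the SVPNCOOKIE session cookie read without echo and handed over on standard input through openconnect's --cookie-on-stdin option, so the value stays out of shell history and the process list. The host name is the placeholder from the post; the function names normalize_cookie and connect_vpn are hypothetical.

```shell
#!/bin/sh
# Added example. VPN_HOST is the placeholder host from the post;
# normalize_cookie and connect_vpn are hypothetical helper names.
VPN_HOST="sslvpn.yourdomain.com"

# Turn whatever was copied from the browser into "SVPNCOOKIE=<value>".
# Whitespace and double quotes picked up while copying are stripped; ';', ','
# and '\' are rejected because RFC 6265 does not allow them in a cookie value.
normalize_cookie() {
    value=$(printf '%s' "$1" | tr -d '[:space:]"')
    value=${value#SVPNCOOKIE=}
    case "$value" in
        ""|*";"*|*","*|*"\\"*) return 1 ;;
    esac
    printf 'SVPNCOOKIE=%s' "$value"
}

connect_vpn() {
    printf 'Paste SVPNCOOKIE value (input hidden): ' >&2
    stty -echo
    IFS= read -r raw
    stty echo
    printf '\n' >&2
    cookie=$(normalize_cookie "$raw") || {
        echo "Not a usable cookie value; copy it again from the browser." >&2
        return 1
    }
    # The cookie travels over the pipe, not argv, so "ps" and shell
    # history never contain the session credential.
    printf '%s\n' "$cookie" |
        sudo openconnect --protocol=fortinet --cookie-on-stdin "$VPN_HOST"
}

# Only connect when asked to, e.g.: sh vpn-cookie.sh connect
if [ "${1:-}" = "connect" ]; then
    connect_vpn
fi
```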

 

 

7 REPLIES
fair_trade
New Contributor II

Did you reply in the wrong thread?

Debbie_FTNT

Hey fair_trade,

I checked some internal resources, and it might be the following:

- FortiClient looks for running Network Manager

-> it tries to interact with it to set up DNS servers, domains, etc

-> this may fail if Network Manager is not allowed to manage network devices

 

It depends a lot on the Linux distribution, but from some references I saw it looks like this should work at least on Ubuntu:

1. add "renderer: NetworkManager" to /etc/netplan/xx-xxxx-config.yaml if not present in the file
2. change "managed" for ifupdown to true in /etc/NetworkManager/NetworkManager.conf if set to false

In addition, there are a number of Linux FortiClient issues under investigation around failures to establish VPN; if you have a FortiClient EMS server under support, I would suggest opening a ticket with the FortiClient team to follow up on that.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
fair_trade

I'm afraid I have neither a '/etc/netplan' folder nor an '/etc/NetworkManager' folder.

The use of 'locate NetworkManager.conf' returned zero results.

 

In my Network Manager, I've tried to set up a VPN connection using OpenVPN and that works flawlessly - so I guess it has permissions to manage network devices.

 

Any further steps I can try?

mle2802
Staff

Hi @fair_trade,

Can you please try to execute the following commands on FortiGate when connecting:

 

diag debug reset
diagnose debug application fnbamd 255
diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable


Please don't attach debug to forum support with your personal information.

Regards,
Minh

fair_trade
New Contributor II

Hi,

 

I have nothing to do with FortiGate as I'm just an end user.

Therefore (I think) I can't execute these commands.

fair_trade
New Contributor II

Update with logs.

 

After the SAML popup closes I get to this state (see image below). It says "Status: Connecting" and after 2 seconds a blue "Disconnect" button appears.

To both be in state Connecting and have the option to disconnect seems rather intuitive.

 

At this stage, I'm not connected to the VPN.

Forticlient.png

 

 

Complete sslvpn.log

20231031 08:01:12.339 [sslvpn:INFO] main:1651 Init
20231031 08:01:12.339 [sslvpn:INFO] main:1707 VPN is running in restore DNS mode
20231031 08:01:12.341 [sslvpn:DEBG] dns:364 Restore DNS config
20231031 08:01:12.341 [sslvpn:DEBG] dns:416 No backup file was found. Skip.

 

Complete renderer.log

[2023-10-31 08:02:52.504] [info] SAML_LOGIN_VPN_RESPONSE
[2023-10-31 08:02:52.517] [info] handleSAMLLoginResp - 1 cookie

 

Complete main.log

[2023-10-31 07:57:01.001] [info] MAIN MainWindow - createWindow Platform detected: fedora
[2023-10-31 07:57:01.017] [info] web-contents-created contents.id=1
[2023-10-31 07:57:01.022] [info] Saml - init
[2023-10-31 07:57:01.023] [info] Saml - listenSamlLoginRequest
[2023-10-31 07:57:04.013] [info] compliance configDir=/home/anders/.config/FortiClient/config
[2023-10-31 07:57:04.015] [info] MAIN did-finish-load
[2023-10-31 07:57:04.016] [info] MAIN ready-to-show
[2023-10-31 07:57:06.582] [info] IPC_RENDERER_REQUEST.LOADED
[2023-10-31 07:57:06.582] [info] WindowManager handleWindowLoaded
[2023-10-31 07:57:06.583] [info] WindowManager handlePossibleProtocolLauncherArgs argv=["/opt/forticlient/gui/FortiClient-linux-x64/FortiClient"]
[2023-10-31 07:57:06.583] [info] WindowManager handleCreateMainWindow
[2023-10-31 07:57:26.956] [info] Saml - IPC_RENDERER_REQUEST.SAML_LOGIN url=https://myurl.com:443/remote/saml/start
[2023-10-31 07:57:26.957] [info] Saml - doSamlAuth samlReq={"connection_name":"MyConnectionName","url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 07:57:26.958] [info] openUrl url=https://myurl.com/remote/saml/start
[2023-10-31 07:57:26.959] [info] web-contents-created contents.id=2
[2023-10-31 07:57:26.963] [info] Saml - loadUrlWithType type=1 url=https://myurl.com/remote/saml/start
[2023-10-31 07:57:27.011] [info] Saml - 'did-finish-load url=https://myurl.com/remote/saml/start'
[2023-10-31 07:57:27.012] [info] logDomainCookies - samlType=1 domain=https://myurl.com
[2023-10-31 07:57:27.012] [info] Saml - handleRedirect url=https://myurl.com/remote/saml/start this.saml={"connection_name":"MyConnectionName","url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 07:57:27.015] [debug] will-navigate parsedUrl=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/saml2?SAMLRequest=MySAMLReque... contents.id=2 messageWindowContentsId=null
[2023-10-31 07:57:27.017] [info] logCookies - No cookies found
[2023-10-31 07:57:27.017] [info] Saml - 'ready-to-show'
[2023-10-31 07:57:27.018] [info] SAML - 'ready-to-show'- authTimeout = 120
[2023-10-31 07:57:27.287] [info] Saml - 'did-finish-load url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/saml2?SAMLRequest=MySAMLReque...'
[2023-10-31 07:57:27.287] [info] logDomainCookies - samlType=1 domain=https://login.microsoftonline.com
[2023-10-31 07:57:27.288] [info] Saml - handleRedirect url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/saml2?SAMLRequest=MySAMLReque... this.saml={"connection_name":"MyConnectionName","url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 07:57:27.290] [debug] will-navigate parsedUrl=https://myurl.com/remote/saml/login contents.id=2 messageWindowContentsId=null
[2023-10-31 07:57:27.291] [info] found cookie with name=brcap
[2023-10-31 07:57:27.291] [info] found cookie with name=wlidperf
[2023-10-31 07:57:27.292] [info] found cookie with name=MicrosoftApplicationsTelemetryDeviceId
[2023-10-31 07:57:27.292] [info] found cookie with name=CCState
[2023-10-31 07:57:27.292] [info] found cookie with name=ESTSAUTHPERSISTENT
[2023-10-31 07:57:27.292] [info] found cookie with name=ESTSAUTH
[2023-10-31 07:57:27.292] [info] found cookie with name=ESTSAUTHLIGHT
[2023-10-31 07:57:27.292] [info] found cookie with name=buid
[2023-10-31 07:57:27.292] [info] found cookie with name=SignInStateCookie
[2023-10-31 07:57:27.292] [info] found cookie with name=fpc
[2023-10-31 07:57:27.293] [info] found cookie with name=esctx
[2023-10-31 07:57:27.293] [info] found cookie with name=x-ms-gateway-slice
[2023-10-31 07:57:27.293] [info] found cookie with name=stsservicecookie
[2023-10-31 07:57:27.294] [info] ----------- onBeforeRequest -----------
[2023-10-31 07:57:27.295] [info] url=https://myurl.com/remote/saml/login method=POST timestamp=1698735447294.7432
[2023-10-31 07:57:27.297] [info] Events - IPC_MAIN_RESPONSE.SAML_LOGIN_VPN_RESPONSE
[2023-10-31 07:57:27.297] [info] Vpn - handleSAMLLoginResp2 samldata.length=7889
[2023-10-31 07:57:27.497] [info] Saml - cleanUp
[2023-10-31 07:57:27.498] [info] Saml - closeServer
[2023-10-31 07:57:27.498] [info] cleanUp - !this.IsWindowDestroyed
[2023-10-31 07:57:27.512] [info] Saml - 'close' state=1
[2023-10-31 07:57:27.513] [info] cancelAndExit state=1
[2023-10-31 07:57:27.513] [info] Saml - closeServer
[2023-10-31 07:57:27.520] [info] Saml - 'closed' state=4
[2023-10-31 07:58:26.185] [info] WindowManager WindowManager - handleWindowClosed
[2023-10-31 07:58:26.186] [info] WindowManager WindowManager - all windows are destroyed. quit the app.
[2023-10-31 08:01:20.279] [info] Platform detected: fedora
[2023-10-31 08:01:20.282] [info] [ '/opt/forticlient/gui/FortiClient-linux-x64/FortiClient' ]
[2023-10-31 08:01:20.292] [info] Saml - init
[2023-10-31 08:01:21.139] [info] compliance configDir=/home/anders/.config/FortiClient/config
[2023-10-31 08:01:21.142] [info] did-finish-load
[2023-10-31 08:01:21.143] [info] ready-to-show
[2023-10-31 08:01:21.759] [info] Events - IPC_RENDERER_REQUEST.FETCH_INVITATION_CODE inviteCode=null
[2023-10-31 08:01:21.795] [info] IPC_RENDERER_REQUEST.LOADED
[2023-10-31 08:01:21.796] [info] Events - processArgv ["/opt/forticlient/gui/FortiClient-linux-x64/FortiClient"]
[2023-10-31 08:01:49.000] [info] Saml - IPC_RENDERER_REQUEST.SAML_LOGIN url=https://myurl.com:443/remote/saml/start
[2023-10-31 08:01:49.000] [info] Saml - doSamlAuth samlReq={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:01:49.000] [info] openUrl url=https://myurl.com/remote/saml/start
[2023-10-31 08:01:49.004] [info] Saml - loadUrlWithType type=1 url=https://myurl.com/remote/saml/start
[2023-10-31 08:01:49.010] [info] IPC_RENDERER_REQUEST.SAML_LOGIN type=1 queryUrl=https://myurl.com/remote/saml/start
[2023-10-31 08:01:49.083] [info] Saml - 'did-finish-load url=https://myurl.com/remote/saml/start'
[2023-10-31 08:01:49.084] [info] Saml - handleRedirect url=https://myurl.com/remote/saml/start this.saml={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:01:49.085] [info] Saml - 'ready-to-show'
[2023-10-31 08:01:49.085] [info] SAML - 'ready-to-show'- authTimeout = 120
[2023-10-31 08:01:49.488] [info] Saml - 'did-finish-load url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/saml2?SAMLRequest=MySAMLReque...'
[2023-10-31 08:01:49.488] [info] Saml - handleRedirect url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/saml2?SAMLRequest=MySAMLReque... this.saml={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:02:28.689] [info] Saml - 'did-finish-load url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/login'
[2023-10-31 08:02:28.690] [info] Saml - handleRedirect url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/login this.saml={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:02:49.484] [info] Saml - 'did-finish-load url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/login'
[2023-10-31 08:02:49.484] [info] Saml - handleRedirect url=https://login.microsoftonline.com/b657ee06-a9c5-4c72-828e-1b194185b141/login this.saml={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:02:52.313] [info] Saml - 'did-finish-load url=https://login.microsoftonline.com/kmsi'
[2023-10-31 08:02:52.314] [info] Saml - handleRedirect url=https://login.microsoftonline.com/kmsi this.saml={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:02:52.490] [info] Saml - 'did-finish-load url=https://myurl.com/remote/saml/login'
[2023-10-31 08:02:52.491] [info] Saml - handleRedirect url=https://myurl.com/remote/saml/login this.saml={"url":"https://myurl.com:443/remote/saml/start","authTimeout":"120","ignoreCert":false,"type":1}
[2023-10-31 08:02:52.491] [info] Saml - handleSslVpnRedirect url=https://myurl.com/remote/saml/login
[2023-10-31 08:02:52.494] [info] found cookie with name=0
[2023-10-31 08:02:52.695] [info] Saml - cleanUp
[2023-10-31 08:02:52.695] [info] Saml -closeServer
[2023-10-31 08:02:52.696] [info] cleanUp - !this.IsWindowDestroyed
[2023-10-31 08:02:52.707] [info] Saml - 'close' state=1
[2023-10-31 08:02:52.708] [info] cancelAndExit state=1
[2023-10-31 08:02:52.709] [info] Saml -closeServer
[2023-10-31 08:02:52.711] [info] Saml - 'closed' state=4

 

 

fair_trade
New Contributor II

Solved by installing package 'gnome-keyring'.

 

 
