FortiGate
HiralShah
Staff
Article Id 297377
Description

This article describes the case where SSL VPN is configured with SAML authentication and opening the portal in web mode fails with a 400 Bad Request or 403 Forbidden error in the browser.

Scope

FortiGate.
Solution

With SAML authentication configured, SSL VPN web mode returns one of the browser errors below instead of redirecting to the identity provider.

First error page:

Forbidden

You don't have permission to access /remote/saml/start on this server.

Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.

Second error page:

Forbidden

You don't have permission to access /remote/saml/start on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.


SSL VPN debug output (diagnose debug application sslvpn -1) while reproducing the error:

[865:root:219]SSL state:fatal decode error (192.168.141.179)
[865:root:0]ap_read,105, error=1, errno=0 ssl 0x7f75eb5000 Success. error:0A000126:SSL routines::unexpected eof while reading
[865:root:219]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f75ed1800.
[865:root:219]Destroy sconn 0x7f75ed1800, connSize=0. (root)
[864:root:21b]Timeout for connection 0x7f76c36800.
[864:root:21b]Destroy sconn 0x7f76c36800, connSize=0. (root)
[864:root:21b]SSL state:warning close notify (192.168.141.179)

  1. Make sure web-mode is enabled in the SSL VPN portal:


config vpn ssl web portal
    edit "full-access"
        set web-mode enable
    next
end


On a FortiGate where web mode is disabled globally, the CLI rejects the command with the following warning:

Warning:

Note that the legacy SSL VPN web mode feature is disabled by the global sslvpn-web-mode setting.


  2. As the warning indicates, web mode is disabled globally, so it cannot be enabled in the full-access portal until the global setting is changed.

 

Enable the web-mode globally:

config sys global

    set sslvpn-web-mode enable

end

 

After web mode is enabled globally, repeat step 1 to enable it on each portal that requires it; the SSL VPN web mode login with SAML then works as expected.

Note: the CLI warning identifies web mode as a legacy feature, and newer FortiOS builds ship with it disabled globally. Enabling sslvpn-web-mode exposes the web-mode handlers (including /remote/saml/start) on the SSL VPN listener again, so enable it only where a web-mode portal is actually needed and leave it disabled otherwise.
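The following FortiGate CLI session is an added example, not part of the original article or Fortinet documentation, showing how to check the current state before and after the fix and how to capture the SSL VPN debug shown above. It uses the standard FortiOS commands (show full-configuration, show, config, diagnose debug) and the portal name "full-access" from this article; the indented output lines after each show command are illustrative, not copied from a real device.

```fortios
# Added example (not from the article). Lines starting with "#" are annotations.

# 1. Check the global setting. "show full-configuration" also prints values that
#    are still at their default, which a plain "show system global" would omit.
show full-configuration system global | grep sslvpn-web-mode
    set sslvpn-web-mode disable

# 2. Check the portal. If the global setting is disabled, "set web-mode enable"
#    is rejected here with the "legacy SSL VPN web mode" warning.
show vpn ssl web portal full-access

# 3. Enable web mode globally first, then on the portal that needs it.
config system global
    set sslvpn-web-mode enable
end

config vpn ssl web portal
    edit "full-access"
        set web-mode enable
    next
end

# 4. Verify both settings took effect.
show full-configuration system global | grep sslvpn-web-mode
    set sslvpn-web-mode enable
show vpn ssl web portal full-access | grep web-mode
        set web-mode enable

# 5. If the browser still shows the 400/403 page, capture the sslvpn daemon
#    debug while reproducing the request, then turn debugging off again.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
#    ... open the SAML web-mode login in the browser ...
diagnose debug disable
diagnose debug reset
```

Run the verification in step 4 before asking users to retest; a portal that still shows web-mode disabled means the portal-level command from step 1 was not re-applied after the global change.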

 

If the issue persists, contact the TAC team.