Support Forum
Netadmin-Japfa
New Contributor III

Failed on FortiClientVPN with SSO/SAML + MFA using O365 on Android

Hi,

 

I was advised by technical support, based on ticket id 7990064, to find the answer here, because I am using the FortiClient free version, which doesn't come with technical support.

 

I was implementing FortiClient VPN (free) with SSO/SAML + MFA using O365 Azure on Windows/iOS/Android clients, connecting to a FortiGate-501E running FortiOS version 7.0.9, build0444 (GA), and it works very well.

 

The issue on the Android client has happened since both Android 13 and the FortiClient VPN app v7.0.xx were released.

 

When the FortiClient VPN app on Android tries to connect, it automatically redirects the Chrome browser to the O365 Azure login page. The authentication and MFA approval process works fine, but it gets stuck in the browser displaying "This site can't be reached...127.0.0.1 refused to connect" and it never loads the FortiClient VPN app.

Screenshot_20230530_112658_Chrome.jpg

Troubleshooting taken: updating the Chrome app, changing the default browser to Firefox, and downgrading the FortiClient VPN app from v7.0.9 to v7.0.3 did not solve the issue.

 

Please advise and Thanks in advance!

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Netadmin-Japfa
New Contributor III

Hi Anthony,

 

Thanks for your reply, I hope there will be an update from you soon.

Thanks,

kiri
Staff

Hi there,

1. Despite the error, do you have access to the internet?

2. This connection to localhost port 8020 I've never seen in this context; unless I'm missing something, that shouldn't be the case.

https://tcp-udp-ports.com/port-8020.htm

3. If a FCT downgrade didn't do any good, I suspect some changes in Android 13 might have something to do with the issue.

4. On Android/iOS, can you access the web SSL VPN portal? Does the auth work?

5. Do you have the exact same issue on iOS/Windows?

6. I would do a browser trace and see what it is with 127.0.0.1:8020, i.e. who's instructing your client to try to connect there.

https://learn.microsoft.com/en-us/azure/azure-portal/capture-browser-trace

7. Enable debug on FCT and see if you can find any relevant info there.

Can't think of any other questions/suggestions.
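One way to act on point 6 once a browser trace has been captured: the Microsoft article linked above saves the trace as a HAR file, and the script below (an added example, not code from this thread or from Fortinet) walks the HAR entries, finds every 3xx response whose Location header points at a loopback address such as 127.0.0.1, and reports which request issued that redirect and whether the follow-up loopback request was answered or refused. The embedded sample trace, its hostnames and its query string are constructed placeholders and do not describe how FortiClient's real SAML handoff works; the assumption that Chrome marks a failed request with status 0 and a vendor field `response._error` is labelled in the code.

```python
"""Added example: locate the response that redirected a browser to a loopback
URL in a HAR trace, and report how that loopback request fared.
The sample HAR below is constructed; hostnames and query values are placeholders."""
import json
import sys
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def is_loopback(url: str) -> bool:
    """True when the URL points at the local machine."""
    return urlsplit(url).hostname in LOOPBACK_HOSTS


def redirect_target(entry: dict) -> Optional[str]:
    """Absolute URL a 3xx response redirects to, or None for non-redirects."""
    resp = entry["response"]
    if not 300 <= resp.get("status", 0) < 400:
        return None
    for header in resp.get("headers", []):
        if header["name"].lower() == "location":
            # Location may be relative; resolve it against the request URL
            return urljoin(entry["request"]["url"], header["value"])
    return resp.get("redirectURL") or None


def find_loopback_redirects(har: dict) -> List[dict]:
    """For every redirect into a loopback URL, report who issued it and what
    happened to the browser's follow-up request. Assumption: Chrome's HAR export
    records a failed request with status 0 and the reason in response._error."""
    entries = har["log"]["entries"]
    findings = []
    for entry in entries:
        target = redirect_target(entry)
        if not target or not is_loopback(target):
            continue
        # the browser's attempt to load the loopback URL, if it made one
        follow = next((e for e in entries if e["request"]["url"] == target), None)
        resp = follow["response"] if follow else {}
        findings.append({
            "redirected_by": entry["request"]["url"],
            "redirect_status": entry["response"]["status"],
            "loopback_url": target,
            "loopback_port": urlsplit(target).port,
            "loopback_status": resp.get("status"),
            "error": resp.get("_error"),
        })
    return findings


# Constructed sample trace: IdP -> gateway callback -> loopback handoff nobody answers.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://idp.example.com/saml2/acs"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "https://vpn.example.com/saml-callback?state=PLACEHOLDER"}]}},
    {"request": {"method": "GET", "url": "https://vpn.example.com/saml-callback?state=PLACEHOLDER"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "http://127.0.0.1:8020/?state=PLACEHOLDER"}]}},
    {"request": {"method": "GET", "url": "http://127.0.0.1:8020/?state=PLACEHOLDER"},
     "response": {"status": 0, "headers": [], "_error": "net::ERR_CONNECTION_REFUSED"}},
]}}


def load_har(path: str) -> dict:
    """Read a HAR file exported from the browser's developer tools."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # usage: python har_loopback.py trace.har   (falls back to the sample trace)
    har = load_har(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HAR
    for f in find_loopback_redirects(har):
        print(f"{f['redirected_by']} ({f['redirect_status']}) -> {f['loopback_url']} "
              f"status={f['loopback_status']} error={f['error']}")
```

A "status 0 / ERR_CONNECTION_REFUSED" result on the loopback entry, as in the sample, means the redirect itself was issued correctly and nothing on the phone was listening on that port at that moment, which separates a browser-side or IdP-side problem from a client-app problem.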

Netadmin-Japfa
New Contributor III

Hi,
Sorry for my late reply; because support was just fixing my issue, I was not able to reply to this thread.

Anyway, here is my answer:

1. Despite the error, do you have access to the internet?

    Absolutely, because without internet access there is no VPN connection.

2. This connection to localhost port 8020 I've never seen in this context; unless I'm missing something, that shouldn't be the case.

https://tcp-udp-ports.com/port-8020.htm

You should try it in a lab environment so you can have the experience.

3. If a FCT downgrade didn't do any good, I suspect some changes in Android 13 might have something to do with the issue.

I think it is the root cause: some compatibility issue on Android 13 with FCT running SAML + MFA with Azure O365.

4. On Android/iOS, can you access the web SSL VPN portal? Does the auth work?

What do you mean, the FCT web SSL VPN portal or the Azure O365 portal? We only activated tunnel mode on SSL VPN with SAML; if you mean the Azure O365 portal, the auth works fine on either Android or iOS.

5. Do you have the exact same issue on iOS/Windows?

No issue on iOS/Windows/MacOS.

6. I would do a browser trace and see what it is with 127.0.0.1:8020, i.e. who's instructing your client to try to connect there.
https://learn.microsoft.com/en-us/azure/azure-portal/capture-browser-trace

I read the article, but there is no guide on how to open the developer tools in Chrome on Android. Is it possible?

7. Enable debug on FCT and see if you can find any relevant info there.

Please guide me on how to enable debug in FCT on Android, because I can't find it.

Screenshot_20230606_100232_FortiClient VPN.jpg

kiri

Hi there,

Sorry for the late reply.

1. Sorry, I meant access to the resources you're trying to reach through VPN.

Is there?

 

2. Lab is usually reserved for an issue that is reported by multiple users.

And sometimes that is impractical or impossible due to not being able to replicate the environment.

I will ask my team to see if there is an android 13 anywhere for a quick test.

I'm not promising anything.

 

4. Please see this, but I think it's not really necessary to test since the other platforms don't have this issue.

 

SSL VPN web mode

https://docs.fortinet.com/document/fortigate/6.4.13/administration-guide/100733/ssl-vpn-web-mode

 

5. That should be possible, please google it.

 

7. It looks like debug is n/a, maybe that can be done from the OS, I'm not familiar with that.

Netadmin-Japfa
New Contributor III

Hi, 
1. Sure, because it's a production environment.

2. I hope this issue will be acknowledged by your team even if only some users reported it.

 

Based on my experience running SSL VPN using SSO/SAML Azure AD with MFA since 2021, some issues get fixed after new patches are released.

 

Our workaround for Android 13 clients:
- Disabled SSO in the FCT VPN settings.

- Authenticated to VPN using an AD account (no MFA).

 

Many Thanks

kiri

Hi there,

I managed to test this for you.
SSLVPN with SAML (cloud FAC IDP) works fine for me.

FOS 7.2.4
FCT 7.0.9
Android 13, Pixel 6

The issue you're having might be specific to your device.
Have you tried other models?

 

MicrosoftTeams-image (2).jpg

MicrosoftTeams-image (1).jpg

MicrosoftTeams-image.jpg

Netadmin-Japfa
New Contributor III

Hi,


On your test, did you enable MFA?

Here are some client device models having the issue:
Xiaomi Poco X3

Galaxy S23

Galaxy S22 Ultra
Galaxy A73
Galaxy S21
Galaxy A23


If you wish to check further, I can create a test account on my Azure AD and you can set it up on your device.

kiri

I missed that part.

I will test it with azure and mfa for you.

Please give me some time.
