Hi,
I advice by technical support based on the ticket id 7990064 to find the answer in here, because i am using Forticlient free version so didn't come with Technical support.
I was implementing FortiClientVPN (free) with SSO/SAML + MFA using O365 Azure on Windows/IOS/Android clients and connect to a Fortigate-501E running FortiOS version 7.0.9,build0444 (GA) and it works very well.
The issue on Android client happen since both Android13 OS and FortiClient VPN apps v7.0.xx released.
When Forticlient VPN apps on Android trying to connect it will automatically redirect chrome browser to O365 azure login page, the authentication and MFA approval process works fine, but get stuck on browser with displaying "This site can't be reached...127.0.0.1 refused to connect" and it never loads the forticlient VPN apps.
Troubleshooting taken, update chrome apps, changes default browser to firefox , downgrade forticlient vpn apps from v7.0.9 to v7.0.3 not solved the issue
Please advise and Thanks in advance!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi, did you ever get this resolved? We are also facing the same issue, only android devices. Running FortiOS 7.0.12 and FortiClient 7.2.0.0101 on Android. I thought it was something to do with SAML redirect.
set saml-redirect-port 8020
Hi, we still did'nt get the resolved but since microsoft has enforcing number matching in microsoft authenticator push notification for MFA. Somehow the FortiClient on some android v13 device it's working, but the redirect page still has error "This site can't be reached...127.0.0.1 refused to connect". Just skip the error page and reload the FortiClient apps.
I have the same problem on Android with JumpCloud SAML2 authentication configured with two factor authentication.
It's disappointing to pay tens of thousands of euro for all that hardware for our multiple locations and get a downgrade in features compared to the free OpenVPN server. And get pointed to the paid VPN client.
Authentication works on iOS, but not Android 13.
Authentication is configured with JumpCloud SAML2 and 2FA. Works on desktop and on the same Android device from Chrome browser. But not from FortiClient VPN ver. 7.2.0.0101.
After I fill in the password I get to the 2FA screen.
2FA fails with the same error on both options:
(a) JumpCloud Android push app for 2FA
(b) manual input of 6 character TOTP
See settings and error attached.
Hello @Netadmin-Japfa ,
Did it works when you disable the MFA? If yes, try disabling the hardware acceleration using following commands:
config system global
set sslvpn-kxp-hardware-acceleration disable
set sslvpn-cipher-hardware-acceleration disable
end
Hi @dbhavsar ,
We following your instruction but didn't solved the issue, some brand with android version 13 (xiomi, Redmi, oppo, samsung S10 and other) still having the issue.
for example i am using galaxy ultra s22 the Forticlient VPN + Azure MFA connection works fine after received patch update but this error below still shown.
Hi, I had a ticket with Fortinet open about this it was suggested to do the following:
On the FortiGate SSL VPN settings, redirection to an external browser is disabled by setting the saml-redirect-port to 0, so it will disable the redirection to an external browser.
I've not had time to test this but will be doing so shortly.
set saml-redirect-port 0
Created on 09-25-2023 06:26 PM Edited on 09-25-2023 06:34 PM
Hi @markd-bit ,
I've checked on my fortigate using FortiOS v7.0.12 in "config vpn ssl settings" there is no "set saml-redirect-port 0".
But I've tested 2 configurations :
- "set saml-redirect-port 8020" changes happen to ios client vpn cannot connected, on android13 client solved the error page in browser "This site can't be reached...127.0.0.1 refused to connect" (127.0.0.1:8020) but some android13 still cannot connect.
- "set saml-redirect-port 0" no changes happen,
Thanks anyway...
Created on 10-31-2023 01:07 PM Edited on 11-01-2023 02:46 PM
Hi,
The problem is that the Forticlient VPN App does not keep running in the background when focus another app, like the external browser or the google authenticathor (for 2FA purposes).
And so, 127.0.0.1:8020 (that is the port of the APP waiting for the return) does not exist anymore and then the error occours.
Even at the recents app, the Fortclient VPN disappears and is not possible to return to it.
Why not showing it at the recents app?
A simple solution for this is letting Forticlient VPN APP running as a service, so 127.0.0.1:8020 will always be there!
Based on the information in this thread already, I was able to get it to work.
In the FortiClient VPN settings, click on the Hamburger menu, then Android Settings.
Under Advanced look for Display over other apps (or something similar) and click to enable/allow that.
Once that's set, the application will remain available while the authentication does it's thing and returns from the SSO provider.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.