Hi,
I advice by technical support based on the ticket id 7990064 to find the answer in here, because i am using Forticlient free version so didn't come with Technical support.
I was implementing FortiClientVPN (free) with SSO/SAML + MFA using O365 Azure on Windows/IOS/Android clients and connect to a Fortigate-501E running FortiOS version 7.0.9,build0444 (GA) and it works very well.
The issue on Android client happen since both Android13 OS and FortiClient VPN apps v7.0.xx released.
When Forticlient VPN apps on Android trying to connect it will automatically redirect chrome browser to O365 azure login page, the authentication and MFA approval process works fine, but get stuck on browser with displaying "This site can't be reached...127.0.0.1 refused to connect" and it never loads the forticlient VPN apps.
Troubleshooting taken, update chrome apps, changes default browser to firefox , downgrade forticlient vpn apps from v7.0.9 to v7.0.3 not solved the issue
Please advise and Thanks in advance!
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Anthony,
Thanks for your reply, I hope will be update from you soon.
Thanks,
Hi there,
1. despite the error, do you have access to internet?
2. this connection to localhost port 8020 I've never seen in this context
unless I'm missing something, that shouldn't be the case
https://tcp-udp-ports.com/port-8020.htm
3. if a FCT downgrade didn't do any good, I suspect some changes in Android 13 might have something to do with the issue
4. on Android/Ios, can you access the web SSL vpn portal? Does the auth work?
5. do you have the exact same issue on IOS/Windows?
6. I would do a browser trace and see what is it with 127.0.0.1:8020, who's instructing your client to try to connect here
https://learn.microsoft.com/en-us/azure/azure-portal/capture-browser-trace
7. enabled debug on FCT and see if you can find any relevant info there
Can't think of any other questions/suggestions.
Hi,
Sorry for my late reply because support just fixing my issue not able to reply to this thread.
Anyway here is my answer :
1. despite the error, do you have access to internet?
absolutely, because without internet access no vpn connection.
2. this connection to localhost port 8020 I've never seen in this context
unless I'm missing something, that shouldn't be the case
https://tcp-udp-ports.com/port-8020.htm
You should try it on lab environment so you can have the experience.
3. if a FCT downgrade didn't do any good, I suspect some changes in Android 13 might have something to do with the issue. I think it is the root cause, some compatibility issue on Android13 with FCT that running SAML + MFA with Azure O365.
4. on Android/Ios, can you access the web SSL vpn portal? Does the auth work?
What do you mean the FCT web SSLVPN portal or Azure O365 portal? because we only actived Tunnel mode on SSLVPN with SAML, if you mean Azure O365 portal the auth work fine either on Android or IOS.
5. do you have the exact same issue on IOS/Windows?
No issue on IOS/Windows/MacOS
6. I would do a browser trace and see what is it with 127.0.0.1:8020, who's instructing your client to try to connect here
https://learn.microsoft.com/en-us/azure/azure-portal/capture-browser-trace
I read the article but no guide how to open developer tool in Chrome on Android. Is it possible?
7. enabled debug on FCT and see if you can find any relevant info there
Please guide me how to enabled debug in FCT on Android, because i cannt find it
Hi there,
Sorry for the late reply.
1. Sorry, I meant access to the resources you're trying to reach thru VPN.
Is there?
2. Lab is usually reserved for an issue that is reported by multiple users.
And sometimes that is impractical or impossible due to not being able to replicate the environment.
I will ask my team to see if there is an android 13 anywhere for a quick test.
I'm not promising anything.
4.Please see this, but I think it's not really necessary to test since the other platforms don't have this issue.
SSL VPN web mode
https://docs.fortinet.com/document/fortigate/6.4.13/administration-guide/100733/ssl-vpn-web-mode
5. That should be possible, please google it.
7. It looks like debug is n/a, maybe that can be done from the OS, I'm not familiar with that.
Hi,
1. Sure, because its production environment.
2. I hope this issue will be acknowledge by your team even only some user reported.
Based on my experience running SSLVPN using SSO/SAML Azure AD with MFA since 2021, some issue will be fixed after new patches released.
Our workaround for android 13 client :
- Disabled SSO in FCT VPN settings.
- Authenticated to VPN using AD account. (no MFA)
Many Thanks
hi there,
I managed to test this for you.
SSLVPN with SAML (cloud FAC IDP) works fine for me.
FOS 7.2.4
FCT 7.0.9
Android 13, Pixel 6
The issue you're having might be specific to your device.
Have you tried other models?
Created on 06-15-2023 07:52 PM Edited on 06-16-2023 12:05 AM
Hi,
On your test do you enabled MFA?
Here are some client devices model having issue :
Xioami poco x3
Galaxy S23
Galaxy S22 Ultra
Galaxy A73
Galaxy S21
Galaxy A23
If you wish to futher check, i can create a test account on my azure AD and you can setup it on your device.
I missed that part.
I will test it with azure and mfa for you.
Please give me some time.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.