I'm trying to connect with a cookie I got from logging in via SSO and it's failing with ERROR: Could not get VPN configuration (HTTP status code). Looking at the verbose output, it seems to be failing with 403 Forbidden.
My SAML login seems to be successful so I'm fairly certain my SVPNCOOKIE value is correct. Any suggestions on how to further troubleshoot this?
Here is the verbose output:
❯ echo "<redacted>" | sudo openfortivpn -v -v -v <reacted>.edge.prod.fortisase.com:443 --cookie-on-stdin
DEBUG: ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG: openfortivpn 1.22.1
DEBUG: revision unavailable
WARN: Could not load configuration file "/etc/openfortivpn/config" (No such file or directory).
DEBUG: Configuration host = "<reacted>.edge.prod.fortisase.com"
DEBUG: Configuration realm = ""
DEBUG: Configuration port = "443"
DEBUG: Configuration password = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing TLS connection
DEBUG: server_addr: 154.52.6.113
DEBUG: server_port: 443
DEBUG: gateway_ip: 154.52.6.113
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Setting minimum protocol version to: 0x303.
DEBUG: Set SNI for TLS handshake: <reacted>.edge.prod.fortisase.com
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=<redacted>
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=<redacted>
DEBUG: http_send:
GET /remote/index HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0
DEBUG: http_receive:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Oct 2024 17:42:39 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
147
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /remote/index
on this server.<P>
<P>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>
0
DEBUG: http_send:
GET /remote/fortisslvpn HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0
DEBUG: http_receive:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Oct 2024 17:42:39 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
14d
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /remote/fortisslvpn
on this server.<P>
<P>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>
0
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr: 154.52.6.113
DEBUG: server_port: 443
DEBUG: gateway_ip: 154.52.6.113
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Setting minimum protocol version to: 0x303.
DEBUG: Set SNI for TLS handshake: <reacted>.edge.prod.fortisase.com
DEBUG: Gateway certificate validation succeeded.
DEBUG: Retrieving configuration
DEBUG: http_send:
GET /remote/fortisslvpn_xml HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0
DEBUG: http_receive:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Oct 2024 17:42:42 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
151
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /remote/fortisslvpn_xml
on this server.<P>
<P>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>
ERROR: Could not get VPN configuration (HTTP status code).
INFO: Closed connection to gateway.
DEBUG: server_addr: 154.52.6.113
DEBUG: server_port: 443
DEBUG: gateway_ip: 154.52.6.113
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Setting minimum protocol version to: 0x303.
DEBUG: Set SNI for TLS handshake: <reacted>.edge.prod.fortisase.com
DEBUG: Gateway certificate validation succeeded.
DEBUG: http_send:
GET /remote/logout HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0
DEBUG: http_receive:
HTTP/1.1 307 Temporary Redirect
Date: Tue, 29 Oct 2024 17:42:45 GMT
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Location: https://login.microsoftonline.com/253415b6-4c2c-4044-9f44-436b6de06ef6/saml2?SAMLRequest=<redacted>&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=<redacted>
Content-Length: 0
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
INFO: Logged out.
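A troubleshooting aid for output like the above, added here as an example and not part of the original report or of openfortivpn: it pairs each request path with the status the gateway returned and masks session-bearing values before a log is shared. The sample log, its host names and its cookie value are constructed placeholders.

```python
import re

# Constructed sample in the shape of the `openfortivpn -v -v -v` output above
# (host, cookie and SAML values are made-up placeholders, not from the report).
SAMPLE = """\
DEBUG: Cookie: SVPNCOOKIE=EXAMPLEcookieVALUE
INFO: Authenticated.
DEBUG: http_send:
GET /remote/index HTTP/1.1
Host: vpn.example.invalid:443
Cookie: SVPNCOOKIE=EXAMPLEcookieVALUE
DEBUG: http_receive:
HTTP/1.1 403 Forbidden
DEBUG: http_send:
GET /remote/logout HTTP/1.1
Cookie: SVPNCOOKIE=EXAMPLEcookieVALUE
DEBUG: http_receive:
HTTP/1.1 307 Temporary Redirect
Location: https://idp.example.invalid/saml2?SAMLRequest=AAAA&SigAlg=x&Signature=BBBB
"""

REQUEST = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3}) ")
SECRET = re.compile(r"\b(SVPNCOOKIE|SAMLRequest|Signature)=[^;&\s]+")

def summarize(log):
    """Pair each request line after http_send with the next response status."""
    pairs, pending, mode = [], None, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("DEBUG: http_send"):
            mode = "send"
        elif line.startswith("DEBUG: http_receive"):
            mode = "recv"
        elif mode == "send" and (m := REQUEST.match(line)):
            pending, mode = m.group(2), None
        elif mode == "recv" and (m := STATUS.match(line)):
            pairs.append((pending, int(m.group(1))))
            pending, mode = None, None
    return pairs

def redact(log):
    """Mask cookie and SAML parameter values; empty values are left alone."""
    return SECRET.sub(lambda m: m.group(1) + "=<redacted>", log)

if __name__ == "__main__":
    for path, status in summarize(SAMPLE):
        print(status, path)
```
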