Mobile VPN with SSL: 403 Forbidden error

wouterVE

Hello,
I've recently configured SSLVPN with SAML authentication using this guide:
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html

From time to time, our users get the following 403 error (especially the first time they are authenthenticating, thereafter it happens sporadically)

In the Firewall, I found the following relevant logs:

,C03904C857A4C,db,"FWStatus, dnip_earlydrop_process, DNIP number of office.com has decreased below WATERMARK[250], pri=3, proc_id=fqdnd, msg_id=",15256985,2025-01-07 11:23:21
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 18 : self-signed certificate) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272496,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15273869,2025-01-07 11:28:58
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:29:31 [error] 7211$0: *112997 directory index of ""/usr/share/web/none/"" is forbidden, client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15275559,2025-01-07 11:29:31
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15278171,2025-01-07 11:30:20
,C03904C857A4C,db,"FWStatus, ACS: no client associated for the request, pri=3, proc_id=samld, msg_id=",15282057,2025-01-07 11:31:43
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:31:44 [error] 7211$0: *113003 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15282070,2025-01-07 11:31:44
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:32:02 [error] 7211$0: *113006 directory index of ""/usr/share/web/none/"" is forbidden, client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15282654,2025-01-07 11:32:02
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15284911,2025-01-07 11:32:54
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:33:12 [error] 7211$0: *113013 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: XX.XXX.XXX.XXX, server:  , pri=3, proc_id=wrapper, msg_id=",15285738,2025-01-07 11:33:12
,C03904C857A4C,db,"FWStatus, ACS: user john.doe@company.com from sslvpn_client logged in, pri=6, proc_id=samld, msg_id=",15285737,2025-01-07 11:33:12

I'm most interested in the error entries regarding the certificate:

,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 18 : self-signed certificate) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272496,2025-01-07 11:28:33

I've tried to update the Trusted CA certificates for proxies in the Firebox System Manager, but as far as I can tell there is no certificate which responds to this description.

The other error which happens a lot (also on other times) is this one:
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58

I also got a similar Fault report - I've sent it to watchguard but not sure what els I could do with this.

So to summarize: how could I resolve this 403 error which happens from time totime?

FYI I'm using Mobile VPN with SSL client 12.11

james.carson

Hi @wouterVE
I'd suggest opening a support case for this issue. You can do so via the support center link at the top right of this page.

John_Sells

I experienced this issue when the server name used in the Mobile VPN client did not match the host name in the SAML configuration. A prime example would be using the IP address in the Mobile VPN client while the SAML configuration uses a FQDN.

Please ensure the Mobile VPN client is connecting to the identical value of the Host Name in the SAML configuration and see if it resolves the issue.

wouterVE

Hi @james.carson
Thanks for your suggestion, I've submitted a support case.

@John_Sells
I've checked and the clients are using the correct FQDN as configured in the saml configuration (i.e. https://connect.company.com). When they encounter this error and immediately try again with the same paramaters, it does succeeds so there must be something else on the server side imo.

I did notice something on Entra on the singe sign on config (enterprise applications-> Watchguard vpn -> Single sign-on - 5) Test single sign-on with watchguard)

When I perform this test on an unsupported browser (e.g. firefox) I got the exact same 403 Forbidden: Invallid session error as in my first screenshot.

The URL of this page is https://connect.company.com/auth/saml/acs

So I'm wondering whether this is something client related after all? e.g. that the underlying browser to show this pop-up is not the correct version or something like that?

netwatch2077

Hey @wouterVE any update on this from support? We just rolled out SAML authentication and are seeing the same issue with some users. Same logs, etc. I just opened a ticket but wondered if you have come to a conclusion since you beat me to it by about 20 days.

wouterVE

Hi @netwatch2077
No, we haven't found a real conclusion. They suggested that the users were using the IP instead of the URL which leads to this error (you can try it yourself).
Not sure whether this is the real cause as I've witnessed users logging in using the URL and receiving this same error. Anyway, we are now 1 month into deployment and haven't received many reports of this error anymore. I think it happens especially the first time users are authenticating. After this, it seldom re-appears.

I'd be happy to receive updates from your side if you've found a real cause

P1Chris

@wouterVE and @netwatch2077 - I seem to be having the same issue on an M270 just upgraded to 12.11. I even factory reset the device with a fresh config, enabled SSLVPN with Firebox-DB as the authentication source, and even then, I only get a 403 Forbidden page when trying to access the SSLVPN signin page. Please post if you end up finding any solution. I will also be opening a case with WatchGuard support.

Bruce_Briggs

See this Known Issue:

On Fireboxes that run Fireware v12.11, IDP-initiated SAML logins to the Access Portal fail.

Access Portal logins fail in 12.11 with "403 Forbidden Invalid Session" error
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr0000009hc1KAA&lang=en_US

In Traffic Monitor, you see this log message:
2024-11-14 08:29:21 samld ACS: no client associated for the request Debug

In the web browser, you see this error message:
403 Forbidden Invalid Session

To workaround this issue:

In a web browser, go to the Access Portal URL (https://Host Name or Firebox IP address).
Select AuthPoint-SAML.
Type your email address or AuthPoint user name. Click Next.
If required, in the Password text box, type your password.
Click Send Push.
Approve the authentication request that is sent to your mobile device. You are logged in to the Access Portal.

nkhwr

@P1Chris said:
@wouterVE and @netwatch2077 - I seem to be having the same issue on an M270 just upgraded to 12.11. I even factory reset the device with a fresh config, enabled SSLVPN with Firebox-DB as the authentication source, and even then, I only get a 403 Forbidden page when trying to access the SSLVPN signin page. Please post if you end up finding any solution. I will also be opening a case with WatchGuard support.

Hi,

has mentioned here https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/mvpn_client_ssl.html , "In Fireware v12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox", then you need to download the new client from watchguard and update it on your computer to connect successfully with the 12.11 firmware

wouterVE

Today, I've noticed there is a new firmware available 12.11.1 and according to the release notes, this problem should be solved.

This release resolves an issue that caused a 403 Forbidden – Invalid Session message to appear when a user initiated SAML login from the IdP provider. [FBX-28458]

(this is the same FBX as @Bruce_Briggs mentioned earlier)

So I guess we should upgrade our firewall to solve this issue.

It would be the first time I'll do this manually - does the firewall needs a reboot after installation?

Bruce_Briggs

The firewall will automatically reboot as part of a firmware upgrade.

Gee

I think this issue is still not resolved - in the logs I am getting the following and we have v12.11.1 installed and rebooted

2025-02-19 16:04:30 M2-ORIGINAL-PASSIVE wrapper nginx: 2025/02/19 16:04:30 [error] 4910#0: *58980 directory index of "/usr/share/web/none/" is forbidden, client: xxxxxxxxxxx server: Debug

james.carson

Hi @Gee,

I'd suggest opening a support case via the support center button at the top right of the page.

Matt_FTS

Gee - Any update on your wrapper nginx error? We have the same thing since the upgrade.

wouterVE

@Gee @Matt_FTS
OK so you both still receive the same > 403 Forbidden error from time to time when logging in?

I haven't updated yet - guess I'll wait for a while.