Mobile VPN with SSL: 403 Forbidden error
Hello,
I've recently configured SSLVPN with SAML authentication using this guide:
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html
From time to time, our users get the following 403 error (especially the first time they are authenticating; thereafter it happens sporadically).
In the Firewall, I found the following relevant logs:
,C03904C857A4C,db,"FWStatus, dnip_earlydrop_process, DNIP number of office.com has decreased below WATERMARK[250], pri=3, proc_id=fqdnd, msg_id=",15256985,2025-01-07 11:23:21
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 18 : self-signed certificate) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272496,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15273869,2025-01-07 11:28:58
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:29:31 [error] 7211$0: *112997 directory index of ""/usr/share/web/none/"" is forbidden, client: XX.XXX.XXX.XXX, server: , pri=3, proc_id=wrapper, msg_id=",15275559,2025-01-07 11:29:31
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15278171,2025-01-07 11:30:20
,C03904C857A4C,db,"FWStatus, ACS: no client associated for the request, pri=3, proc_id=samld, msg_id=",15282057,2025-01-07 11:31:43
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:31:44 [error] 7211$0: *113003 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: XX.XXX.XXX.XXX, server: , pri=3, proc_id=wrapper, msg_id=",15282070,2025-01-07 11:31:44
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:32:02 [error] 7211$0: *113006 directory index of ""/usr/share/web/none/"" is forbidden, client: XX.XXX.XXX.XXX, server: , pri=3, proc_id=wrapper, msg_id=",15282654,2025-01-07 11:32:02
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15284911,2025-01-07 11:32:54
,C03904C857A4C,db,"FWStatus, nginx: 2025/01/07 12:33:12 [error] 7211$0: *113013 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: XX.XXX.XXX.XXX, server: , pri=3, proc_id=wrapper, msg_id=",15285738,2025-01-07 11:33:12
,C03904C857A4C,db,"FWStatus, ACS: user john.doe@company.com from sslvpn_client logged in, pri=6, proc_id=samld, msg_id=",15285737,2025-01-07 11:33:12
I'm most interested in the error entries regarding the certificate:
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,C03904C857A4C,db,"FWStatus, Peer certificate preverify failed (err 18 : self-signed certificate) for [/C:US/ST:California/L:Menlo Park/O:Internet.org/CN:*.internet.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272496,2025-01-07 11:28:33
I've tried to update the Trusted CA certificates for proxies in the Firebox System Manager, but as far as I can tell there is no certificate which responds to this description.
The other error which happens a lot (also at other times) is this one:
,C03904C857A4C,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58
I also got a similar Fault report - I've sent it to WatchGuard but I'm not sure what else I could do with this.
So to summarize: how could I resolve this 403 error which happens from time to time?
FYI I'm using Mobile VPN with SSL client 12.11
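The log export in the post has a regular shape (an empty leading field, the Firebox serial, "db", a quoted FWStatus message carrying pri/proc_id/msg_id, a record id and a timestamp), so the "403 Forbidden Invalid Session" signature can be pulled out of a large export automatically instead of by eye: a samld "ACS: no client associated for the request" record followed within a short window by the nginx "directory index ... is forbidden" error. The script below is an added example written for this thread, not code from WatchGuard or from any poster; the row layout follows the export in the post, while the sample rows, the serial placeholder, the IP addresses and the user name are constructed.

```python
"""Parse a Firebox log export shaped like the one in the post and flag the
SAML / 403 "Invalid Session" signature.

Added example, not WatchGuard code. The row layout is modelled on the post's
export; every sample row, serial, IP and name below is constructed.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample export, six rows in the same shape as the post's export.
SAMPLE_EXPORT = '''\
,SERIALXXXXXXX,db,"FWStatus, FQDND:idomain_ip_refresh_complete::1716: Assertion failed!, pri=3, proc_id=fqdnd, msg_id=",15267913,2025-01-07 11:26:58
,SERIALXXXXXXX,db,"FWStatus, Peer certificate preverify failed (err 10 : certificate has expired) for [/CN:*.example.org] (cert 0x2eb2fc90, store 0x2dc1a8c0), pri=3, proc_id=pxy, msg_id=",15272497,2025-01-07 11:28:33
,SERIALXXXXXXX,db,"FWStatus, ACS: no client associated for the request, pri=3, proc_id=samld, msg_id=",15282057,2025-01-07 11:31:43
,SERIALXXXXXXX,db,"FWStatus, nginx: 2025/01/07 12:31:44 [error] 7211$0: *113003 open() ""/usr/share/web/none/favicon.ico"" failed (2: No such file or directory), client: 203.0.113.10, server: , pri=3, proc_id=wrapper, msg_id=",15282070,2025-01-07 11:31:44
,SERIALXXXXXXX,db,"FWStatus, nginx: 2025/01/07 12:32:02 [error] 7211$0: *113006 directory index of ""/usr/share/web/none/"" is forbidden, client: 203.0.113.10, server: , pri=3, proc_id=wrapper, msg_id=",15282654,2025-01-07 11:32:02
,SERIALXXXXXXX,db,"FWStatus, ACS: user john.doe@example.com from sslvpn_client logged in, pri=6, proc_id=samld, msg_id=",15285737,2025-01-07 11:33:12
'''

FIELD_RE = re.compile(r", (pri|proc_id|msg_id)=([^,]*)")
CLIENT_RE = re.compile(r"client: ([\d.]+)")


def parse_export(text):
    """Return one dict per row: timestamp, proc_id, pri and the bare message body."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # blank or partial row
        quoted, ts = row[3], row[5].strip()
        fields = dict(FIELD_RE.findall(quoted))
        # body = text after the "FWStatus, " prefix and before the ", pri=" suffix
        body = quoted.split(", ", 1)[1] if ", " in quoted else quoted
        body = body.split(", pri=", 1)[0]
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "proc_id": fields.get("proc_id", ""),
            "pri": int(fields.get("pri") or 7),
            "msg": body,
        })
    return records


SIGNATURES = [
    # samld received a SAML response it could not tie to a pending VPN/portal session
    ("saml_no_client", re.compile(r"^ACS: no client associated for the request")),
    ("saml_login_ok",  re.compile(r"^ACS: user \S+ from \S+ logged in")),
    # the nginx error behind the browser's "403 Forbidden" page
    ("nginx_403",      re.compile(r'directory index of "/usr/share/web/none/" is forbidden')),
    ("cert_preverify", re.compile(r"^Peer certificate preverify failed \(err \d+")),
    ("fqdnd_assert",   re.compile(r"^FQDND:.*Assertion failed!")),
]


def classify(msg):
    """Return the signature name for a message body, or 'other'."""
    for name, rx in SIGNATURES:
        if rx.search(msg):
            return name
    return "other"


def summarize(records):
    """Count records per signature, to see how often the 403 actually recurs."""
    return Counter(classify(r["msg"]) for r in records)


def find_invalid_session_events(records, window_seconds=60):
    """Pair each samld 'no client associated' record with the next nginx 403
    within window_seconds; the client IP is taken from the nginx row."""
    events, pending = [], None
    for rec in sorted(records, key=lambda r: r["time"]):
        kind = classify(rec["msg"])
        if kind == "saml_no_client":
            pending = rec
        elif kind == "nginx_403" and pending is not None:
            delta = (rec["time"] - pending["time"]).total_seconds()
            if delta <= window_seconds:
                m = CLIENT_RE.search(rec["msg"])
                events.append({"acs_time": pending["time"],
                               "client": m.group(1) if m else None,
                               "seconds_after": delta})
            pending = None
    return events


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for kind, n in sorted(summarize(recs).items()):
        print(f"{kind:16} {n}")
    for ev in find_invalid_session_events(recs):
        print(f"invalid-session 403 from {ev['client']} "
              f"{ev['seconds_after']:.0f}s after ACS rejection at {ev['acs_time']}")
```

Feed it a real export by reading the file into `parse_export` instead of `SAMPLE_EXPORT`. The pairing window is deliberately short: the nginx 403 is logged when the browser lands on the ACS page with no matching session, so a 403 that appears minutes after the samld message is more likely an unrelated hit on the portal root (the favicon and other "open() failed" rows are classified as "other" for the same reason).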
Comments
Hi @wouterVE
I'd suggest opening a support case for this issue. You can do so via the support center link at the top right of this page.
-James Carson
WatchGuard Customer Support
I experienced this issue when the server name used in the Mobile VPN client did not match the host name in the SAML configuration. A prime example would be using the IP address in the Mobile VPN client while the SAML configuration uses a FQDN.
Please ensure the Mobile VPN client is connecting to the identical value of the Host Name in the SAML configuration and see if it resolves the issue.
Hi @james.carson
Thanks for your suggestion, I've submitted a support case.
@John_Sells
I've checked and the clients are using the correct FQDN as configured in the SAML configuration (i.e. https://connect.company.com). When they encounter this error and immediately try again with the same parameters, it does succeed, so there must be something else on the server side imo.
I did notice something in Entra in the single sign-on config (Enterprise applications -> WatchGuard VPN -> Single sign-on -> 5) Test single sign-on with WatchGuard).
When I perform this test in an unsupported browser (e.g. Firefox) I get the exact same "403 Forbidden: Invalid session" error as in my first screenshot.
The URL of this page is https://connect.company.com/auth/saml/acs
So I'm wondering whether this is something client related after all? e.g. that the underlying browser to show this pop-up is not the correct version or something like that?
Hey @wouterVE any update on this from support? We just rolled out SAML authentication and are seeing the same issue with some users. Same logs, etc. I just opened a ticket but wondered if you have come to a conclusion since you beat me to it by about 20 days.
Hi @netwatch2077
No, we haven't found a real conclusion. They suggested that the users were using the IP instead of the URL which leads to this error (you can try it yourself).
Not sure whether this is the real cause as I've witnessed users logging in using the URL and receiving this same error. Anyway, we are now 1 month into deployment and haven't received many reports of this error anymore. I think it happens especially the first time users are authenticating. After this, it seldom re-appears.
I'd be happy to receive updates from your side if you've found a real cause
@wouterVE and @netwatch2077 - I seem to be having the same issue on an M270 just upgraded to 12.11. I even factory reset the device with a fresh config, enabled SSLVPN with Firebox-DB as the authentication source, and even then, I only get a 403 Forbidden page when trying to access the SSLVPN signin page. Please post if you end up finding any solution. I will also be opening a case with WatchGuard support.
See this Known Issue:
On Fireboxes that run Fireware v12.11, IDP-initiated SAML logins to the Access Portal fail.
Access Portal logins fail in 12.11 with "403 Forbidden Invalid Session" error
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr0000009hc1KAA&lang=en_US
In Traffic Monitor, you see this log message:
2024-11-14 08:29:21 samld ACS: no client associated for the request Debug
In the web browser, you see this error message:
403 Forbidden Invalid Session
To work around this issue:
Hi,
As mentioned here https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/mvpn_client_ssl.html , "In Fireware v12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox", so you need to download the new client from WatchGuard and update it on your computer to connect successfully with the 12.11 firmware.
Today, I've noticed there is a new firmware available 12.11.1 and according to the release notes, this problem should be solved.
(this is the same FBX as @Bruce_Briggs mentioned earlier)
So I guess we should upgrade our firewall to solve this issue.
It would be the first time I'll do this manually - does the firewall need a reboot after installation?
The firewall will automatically reboot as part of a firmware upgrade.
I think this issue is still not resolved - in the logs I am getting the following, and we have v12.11.1 installed and rebooted.
2025-02-19 16:04:30 M2-ORIGINAL-PASSIVE wrapper nginx: 2025/02/19 16:04:30 [error] 4910#0: *58980 directory index of "/usr/share/web/none/" is forbidden, client: xxxxxxxxxxx server: Debug
Hi @Gee,
I'd suggest opening a support case via the support center button at the top right of the page.
-James Carson
WatchGuard Customer Support
Gee - Any update on your wrapper nginx error? We have the same thing since the upgrade.
@Gee @Matt_FTS
OK, so you both still receive the same 403 Forbidden error from time to time when logging in? I haven't updated yet - guess I'll wait for a while.
We are also newly running into the same error logs while trying to access the OWA through the Access Portal. Version 12.11.1
2025-03-20 11:34:10 Master wrapper nginx: 2025/03/20 11:34:10 [error] 10182#0: *25168 directory index of "/usr/share/web/none/" is forbidden, client: 172.56.11.81, server:
Hi @RACR
I'd suggest opening a support case. You can do so via the support center link at the top right of this page.
There's quite a few moving parts with on-prem OWA via the access portal.
-James Carson
WatchGuard Customer Support
Did anyone get to the bottom of this?
I have seen this error myself on two different firewalls now. The first time I raised a support call it suddenly just started working so I never found out what the fix was.
I am seeing it again now on another one that we are trying to roll out SAML to.
Just wondered if anyone could help before I raise a support ticket.
Seems like a very unstable recurring bug to me.
Hi @SmoothOperator
There's quite a few moving pieces, so many of these situations are unique. If you haven't done so, I'd suggest opening a support case.
-James Carson
WatchGuard Customer Support
@SmoothOperator
I'm still on 12.11 but I have the impression this error only occurs once per user. In the last months, I haven't had any complaints from users. Only last week I've noticed for a new user the same error popped up on his first login attempt, but that's the only thing.
So my guess is it's only rocky when you deploy this SAML auth, but once all users have logged in at least once, the problem sort of 'disappears'.
kr
wouter
I am seeing this error in the Fireware logs running Fireware 12.11.4 and the 12.11.4 SSLVPN client, and no SAML setup.