https://bugs.kde.org/show_bug.cgi?id=509167
Bug ID: 509167
Summary: Network Manager's openconnect anyconnect plugin stopped
working with OAuth2 on Palo Alto Firewall
Classification: Applications
Product: systemsettings
Version First Reported In: 6.4.4
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: grave
Priority: NOR
Component: kcm_networkmanagement
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
SUMMARY
After the Palo Alto OS update, OAuth2 stopped receiving a token and logging in to the VPN. It
was working well one day earlier, but after that update it stopped working.
It needs to be configured to get two-factor auth by Microsoft. It opens a window
but gets an error.
There is no problem at the firewall because the GlobalProtect-openconnect client
works. The NetworkManager link doesn't.
STEPS TO REPRODUCE
1. You must test with Palo Alto and two-factor enabled. Log in to the latest Palo Alto
Firewall version.
2. Connect to the portal.
3. Enter your password in Microsoft's window.
OBSERVED RESULT
4. Get the error:
"Authentication Failed
Please contact the administrator for further assistance
Server info:
Error code: -1"
EXPECTED RESULT
Log in and minimize the Microsoft dialog window.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 42
KDE Plasma Version: 6.4.4
KDE Frameworks Version:
Qt Version:
ADDITIONAL INFORMATION
Trying to debug:
sudo openconnect --useragent=AnyConnect my.vpm.portal.com --protocol=anyconnect --dump-http-traffic -vvv
POST https://my.vpm.portal.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey:
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey:
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 00000000000000000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 401
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version
> who="vpn">v9.12.git.231.c327bdf-0.fc42</version><device-id>linux-64</device-id><capabilities><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://my.vpm.portal.com/</group-access></config-auth>
Got HTTP response: HTTP/1.1 302 Found
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 173
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: /global-protect/login.esp
Set-Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7; Path=/; SameSite=Lax;
HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (173)
< <script LANGUAGE="JavaScript">
< window.location="/global-protect/login.esp";
< </script>
< <html><head></head><body><p>JavaScript must be enabled to
continue!</p></body></html>
<
GET https://my.vpm.portal.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> GET / HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey:
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey:
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
>
Got HTTP response: HTTP/1.1 302 Found
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 173
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: /global-protect/login.esp
Set-Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7; Path=/; SameSite=Lax;
HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (173)
< <script LANGUAGE="JavaScript">
< window.location="/global-protect/login.esp";
< </script>
< <html><head></head><body><p>JavaScript must be enabled to
continue!</p></body></html>
<
GET https://my.vpm.portal.com/global-protect/login.esp
> GET /global-protect/login.esp HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey:
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey:
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
>
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 676
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a9ac43d4-da1e-42f1-b7b9-066416d00777; Path=/; SameSite=Lax;
HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (676)
< <html>
<
<script>window.location="https:\/\/login.microsoftonline.com\/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4\/saml2?SAMLRequest=lZLBasMwDIZfJfie2HWSZjVNIGsPK3QsNNkOuwzbUVpDYne2M%2Fb4a9qNdZfCQBehn0%2FSLy0dH%2FojK0d%2F0Dt4H8H54HPotWPnQo5Gq5nhTjmm%2BQCOecnq8nHLaETY0RpvpOlRUDoH1iujV0a7cQBbg%2F1QEp532xwdvD86hjEfPWivJI9GrQZoxSGSZoiEZUkS44lKCa4rXK5qFKxPkyjNJ%2BYvoTd7paNBSWuc6bzRvdIwQXCcxVnbdllIxJyESZfFIScSQsoFpEIsEtkleFqJomCzztGbaEF0p2hnouMpyWJIZcwFuaOLWSszOMmcG2Gjnefa54gSmoZkEZK0mc0ZIYxmryiovh24V7pVen%2FbLnEROfbQNFVYPdUNCl7AuvOKJwEqltOE7NzYXp3hNpb%2FeI%2BKfzq9xFf9ikv29xeKLw%3D%3D\u0026RelayState=SHgAAGBgtmhhOWFjNDNkNC1kYTFlLTQyZjEtYjdiOS0wNjY0MTZkMDA3Nzcw";</script></html>
XML response has no "auth" node
Failed to complete authentication
sudo openconnect --useragent=AnyConnect --cookieonly my.vpm.portal.com
POST https://my.vpm.portal.com/
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://my.vpm.portal.com/
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://my.vpm.portal.com/global-protect/login.esp
XML response has no "auth" node
Failed to complete authentication
### Crashing because it is not accepting and getting a token from the server:
sudo journalctl -f -u NetworkManager.service
Sep 05 13:13:26 z390 NetworkManager[1545]: <warn> [1757088806.7058]
vpn[0x555aa6169db0,c20e09aa-ac30-465b-9e56-8795e419563b,"UNIMEDBH"]: secrets:
failed to request VPN secrets #3: User canceled the secrets request.
Sep 05 13:13:26 z390 NetworkManager[1545]: <debug> [1757088806.7059]
vpn[0x555aa6169db0,c20e09aa-ac30-465b-9e56-8795e419563b,"UNIMEDBH"]: set state:
failed (was need-auth)
# The viewlog checkbox is not working well, but:
POST
https://myfirewall.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with myfirewall.com
Connected to HTTPS on myfirewall.com with ciphersuite
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 05 Sep 2025 16:41:41 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1592
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=dd766cbe-8af3-4142-b64a-488b58ea273e; Path=/; SameSite=Lax;
HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (1592)
SAML REDIRECT authentication is required via
https://login.microsoftonline.com/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4/saml2?SAMLRequest=lZJNa8MwDIb%2FSvA9sfPdmiaQtYcVOhaabIddhu0orSGxO9sZ%2B%2Flr2o1tl8JAF6GXR9IrrSwbhxOtJndUe3ibwDrvYxyUpZdCgSajqGZWWqrYCJY6QZvqYUejgNCT0U4LPSCvshaMk1qttbLTCKYB8y4FPO13BTo6d7IUYzY5UE4KFkxKjtDxYyD0GHBDkyTGMzUiuKlxtW6QtzlPIhWbmT%2BEQR%2BkCkYpjLa6d1oNUsEMwXEe513X5z7hGfGTPo99RgT4EeOQcr5MRJ%2FgeaUIedtNgV4h68MFX0K4SCORAwkZi3gKIhVdR9IsPsusnWCrrGPKFSgiUeqTpU%2FSNsxoEp7jBXn1lwN3UnVSHW7bxa8iS%2B%2Fbtvbrx6ZF3jMYe1nxLEDlap6QXhqbX2e4jWXf3qPyn06v8K9%2B5TX7%2BwvlJw%3D%3D&RelayState=3nkAAGBgtmhkZDc2NmNiZS04YWYzLTQxNDItYjY0YS00ODhiNThlYTI3M2Uw
POST https://myfirewall.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 512 status code 512
Date: Fri, 05 Sep 2025 16:41:42 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=7f28b4fd-49bc-47e0-8fb9-863b296c9355; Path=/; SameSite=Lax;
HttpOnly; Secure
X-Frame-Options: DENY
X-Private-Pan-Globalprotect: auth-failed
HTTP body length: (0)
Unexpected empty response body from server
Authentication Failed
Please contact the administrator for further assistance
Server info:
Error code: -1
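Added example (mine, not code from the reporter, openconnect or plasma-nm): a Python triage helper for the two kinds of `--dump-http-traffic` output seen above. It pulls the SAML IdP URL out of either the HTML/JS bounce the AnyConnect-protocol probe receives (`window.location="https:\/\/login.microsoftonline.com\/…"`) or the `SAML REDIRECT authentication is required via …` line logged from the GlobalProtect prelogin, unpacks the HTTP-Redirect-binding `SAMLRequest` (URL-decode, base64, raw DEFLATE) to show which IdP, Issuer and AssertionConsumerServiceURL the portal is asking the client to use, and flags the `512` + `X-Private-Pan-Globalprotect: auth-failed` answer from getconfig.esp. The log fragments, the zero tenant ID, the RelayState and the `/SAML20/SP` paths are constructed for the example, not taken from the report.

```python
"""Triage helper for `openconnect --dump-http-traffic` output against a GlobalProtect portal.

Added example for this bug report; not code from the reporter, openconnect or plasma-nm.
The log fragments, tenant ID, RelayState and SP/ACS paths below are constructed.
"""
import base64
import json
import re
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Shape 1: the AnyConnect-protocol probe gets an HTML body whose JS redirect carries the IdP URL
# as a JS string literal (with \/ and \u0026 escapes); openconnect then finds no <auth> node.
JS_REDIRECT = re.compile(r'window\.location\s*=\s*("(?:[^"\\]|\\.)*")')
# Shape 2: in the GlobalProtect flow, prelogin.esp makes openconnect log the IdP URL as text.
PRELOGIN_SAML = re.compile(r"SAML REDIRECT authentication is required via (\S+)")
# Shape 3: getconfig.esp answers 512 with PAN's auth-failed marker when the SAML leg did not stick.
AUTH_FAILED = re.compile(r"HTTP/1\.1 512.*?X-Private-Pan-Globalprotect:\s*auth-failed", re.S)


def idp_url_from_log(log: str) -> Optional[str]:
    """Return the SAML IdP URL the portal bounces the client to, or None if the log has none."""
    m = PRELOGIN_SAML.search(log)
    if m:
        return m.group(1)
    m = JS_REDIRECT.search(log)
    if m:
        # JSON string grammar accepts the same \/ and \uXXXX escapes as the JS literal.
        return json.loads(m.group(1))
    return None


def decode_saml_request(url: str) -> dict:
    """Unpack a SAML HTTP-Redirect-binding URL: URL-decode -> base64 -> raw DEFLATE -> AuthnRequest."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # wbits=-15: raw DEFLATE stream, no zlib header/checksum
    root = ET.fromstring(xml)
    issuer = root.find("saml:Issuer", SAML_NS)
    return {
        "idp_host": parts.hostname,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "relay_state": q.get("RelayState", [None])[0],
    }


def portal_rejected_session(log: str) -> bool:
    """True when getconfig.esp came back 512 with X-Private-Pan-Globalprotect: auth-failed."""
    return AUTH_FAILED.search(log) is not None


def triage(log: str) -> dict:
    """Summarise what the portal asked for and whether it then rejected the session."""
    url = idp_url_from_log(log)
    result = {"saml_required": url is not None, "auth_failed": portal_rejected_session(log)}
    if url is not None:
        result.update(decode_saml_request(url))
    return result


def encode_saml_request(xml: bytes) -> str:
    """Inverse of the unpacking in decode_saml_request; used only to build the sample URL."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(c.compress(xml) + c.flush()).decode(), safe="")


# --- constructed sample data (placeholder tenant, hypothetical SP paths) -----------------
SAMPLE_AUTHN = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" '
    b'IssueInstant="2025-09-05T16:00:27Z" '
    b'Destination="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2" '
    b'AssertionConsumerServiceURL="https://my.vpm.portal.com/SAML20/SP/ACS">'
    b'<saml:Issuer>https://my.vpm.portal.com/SAML20/SP</saml:Issuer></samlp:AuthnRequest>'
)
IDP_URL = ("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
           "?SAMLRequest=" + encode_saml_request(SAMPLE_AUTHN) + "&RelayState=SHgAAGBg")

# Mirrors the --protocol=anyconnect trace: HTML/JS bounce to the IdP, then "no auth node".
ANYCONNECT_LOG = (
    "Got HTTP response: HTTP/1.1 200 OK\n"
    "< <html>\n"
    "<script>window.location=" + json.dumps(IDP_URL).replace("/", "\\/").replace("&", "\\u0026")
    + ";</script></html>\n"
    'XML response has no "auth" node\n'
)
# Mirrors the GlobalProtect trace: prelogin.esp announces SAML, getconfig.esp answers 512.
GP_LOG = (
    "POST https://my.vpm.portal.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux\n"
    "SAML REDIRECT authentication is required via " + IDP_URL + "\n"
    "POST https://my.vpm.portal.com/global-protect/getconfig.esp\n"
    "Got HTTP response: HTTP/1.1 512 status code 512\n"
    "Content-Length: 0\n"
    "X-Private-Pan-Globalprotect: auth-failed\n"
    "Unexpected empty response body from server\n"
)

if __name__ == "__main__":
    for name, log in (("anyconnect-protocol probe", ANYCONNECT_LOG), ("globalprotect flow", GP_LOG)):
        print(name, triage(log))
```

Run it against a real dump by passing the captured text to `triage()`. Two things are worth checking in the result before blaming the client: `idp_host` should be the tenant you expect, and `acs_url` should point back at the portal host you connected to (an AuthnRequest that sends the assertion anywhere else is the kind of thing a relay or a misconfigured SP produces). Note also that the first trace in the report was taken with `--protocol=anyconnect`, which is why the portal answers with an HTML/JS bounce rather than the aggregate-auth XML that parser expects; the prelogin.esp/getconfig.esp trace is the one that matches the plugin's actual failure, and there the decisive signal is the `auth-failed` header on the empty 512 body.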