Bug 509167

Summary: Network Manager's openconnect anyconnect plugin stoped to work with oath2 in Palo Alto Firewall
Product: [Applications] systemsettings Reporter: Alan Aguinaga <alansenairj>
Component: kcm_networkmanagementAssignee: Plasma Bugs List <plasma-bugs>
Status: NEEDSINFO WAITINGFORINFO    
Severity: grave CC: jgrulich, nate
Priority: NOR    
Version First Reported In: 6.4.4   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: problem

Description Alan Aguinaga 2025-09-05 16:44:10 UTC 
SUMMARY

After PaloAlto OS update, oauth2 stoped to receive token and log in at VPN. It was working well one day earlier but before that update it stoped to work. 

It needs to be configured to get 2 facts auth by microsoft. It opens an window but gets error. 
There are no problem at Firewall because GlobalProtect-openconnect client works. Networkmanager link don't. 

STEPS TO REPRODUCE
1. you must test with palo alto and 2 fact enabled. Log to latest Paloalto Firewall version
2. connect to the portal
3. enter your password at Microsoft's Windows


OBSERVED RESULT
4. Get error:
"Authentication Failed
Please contact the administrator for further assistance
Server info:
Error code: -1"

EXPECTED RESULT
Login and minimize window dialog of microsoft

SOFTWARE/OS VERSIONS

Linux/KDE Plasma:  Fedora 42
KDE Plasma Version: 6.4.4
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
trying to debug 
sudo openconnect  --useragent=AnyConnect my.vpm.portal.com --protocol=anyconnect --dump-http-traffic -vvv                     ░▒▓ 1 ✘  12:42:19  
POST https://my.vpm.portal.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 00000000000000000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 401
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version who="vpn">v9.12.git.231.c327bdf-0.fc42</version><device-id>linux-64</device-id><capabilities><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://my.vpm.portal.com/</group-access></config-auth>
Got HTTP response: HTTP/1.1 302 Found
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 173
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: /global-protect/login.esp
Set-Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (173)
< <script LANGUAGE="JavaScript">
< window.location="/global-protect/login.esp";
< </script>
< <html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
< 
GET https://my.vpm.portal.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> GET / HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
> 
Got HTTP response: HTTP/1.1 302 Found
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 173
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: /global-protect/login.esp
Set-Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (173)
< <script LANGUAGE="JavaScript">
< window.location="/global-protect/login.esp";
< </script>
< <html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
< 
GET https://my.vpm.portal.com/global-protect/login.esp
> GET /global-protect/login.esp HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
> 
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 676
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a9ac43d4-da1e-42f1-b7b9-066416d00777; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (676)
< <html>
<     <script>window.location="https:\/\/login.microsoftonline.com\/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4\/saml2?SAMLRequest=lZLBasMwDIZfJfie2HWSZjVNIGsPK3QsNNkOuwzbUVpDYne2M%2Fb4a9qNdZfCQBehn0%2FSLy0dH%2FojK0d%2F0Dt4H8H54HPotWPnQo5Gq5nhTjmm%2BQCOecnq8nHLaETY0RpvpOlRUDoH1iujV0a7cQBbg%2F1QEp532xwdvD86hjEfPWivJI9GrQZoxSGSZoiEZUkS44lKCa4rXK5qFKxPkyjNJ%2BYvoTd7paNBSWuc6bzRvdIwQXCcxVnbdllIxJyESZfFIScSQsoFpEIsEtkleFqJomCzztGbaEF0p2hnouMpyWJIZcwFuaOLWSszOMmcG2Gjnefa54gSmoZkEZK0mc0ZIYxmryiovh24V7pVen%2FbLnEROfbQNFVYPdUNCl7AuvOKJwEqltOE7NzYXp3hNpb%2FeI%2BKfzq9xFf9ikv29xeKLw%3D%3D\u0026RelayState=SHgAAGBgtmhhOWFjNDNkNC1kYTFlLTQyZjEtYjdiOS0wNjY0MTZkMDA3Nzcw";</script></html>
XML response has no "auth" node
Failed to complete authentication

 sudo openconnect --useragent=AnyConnect --cookieonly my.vpm.portal.com                                                          ░▒▓ ✔  13:02:37  
POST https://my.vpm.portal.com/
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://my.vpm.portal.com/
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://my.vpm.portal.com/global-protect/login.esp
XML response has no "auth" node
Failed to complete authentication

### crashing because it is not accepting and getting token from server:
sudo journalctl -f -u NetworkManager.service
Sep 05 13:13:26 z390 NetworkManager[1545]: <warn>  [1757088806.7058] vpn[0x555aa6169db0,c20e09aa-ac30-465b-9e56-8795e419563b,"UNIMEDBH"]: secrets: failed to request VPN secrets #3: User canceled the secrets request.
Sep 05 13:13:26 z390 NetworkManager[1545]: <debug> [1757088806.7059] vpn[0x555aa6169db0,c20e09aa-ac30-465b-9e56-8795e419563b,"UNIMEDBH"]: set state: failed (was need-auth)

# viewlog checkbox not working well but: 

POST https://myfirewall.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with myfirewall.com
Connected to HTTPS on myfirewall.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 05 Sep 2025 16:41:41 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1592
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=dd766cbe-8af3-4142-b64a-488b58ea273e; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (1592)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4/saml2?SAMLRequest=lZJNa8MwDIb%2FSvA9sfPdmiaQtYcVOhaabIddhu0orSGxO9sZ%2B%2Flr2o1tl8JAF6GXR9IrrSwbhxOtJndUe3ibwDrvYxyUpZdCgSajqGZWWqrYCJY6QZvqYUejgNCT0U4LPSCvshaMk1qttbLTCKYB8y4FPO13BTo6d7IUYzY5UE4KFkxKjtDxYyD0GHBDkyTGMzUiuKlxtW6QtzlPIhWbmT%2BEQR%2BkCkYpjLa6d1oNUsEMwXEe513X5z7hGfGTPo99RgT4EeOQcr5MRJ%2FgeaUIedtNgV4h68MFX0K4SCORAwkZi3gKIhVdR9IsPsusnWCrrGPKFSgiUeqTpU%2FSNsxoEp7jBXn1lwN3UnVSHW7bxa8iS%2B%2Fbtvbrx6ZF3jMYe1nxLEDlap6QXhqbX2e4jWXf3qPyn06v8K9%2B5TX7%2BwvlJw%3D%3D&RelayState=3nkAAGBgtmhkZDc2NmNiZS04YWYzLTQxNDItYjY0YS00ODhiNThlYTI3M2Uw
POST https://myfirewall.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 512 status code 512
Date: Fri, 05 Sep 2025 16:41:42 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=7f28b4fd-49bc-47e0-8fb9-863b296c9355; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
X-Private-Pan-Globalprotect: auth-failed
HTTP body length:  (0)
Unexpected empty response body from server

Authentication Failed
Please contact the administrator for further assistance
Server info:
Error code: -1
Comment 1 Alan Aguinaga 2025-09-05 16:51:01 UTC 
Created attachment 184753 [details]
problem

error screen
Comment 2 Nate Graham 2025-09-26 14:58:10 UTC 
What is PaloAlto OS? Can you describe the operating environment? Is it a home machine or a work machine? Is there in fact a system adminstrator you can contact for assistance?