Bug 509167 - Network Manager's openconnect anyconnect plugin stopped working with oauth2 in Palo Alto Firewall
Status: REPORTED
Alias: None
Product: systemsettings
Classification: Applications
Component: kcm_networkmanagement (other bugs)
Version First Reported In: 6.4.4
Platform: Fedora RPMs Linux
Priority: NOR Severity: grave
Target Milestone: ---
Assignee: Plasma Bugs List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-09-05 16:44 UTC by Alan Aguinaga
Modified: 2025-10-24 04:16 UTC

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Attachments
problem (79.22 KB, image/png)
2025-09-05 16:51 UTC, Alan Aguinaga

Description Alan Aguinaga 2025-09-05 16:44:10 UTC
SUMMARY

After the PaloAlto OS update, oauth2 stopped receiving the token and logging in to the VPN. It was working well one day earlier, but before that update it stopped working.

It needs to be configured to get 2-factor auth from Microsoft. It opens a window but gets an error.
There is no problem at the firewall, because the GlobalProtect-openconnect client works. The NetworkManager link doesn't.

STEPS TO REPRODUCE
1. You must test with Palo Alto and 2-factor enabled. Log in to the latest Palo Alto Firewall version
2. Connect to the portal
3. Enter your password in Microsoft's window


OBSERVED RESULT
4. Get error:
"Authentication Failed
Please contact the administrator for further assistance
Server info:
Error code: -1"

EXPECTED RESULT
Log in and minimize Microsoft's dialog window

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: Fedora 42
KDE Plasma Version: 6.4.4
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
Trying to debug:
sudo openconnect --useragent=AnyConnect my.vpm.portal.com --protocol=anyconnect --dump-http-traffic -vvv
POST https://my.vpm.portal.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 00000000000000000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 401
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version who="vpn">v9.12.git.231.c327bdf-0.fc42</version><device-id>linux-64</device-id><capabilities><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://my.vpm.portal.com/</group-access></config-auth>
Got HTTP response: HTTP/1.1 302 Found
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 173
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: /global-protect/login.esp
Set-Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (173)
< <script LANGUAGE="JavaScript">
< window.location="/global-protect/login.esp";
< </script>
< <html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
< 
GET https://my.vpm.portal.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> GET / HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
> 
Got HTTP response: HTTP/1.1 302 Found
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 173
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: /global-protect/login.esp
Set-Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (173)
< <script LANGUAGE="JavaScript">
< window.location="/global-protect/login.esp";
< </script>
< <html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
< 
GET https://my.vpm.portal.com/global-protect/login.esp
> GET /global-protect/login.esp HTTP/1.1
> Host: my.vpm.portal.com
> User-Agent: AnyConnect
> Cookie: SESSID=4a1567b5-c871-4ae4-aab6-ba74462a59a7
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2olp6tzq5NjxNSAfskGBlBEW6P9NIEW+q0jm8IpVCZEw6jJ6dWyxAkgjqcLmyXz0nZfwmW3Fkbi+BEpgrUvv0A==
> X-AnyConnect-STRAP-DH-Pubkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KZ0ZH/C2zPNUlDBc+XgUbFO3DCXOVHTOfd5AaVcnZu1d0SlhVHOyZ8Zwz1SHpQCEl3mPwLKM7AVlfFodpGjgQ==
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
> 
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 05 Sep 2025 16:00:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 676
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a9ac43d4-da1e-42f1-b7b9-066416d00777; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (676)
< <html>
<     <script>window.location="https:\/\/login.microsoftonline.com\/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4\/saml2?SAMLRequest=lZLBasMwDIZfJfie2HWSZjVNIGsPK3QsNNkOuwzbUVpDYne2M%2Fb4a9qNdZfCQBehn0%2FSLy0dH%2FojK0d%2F0Dt4H8H54HPotWPnQo5Gq5nhTjmm%2BQCOecnq8nHLaETY0RpvpOlRUDoH1iujV0a7cQBbg%2F1QEp532xwdvD86hjEfPWivJI9GrQZoxSGSZoiEZUkS44lKCa4rXK5qFKxPkyjNJ%2BYvoTd7paNBSWuc6bzRvdIwQXCcxVnbdllIxJyESZfFIScSQsoFpEIsEtkleFqJomCzztGbaEF0p2hnouMpyWJIZcwFuaOLWSszOMmcG2Gjnefa54gSmoZkEZK0mc0ZIYxmryiovh24V7pVen%2FbLnEROfbQNFVYPdUNCl7AuvOKJwEqltOE7NzYXp3hNpb%2FeI%2BKfzq9xFf9ikv29xeKLw%3D%3D\u0026RelayState=SHgAAGBgtmhhOWFjNDNkNC1kYTFlLTQyZjEtYjdiOS0wNjY0MTZkMDA3Nzcw";</script></html>
XML response has no "auth" node
Failed to complete authentication

sudo openconnect --useragent=AnyConnect --cookieonly my.vpm.portal.com
POST https://my.vpm.portal.com/
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://my.vpm.portal.com/
Connected to 1.2.3.4:443
SSL negotiation with my.vpm.portal.com
Connected to HTTPS on my.vpm.portal.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://my.vpm.portal.com/global-protect/login.esp
XML response has no "auth" node
Failed to complete authentication

### Crashing because it is not accepting and getting the token from the server:
sudo journalctl -f -u NetworkManager.service
Sep 05 13:13:26 z390 NetworkManager[1545]: <warn>  [1757088806.7058] vpn[0x555aa6169db0,c20e09aa-ac30-465b-9e56-8795e419563b,"UNIMEDBH"]: secrets: failed to request VPN secrets #3: User canceled the secrets request.
Sep 05 13:13:26 z390 NetworkManager[1545]: <debug> [1757088806.7059] vpn[0x555aa6169db0,c20e09aa-ac30-465b-9e56-8795e419563b,"UNIMEDBH"]: set state: failed (was need-auth)

# The viewlog checkbox is not working well, but:

POST https://myfirewall.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with myfirewall.com
Connected to HTTPS on myfirewall.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 05 Sep 2025 16:41:41 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1592
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=dd766cbe-8af3-4142-b64a-488b58ea273e; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (1592)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4/saml2?SAMLRequest=lZJNa8MwDIb%2FSvA9sfPdmiaQtYcVOhaabIddhu0orSGxO9sZ%2B%2Flr2o1tl8JAF6GXR9IrrSwbhxOtJndUe3ibwDrvYxyUpZdCgSajqGZWWqrYCJY6QZvqYUejgNCT0U4LPSCvshaMk1qttbLTCKYB8y4FPO13BTo6d7IUYzY5UE4KFkxKjtDxYyD0GHBDkyTGMzUiuKlxtW6QtzlPIhWbmT%2BEQR%2BkCkYpjLa6d1oNUsEMwXEe513X5z7hGfGTPo99RgT4EeOQcr5MRJ%2FgeaUIedtNgV4h68MFX0K4SCORAwkZi3gKIhVdR9IsPsusnWCrrGPKFSgiUeqTpU%2FSNsxoEp7jBXn1lwN3UnVSHW7bxa8iS%2B%2Fbtvbrx6ZF3jMYe1nxLEDlap6QXhqbX2e4jWXf3qPyn06v8K9%2B5TX7%2BwvlJw%3D%3D&RelayState=3nkAAGBgtmhkZDc2NmNiZS04YWYzLTQxNDItYjY0YS00ODhiNThlYTI3M2Uw
POST https://myfirewall.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 512 status code 512
Date: Fri, 05 Sep 2025 16:41:42 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=7f28b4fd-49bc-47e0-8fb9-863b296c9355; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
X-Private-Pan-Globalprotect: auth-failed
HTTP body length:  (0)
Unexpected empty response body from server

Authentication Failed
Please contact the administrator for further assistance
Server info:
Error code: -1
Comment 1 Alan Aguinaga 2025-09-05 16:51:01 UTC
Created attachment 184753
problem

error screen
Comment 2 Nate Graham 2025-09-26 14:58:10 UTC
What is PaloAlto OS? Can you describe the operating environment? Is it a home machine or a work machine? Is there in fact a system administrator you can contact for assistance?
Comment 3 Bug Janitor Service 2025-10-11 03:47:44 UTC
🐛🧹 ⚠️ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME.

For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging.

Thank you for helping us make KDE software even better for everyone!
Comment 4 Alan Aguinaga 2025-10-11 19:16:43 UTC
(In reply to Nate Graham from comment #2)
> What is PaloAlto OS? Can you describe the operating environment? Is it a
> home machine or a work machine? Is there in fact a system administrator you
> can contact for assistance?

This is not a problem with the connection or the user itself, because the PaloAlto app and gpclient work. Only NetworkManager does not work, and the PaloAlto is using the latest version. After the firewall update, SAML stopped passing something to the internal NetworkManager browser to accept connections.

Last log:


POST https://a.b.c/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with myserver.com
Connected to HTTPS on myserver.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 11 Oct 2025 18:57:52 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1592
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=4f22744a-251e-492b-96f4-4076a8b106cf; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length:  (1592)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/3737ddf7-0b60-4f73-a0ce-2abe5bb94cf4/saml2?SAMLRequest=lZLNboMwEIRfBfkOmH9qBSSaHBopVVGgPfRS2cYklsBOvabq4xeSVk0vkXpc7eib3dldAR2HE6kme1R78T4JsM7nOCgg50aBJqOIpiCBKDoKIJaTpnrckdDD5GS01VwPyKkAhLFSq7VWMI3CNMJ8SC6e97sCHa09AfF9OlmhrOTUm5QcRceOHtejxwyJ48hfqCH2m9qv1g1yNvMkUtGF%2BUsY9EEqb5TcaNC91WqQSiwQP8qirOv6zMUsxW7cZ5FLMRduSJlIGLuLeR%2F7y0ohcrabAr3hKM%2BCWcKyKE0wxj1L4ySPc5z2SdCLaJYBTGKrwFJlCxTiMHED7AZBG%2BQkyUgSviKn%2Fk7gXqpOqsPtuNhFBOShbWu3fmpa5LwIA%2BcVZwEqV8uE5Gxsrs5wG0t%2FskflP5Ne%2BVd%2B5aX6%2BwvlFw%3D%3D&RelayState=dFYEAGBgtmg0ZjIyNzQ0YS0yNTFlLTQ5MmItOTZmNC00MDc2YThiMTA2Y2Yw
POST https://myserver.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 512 status code 512
Date: Sat, 11 Oct 2025 18:57:53 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a0dcf005-b2ff-4acc-a6bb-abce6832a457; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
X-Private-Pan-Globalprotect: auth-failed
HTTP body length:  (0)
Unexpected empty response body from server

The NetworkManager plugin to open a browser dialog is not working. I got administrator help, and my user can log in using https://github.com/yuezk/GlobalProtect-openconnect
NetworkManager used to work and pass auth to the mini browser, but now it has stopped working.
And my other notebook with a clean install is not working either.

What log or info do you need to get?
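As an added triage helper (not code from the report, openconnect or NetworkManager), the script below reads an openconnect -vvv trace of the shape posted in the description and in comment 4 and classifies it: the prelogin.esp, SAML redirect, getconfig.esp 512 with X-Private-Pan-Globalprotect: auth-failed sequence, and the description's first trace, where --protocol=anyconnect was answered with /global-protect/ pages and then "no auth node". The sample log lines are constructed in the shape of the report's output; hostnames, tenant id and SAML values are placeholders.

```python
import re

# Constructed sample shaped like the NetworkManager "view log" output in the report; tenant and SAML values are placeholders.
SAMPLE_GP_LOG = """\
POST https://myfirewall.example/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Got HTTP response: HTTP/1.1 200 OK
SAML REDIRECT authentication is required via https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2?SAMLRequest=REQ-PLACEHOLDER&RelayState=RELAY-PLACEHOLDER
POST https://myfirewall.example/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 512 status code 512
X-Private-Pan-Globalprotect: auth-failed
Unexpected empty response body from server
"""

# Constructed sample shaped like the report's first trace: --protocol=anyconnect answered with GlobalProtect pages.
SAMPLE_ANYCONNECT_LOG = """\
POST https://my.vpm.portal.example/
Got HTTP response: HTTP/1.1 302 Found
Location: /global-protect/login.esp
GET https://my.vpm.portal.example/global-protect/login.esp
Got HTTP response: HTTP/1.1 200 OK
XML response has no "auth" node
Failed to complete authentication
"""

GP_PATH = re.compile(r"(?:(?:GET|POST) https?://[^/]+|Location: )(/global-protect/[^?\s]+)")
STATUS = re.compile(r"Got HTTP response: HTTP/1\.[01] (\d{3})")
SAML = re.compile(r"SAML REDIRECT authentication is required via (\S+)")

def triage_openconnect_log(text):
    """Summarise an openconnect -vvv trace of a GlobalProtect SAML login attempt."""
    t = {"statuses": [], "gp_paths": [], "saml_idp": None,
         "auth_failed_header": False, "no_auth_node": False, "verdict": "unclassified"}
    for line in text.splitlines():
        if m := GP_PATH.match(line):          # /global-protect/* paths identify a GlobalProtect portal
            t["gp_paths"].append(m.group(1))
        elif m := STATUS.match(line):
            t["statuses"].append(int(m.group(1)))
        elif m := SAML.match(line):           # prelogin.esp told the client to go to the IdP
            t["saml_idp"] = m.group(1)
        elif line.startswith("X-Private-Pan-Globalprotect: auth-failed"):
            t["auth_failed_header"] = True
        elif line.startswith('XML response has no "auth" node'):
            t["no_auth_node"] = True
    if t["auth_failed_header"] and 512 in t["statuses"]:
        t["verdict"] = "saml-not-completed"   # getconfig.esp rejected the login: no completed SAML result
    elif t["no_auth_node"] and t["gp_paths"]:
        t["verdict"] = "protocol-mismatch"    # AnyConnect-style client parsing GlobalProtect HTML
    elif t["saml_idp"]:
        t["verdict"] = "saml-redirect-pending"
    return t
```

Run it over a real trace with `triage_openconnect_log(open("trace.log").read())` to see which of the two failure shapes from this report a new log matches.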
Comment 5 TraceyC 2025-10-20 23:08:08 UTC
"PAN-OS" is the software in question
https://docs.paloaltonetworks.com/pan-os
> PAN‑OS® is the software that runs all Palo Alto Networks® next-generation firewalls.

Unfortunately I don't have an account with PaloAlto to test with; I'll leave this for someone who does.