https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/180748#M5022 <P>Mgmt R81.20</P> <P>I have setup Azure Identity provider for SAML authentication .</P> <P>When I try to connect i get prompted for Azure username/ password, then do my 2FA, then get redirected to a page that says VPN connection successful .</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-05-12_9-16-24.jpg" style="width: 934px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20890iFACB7F8A53F85518/image-size/large?v=v2&amp;px=999" role="button" title="2023-05-12_9-16-24.jpg" alt="2023-05-12_9-16-24.jpg" /></span></P> <P>However on the actual client i see that the connection failed with the following message</P> <P>"Negotiation with site failed"</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-05-12_8-43-20.jpg" style="width: 555px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20889i1BB7F3EE6BD59317/image-size/large?v=v2&amp;px=999" role="button" title="2023-05-12_8-43-20.jpg" alt="2023-05-12_8-43-20.jpg" /></span></P> <P><STRONG>I also checked azure sign logs and it shows a successful sign-on ,</STRONG></P> <P>Any ideas what could be the issue?</P> <P>I am using latest E87.30 vpn client software</P> <P>&nbsp;</P> Fri, 12 May 2023 14:18:02 GMT nflnetwork29 2023-05-12T14:18:02Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/180748#M5022 <P>Mgmt R81.20</P> <P>I have setup Azure Identity provider for SAML authentication .</P> <P>When I try to connect i get prompted for Azure username/ password, then do my 2FA, then get redirected to a page that says VPN connection successful .</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-05-12_9-16-24.jpg" style="width: 934px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20890iFACB7F8A53F85518/image-size/large?v=v2&amp;px=999" role="button" title="2023-05-12_9-16-24.jpg" alt="2023-05-12_9-16-24.jpg" /></span></P> <P>However on the actual client i see that the connection failed with the following message</P> <P>"Negotiation with site failed"</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-05-12_8-43-20.jpg" style="width: 555px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20889i1BB7F3EE6BD59317/image-size/large?v=v2&amp;px=999" role="button" title="2023-05-12_8-43-20.jpg" alt="2023-05-12_8-43-20.jpg" /></span></P> <P><STRONG>I also checked azure sign logs and it shows a successful sign-on ,</STRONG></P> <P>Any ideas what could be the issue?</P> <P>I am using latest E87.30 vpn client software</P> <P>&nbsp;</P> Fri, 12 May 2023 14:18:02 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/180748#M5022 nflnetwork29 2023-05-12T14:18:02Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/180753#M5023 <P>Personally, I would collect client logs and have a look, as well as below from gateway:</P> <P><SPAN>1) First, please set up the client side debug. (On the workstation)</SPAN><BR clear="none" /><SPAN>&nbsp;&nbsp;&nbsp; Right click on the client icon --&gt; VPN Options --&gt; Advanced --&gt; enable logging checkbox --&gt; click close.</SPAN><BR clear="none" /><SPAN>&nbsp;&nbsp;&nbsp; Enable extended logging instead of basic if there is an option.&nbsp;</SPAN><BR clear="none" /><SPAN>&nbsp;</SPAN><BR clear="none" /><SPAN>2) Initiate VPN debug on the FW:</SPAN><BR clear="none" /><SPAN># rm $FWDIR/log/ike.elg.*</SPAN><BR clear="none" /><SPAN># rm $FWDIR/log/ikev2.xmll.*</SPAN><BR clear="none" /><SPAN># rm $FWDIR/log/iked.elg.*</SPAN><BR clear="none" /><SPAN># rm $FWDIR/log/vpnd.elg.*</SPAN><BR clear="none" /><SPAN># rm $FWDIR/log/legacy_ike.*</SPAN><BR clear="none" /><SPAN># rm $FWDIR/log/legacy_ikev2.xmll.*</SPAN><BR clear="none" /><SPAN># &gt; $FWDIR/log/ike.elg</SPAN><BR clear="none" /><SPAN># &gt; $FWDIR/log/ikev2.xmll</SPAN><BR clear="none" /><SPAN># &gt; $FWDIR/log/iked.elg</SPAN><BR clear="none" /><SPAN># &gt; $FWDIR/log/vpnd.elg</SPAN><BR clear="none" /><SPAN># &gt; $FWDIR/log/legacy_ike.elg</SPAN><BR clear="none" /><SPAN># &gt; $FWDIR/log/legacy_ikev2.xmll</SPAN><BR clear="none" /><SPAN># vpn debug trunc</SPAN><BR clear="none" /><SPAN># vpn debug on TDERROR_ALL_ALL=5</SPAN><BR clear="none" /><SPAN>&nbsp;</SPAN><BR clear="none" /><SPAN>3) &lt;&lt;&lt;&lt;Replicate the issue&gt;&gt;&gt;&gt;&gt;</SPAN><BR clear="none" /><SPAN>&nbsp;</SPAN><BR clear="none" /><SPAN>4) Stop VPN debug on the FW:</SPAN><BR clear="none" /><SPAN># vpn debug off</SPAN><BR clear="none" /><SPAN># vpn debug ikeoff</SPAN><BR clear="none" /><SPAN>&nbsp;</SPAN><BR clear="none" /><SPAN>5) Right click on the client icon --&gt; VPN Options --&gt; Advanced --&gt; collect logs --&gt; click close.</SPAN></P> Fri, 12 May 2023 14:38:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/180753#M5023 the_rock 2023-05-12T14:38:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/181274#M5024 <P>Hey&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7840">@nflnetwork29</a>&nbsp;...any luck with this?</P> <P>Andy</P> Wed, 17 May 2023 19:44:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/181274#M5024 the_rock 2023-05-17T19:44:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/181277#M5025 <P>i got this working by following a combination of these two links.</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Access-Role-not-working/m-p/144456#M22486" target="_self">https://community.checkpoint.com/t5/Security-Gateways/Access-Role-not-working/m-p/144456#M22486</A>&nbsp;</P> <P><A href="https://www.youtube.com/watch?v=yZVB3sJ3fZ8" target="_self">https://www.youtube.com/watch?v=yZVB3sJ3fZ8</A>&nbsp;</P> Wed, 17 May 2023 20:11:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/181277#M5025 nflnetwork29 2023-05-17T20:11:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/181278#M5026 <P>Excellent, thanks for sharing! <span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Wed, 17 May 2023 21:04:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Negotiation-with-Site-failed-SAML/m-p/181278#M5026 the_rock 2023-05-17T21:04:30Z