Solved: Re: Remote Access VPN with MFA – Authentication fa...

AOBELAR · ‎2025-11-29

Hello everyone,

I have a Remote Access VPN implementation configured with MFA authentication. The issue I’m facing is that the authentication fails when I connect using my home Internet Service Provider’s network.

The error message shows an App registration that doesn’t exist in my Azure tenant and isn’t linked to any Identity Provider configured in my Management Server.

However, when I connect using my mobile hotspot, the authentication works perfectly, and the URLs correspond to the current Identity Provider configured on the gateway.

Could this behavior be related to how the ISP handles IP assignment (NAT, CGNAT, etc.)?
Is there any known limitation or recommendation regarding authentication flows behind carrier-grade NAT or similar configurations?

Thanks in advance for any insight or suggestions.

AOBELAR

The issue was finally resolved by running the following commands on the gateway:

fw kill vpnd
cpstop
cpstart

After executing these commands, the Remote Access VPN authentication started working correctly from different ISPs without any issues.

I would like to thank everyone for your comments, insights, and the time you took to help me troubleshoot this problem. Your support was greatly appreciated.

View solution in original post

the_rock · ‎2025-11-30

Definitely could be related to that. Do you have any relevant logs/errors that could help us?

Best,
Andy

AOBELAR · ‎2025-11-30

I'm not sure about the root cause, but what puzzles me is the different behavior between the two connectivity methods. When I connect through my ISP, the authentication flow seems to reference information that no longer exists, which is why the login fails.

When I use my mobile hotspot, the authentication works correctly and points to the current Identity Provider configuration.

As an additional note, my environment is running R81.20 with JHF Take 119.

the_rock · ‎2025-11-30

That got me thinking...so, if it references something that does NOT exist any longer, can you check Guidbedit and see if you can find it there? If so, just delete it and install policy, test again.

Best,
Andy

kamilazat · ‎2025-11-30

I also wanted to ask another question additional to what @the_rock asked. Does a policy installation without any changes have any kind of effect when the authentication doesn't work, i.e when on ISP network?

AOBELAR · ‎2025-12-01

I also installed the policy both with and without acceleration, and I couldn’t find any trace of the old object.

What I don’t understand is: if the issue were related to that old reference, what connection would it have with using one Internet service versus the other?

kamilazat · ‎2025-12-01

Some of the connections in the connections table can get deleted and recreated upon policy installation, which may help if any connection gets 'stuck' in the table. Just wanted to check 🙂

AOBELAR · ‎2025-12-01

Do you know whether the EntryID and Replay URLs are being called by the client or by the Gateway?
Is there any cache-related file or something similar that can be cleared?

Thank you very much for your comments.

the_rock · ‎2025-12-01

I could be mistaken, but I believe entryID is called by the client and reply URL by the gateway.

Best,
Andy

PhoneBoy · ‎2025-12-01

Does the host part of the URLs for the Identity Provider configuration contain an IP or an FQDN?
If an IP, perhaps there's a routing issue upstream.
If it's an FQDN, ensure DNS resolves the same in both places.

Duane_Toler · ‎2025-12-01

As @PhoneBoy noted, when you're on your home network, check the URLs and the hostnames used for the SAML connection. Do 'nslookup' locally on your PC/Mac to verify if the names are resolving to the correct locations. Do the same when you're connected to your mobile hotspot. Compare the differences and that might give you some insight. CGNAT can play weird tricks, for sure. You might even be having DNS re-write taking place by your ISP, such as if you subscribe to some ISP-managed "security filtering" service or whatever. Likewise, are you using some other "VPN" service like Nord, etc.? These things can get in the way, too (and they aren't really doing what you think they are).

Be sure to check your Identity Provider object to make sure it's configured as you expect, including the XML metadata from the SAML provider. If you have a cluster, or multiple Remote Access VPN gateways in the community, then check each of them to be sure they are configured the same.

If all else fails, and you have access to the gateway, you can run a VPN debug to see what's happening under the surface.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

AOBELAR · ‎2025-12-01

I'm using a non-FQDN IP address. Will the client have any logs that could help me understand what's happening?

It works with the same IP address using the username and password method.

Duane_Toler · ‎2025-12-01

So your SAML VPN portal URL (in gateway properties -> VPN clients -> SAML) is an IP address (https://192.0.2.1/saml-vpn) ?

Are you able to post a screenshot of what happens in your client, or browser, after the SAML connection happens and redirects to your Identity Provider? Feel free to scrub any specific identifying info if you must.

Do you know if your home ISP has a content filtering service they are using for your web traffic?

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

AOBELAR · ‎2025-12-01

I don't know, I don't think so

Duane_Toler · ‎2025-12-01

Go to http://mysignins.microsoft.com and make sure you aren't accidentally logged into another Azure tenant (or Office365 account, or Azure Portal... whichever is relevant for you). I see this often myself when I have a browser tab logged into some other customer's account. I have to logout of all those first to make sure the cookies and sessions are removed.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

AOBELAR · ‎2025-12-01

That ID belongs to an identity provider that was created at some point but is no longer in AZR and also not in the Gateway

AOBELAR · ‎2025-12-01

If I use that ID for the URLs in Azure, I get a 500 error.

the_rock · ‎2025-12-01

Then its definitely wrong, but Im wondering if there is a way to confirm 199% it works on CP side...let me check.

Best,
Andy

AOBELAR · ‎2025-12-01

Jhf 118 sorry

AOBELAR · ‎2025-12-01

same PC and same client

the_rock · ‎2025-12-01

Are you able to send what smart console config looks like? Just blur out any sentisive data.

Best,
Andy

AOBELAR · ‎2025-12-01

Which part would you need to see?

the_rock · ‎2025-12-01

Preferably all that is relevant.

Best,
Andy

the_rock · ‎2025-12-01

Preferably part for identity source.

Best,
Andy

Duane_Toler · ‎2025-12-01

I presume you are installing the security policy after you make any changes?

You may need to check GUIDBedit (or the management API) for any SAML VPN configurations. With the API, on the management server, you can use show-objects with a filter:

[Expert@mgmt01:0]# mgmt_cli -r true -f json show-objects filter saml-vpn
{
  "from" : 1,
  "to" : 1,
  "total" : 1,
  "objects" : [ {
    "uid" : "b92e489c-31d1-4702-91c3-d268cdf0a074",
    "name" : "SAML_VPN",
    "type" : "CpmiIdentityProvider",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "Objects/AuthenticationServer",
    "color" : "black"
  } ]
}

You can then use show-generic-object with that UID value and review the output for "loginUrl" and "providerID":

[Expert@mgmt01:0]# mgmt_cli -r true -f json show-generic-object uid b92e489c-31d1-4702-91c3-d268cdf0a074 |jq -r '.name, (.services[] |.loginUrl,.providerID)' 
SAML_VPN
https://login.microsoftonline.com/81e...986b/saml2
https://sts.windows.net/81e...986b/

If you have more than one entry here, that means you have the SAML portal configured on multiple gateways. You may need to verify your VPN domains are configured correctly to make sure your client's IP is not anywhere in the group you have defined.

Maybe this output will give you some indication if you have a duplicate entry. No guarantees, however.

I'm still not sure why this would work while on your mobile hotspot versus your home ISP. This still indicates there's a possible DNS re-write issue, or your ISP could be filtering web traffic in some way, or perhaps your home router/NAT gateway is configured to do the same.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

AOBELAR · ‎2025-12-01

the_rock · ‎2025-12-01

Looks right to me. So reply URL fails on Azure end?

Best,
Andy

AOBELAR · ‎2025-12-01

this one works

this doesn't work

It doesn't exist in Azure nor in Smartconsole

the_rock · ‎2025-12-01

Hm...then it truly begs the question where it came from? Can you confirm 100% you dont see it anywhere in Azure?

Best,
Andy

AOBELAR · ‎2025-12-01

I don't know if 100%, but I deleted everything and generated it again, that's why I was also asking who was making the query to "https://IP/saml-vpn/spPortal/ACS/ID/............. and https://IP/saml-vpn/spPortal/ACS/Login/............."

Are you a member of CheckMates?

Remote Access VPN with MFA – Authentication fails on ISP network but works with mobile hotspot