This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AOBELAR
Contributor
‎2025-11-29 05:27 AM
Jump to solution

Remote Access VPN with MFA – Authentication fails on ISP network but works with mobile hotspot

Hello everyone,

I have a Remote Access VPN implementation configured with MFA authentication. The issue I’m facing is that the authentication fails when I connect using my home Internet Service Provider’s network.

The error message shows an App registration that doesn’t exist in my Azure tenant and isn’t linked to any Identity Provider configured in my Management Server.

However, when I connect using my mobile hotspot, the authentication works perfectly, and the URLs correspond to the current Identity Provider configured on the gateway.

Could this behavior be related to how the ISP handles IP assignment (NAT, CGNAT, etc.)?
Is there any known limitation or recommendation regarding authentication flows behind carrier-grade NAT or similar configurations?

Thanks in advance for any insight or suggestions.

0 Kudos
49 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 04:43 PM
In response to AOBELAR
Jump to solution

Im not expert in this particular subject by any means, but I do know those values have to come from Azure/gw side. By the way, I see the option for importing file, you did not do so, you chose manual...any reason why?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 04:54 PM
In response to the_rock
Jump to solution

I tried a different approach because it wouldn’t start before. It starts now, but it’s showing some strange behavior.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 04:56 PM
In response to AOBELAR
Jump to solution

Did you try importing the file approach?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 04:51 PM
In response to AOBELAR
Jump to solution

I meant below settings, more less what you had in your screenshot.

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 04:58 PM
In response to the_rock
Jump to solution

In the previous cases, I followed this approach.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 05:06 PM
In response to AOBELAR
Jump to solution

And I assume it was same error?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 05:09 PM
In response to the_rock
Jump to solution

It doesn’t have any impact, but the idea was to test an alternative approach.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 05:13 PM
In response to AOBELAR
Jump to solution

Small favor, if you dont mind...can you please paste the text error itself, rather than the screenshot?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 05:20 PM
In response to the_rock
Jump to solution

AADSTS700016: Application with identifier 'https://IP/saml-vpn/spPortal/ACS/ID/e630b697-b47e-4029-be4b-33599e317cb0' was not found in the directory 'XXXXXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.


Troubleshooting details
If you contact your administrator, send this info to them.
Copy info to clipboard
Request Id: fe7e2435-c841-4163-b60d-b2f7b4964301
Correlation Id: 51b51ef5-6f1a-4f0b-a58c-b2cc4b6cfeb4
Timestamp: 2025-12-02T01:17:28Z
Message: AADSTS700016: Application with identifier 'https://IP/saml-vpn/spPortal/ACS/ID/e630b697-b47e-4029-be4b-33599e317cb0' was not found in the directory 'XXXXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Flag sign-in errors for review: Enable flagging
If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.

image.png

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 05:26 PM
In response to AOBELAR
Jump to solution

Give me some time, let me look into it.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 05:33 PM
In response to AOBELAR
Jump to solution

Here are some things I would check, from my previous notes:

1) Check the tenant

2) check the app registration

3) confirm the identifier

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 05:40 PM
In response to the_rock
Jump to solution

But why would the scenario that authenticates me vary depending on the connection?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 05:44 PM
In response to AOBELAR
Jump to solution

Just thought of something, might not be related, but lets double check. What are dns servers when it works and when it does not, can you check?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 05:54 PM
In response to the_rock
Jump to solution

falis


failsfails

Works
worksworks

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 06:03 PM
In response to AOBELAR
Jump to solution

K, so lets take a step back, as they say. So, with one that fails, are you able to resolve google dns, say google.com. Does that work?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-01 06:17 PM
In response to the_rock
Jump to solution

 

image.png

image.png

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-01 08:25 PM
In response to AOBELAR
Jump to solution

I would open TAC case, see if they provide specific vpn debug for this.

Best,
Andy
"Have a great day and if its not, change it"
AOBELAR
Contributor
‎2025-12-02 04:13 AM
In response to the_rock
Jump to solution

Thank you very much for your time and for the validation tips. I will share any updates as soon as I have them, in case they’re helpful for future cases.

the_rock
MVP Diamond
MVP Diamond
‎2025-12-02 04:19 AM
In response to AOBELAR
Jump to solution

Yes, thanks a lot for that, appreciated.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AOBELAR
Contributor
‎2025-12-17 06:00 AM
In response to the_rock
Jump to solution

The issue was finally resolved by running the following commands on the gateway:

fw kill vpnd
cpstop
cpstart


After executing these commands, the Remote Access VPN authentication started working correctly from different ISPs without any issues.

I would like to thank everyone for your comments, insights, and the time you took to help me troubleshoot this problem. Your support was greatly appreciated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events