Pulse Connect Secure Client on Fedora 32

Looking for help. We have Pulse Secure SSL VPN running and I am trying to configure the default VPN client that comes with Fedora 32 Workstation to connect to the SSL VPN.
This VPN device has SAML authentication configured for MFA, and I am getting a screen to enter user name / password. It tries to connect but after a couple of seconds simply disconnects without any obvious error on the client-side GUI.

Can anyone in the forum who has done this before help me?

Here is the log from the client side.

Attempting to connect to server 92.x.x.x:443

Connected to 92.x.x.x:443

SSL negotiation with 92.x.x.x

Server certificate verify failed: certificate does not match hostname

Connected to HTTPS on 92.x.x.x

Got HTTP response: HTTP/1.1 101 Switching Protocols

Content-type: application/octet-stream

Pragma: no-cache

Upgrade: IF-T/TLS 1.0

Connection: Upgrade

Strict-Transport-Security: max-age=31536000


I’ve never used anything other than OpenVPN or WireGuard, but let’s give it a try.

This hints at a missing/wrong certificate, are you sure you have everything you need?

Looking at their knowledge base, it seems that you might have malformed certificates, even if you are doing everything else right:
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40278?kA1j000000002yo=

Just to be clear, you mean this?

If you can’t get it to work, try using their cli or desktop client and if that manages to connect, try to recreate their configuration in NetworkManager.


I was connecting using the IP address and that's why it was throwing that warning, but now I tried using the hostname and still… the VPN seems to connect for a couple of seconds and disconnects without any visible error.

I checked on Pulse Secure device and VPN session was still active but something seems to break after connection.

Here is the latest log :

If it’s after a couple of seconds, we can rule out an issue with keepalive, there’s probably something going on that makes the client unhappy and the connection is dropped. Is there an option to increase the verbosity of the logs on the client side?

Let’s try that one again…

Did you try with their own client software?


I have successfully managed to connect using the Fedora native VPN client instead of using the Pulse one. I had to change the VPN protocol to “Juniper Network Connect” but I don’t know why. Maybe you could try too.

Note that I had manually installed the gateway certificate beforehand by copying it into /etc/pki/ca-trust/source/anchors and running update-ca-trust.
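
Added example, not part of any post in this thread and not OpenConnect's own code: the "certificate does not match hostname" line in the first log, and the later remark about connecting by IP address, come down to how a client compares the dialled target with the certificate's subjectAltName entries. The simplified matcher below runs over a constructed certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the names and the 192.0.2.10 address are placeholders, and `target_matches` is a hypothetical helper.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names below are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.corp.example.com")),
}

def _dns_match(pattern, host):
    """RFC 6125 style match: '*' is honoured only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard covers exactly one non-empty label and needs
        # at least two fixed labels after it.
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def target_matches(cert, target):
    """Return (ok, reason) for the address or name the client was told to dial."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is compared only against "IP Address" SANs, never DNS names.
        ip_sans = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, "matched IP Address SAN"
        return False, "no IP Address SAN for %s" % target
    dns_sans = [v for k, v in sans if k == "DNS"]
    for pattern in dns_sans:
        if _dns_match(pattern, target):
            return True, "matched DNS SAN %s" % pattern
    return False, "no DNS SAN matches %s (have: %s)" % (target, ", ".join(dns_sans) or "none")

if __name__ == "__main__":
    for t in ("192.0.2.10", "vpn.example.com", "gw1.corp.example.com", "a.b.corp.example.com"):
        print(t, target_matches(SAMPLE_CERT, t))
```

Name matching is a separate check from chain trust: adding a certificate to the system trust anchors does not change which names or addresses it is valid for.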