topic GP 6.0.6 - Cookie expired only from mobile phone in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-6-0-6-cookie-expired-only-from-mobile-phone/m-p/558547#M4401 <P>Hi,</P> <P>we have PA-850 and we deployed GP 6.0.7 for desktops and 6.0.6 version for mobile phones.</P> <P>The authentication is based on SAML via Azure and every connection from desktops works flawlessly.</P> <P>Recently we started receiving complaints from users that the VPN stopped working on phones, they received an XML saying Access Denied (attached).</P> <P>Looking at logs I found a Cookie Expiration and the quick solution was to clean the history of the mobile browser. then, the error disappeared and SAML authentication happened as usual.&nbsp;<BR />It seems like the GP client on a desktop can go for SAML authentication whenever it receives a cookie expiration message.&nbsp;</P> <P>Is there a way to configure the mobile client to do the same? is it a bug? any setting I can configure at Paloalto level?&nbsp;<BR />one option would be to disable the cookie authentication but that would be my last choice.... <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 19 Sep 2023 10:49:45 GMT JoseCortijo 2023-09-19T10:49:45Z GP 6.0.6 - Cookie expired only from mobile phone https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-6-0-6-cookie-expired-only-from-mobile-phone/m-p/558547#M4401 <P>Hi,</P> <P>we have PA-850 and we deployed GP 6.0.7 for desktops and 6.0.6 version for mobile phones.</P> <P>The authentication is based on SAML via Azure and every connection from desktops works flawlessly.</P> <P>Recently we started receiving complaints from users that the VPN stopped working on phones, they received an XML saying Access Denied (attached).</P> <P>Looking at logs I found a Cookie Expiration and the quick solution was to clean the history of the mobile browser. then, the error disappeared and SAML authentication happened as usual.&nbsp;<BR />It seems like the GP client on a desktop can go for SAML authentication whenever it receives a cookie expiration message.&nbsp;</P> <P>Is there a way to configure the mobile client to do the same? is it a bug? any setting I can configure at Paloalto level?&nbsp;<BR />one option would be to disable the cookie authentication but that would be my last choice.... <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 19 Sep 2023 10:49:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-6-0-6-cookie-expired-only-from-mobile-phone/m-p/558547#M4401 JoseCortijo 2023-09-19T10:49:45Z