topic NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS in GlobalProtect Discussions

NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS

DanielS.Romero — Mon, 03 Mar 2025 12:31:59 GMT

Hello Livecommunity!

I'm facing an error with the Global Protect Agent 6.2.7 when an Apple Mac OS X 15.3.1 Sequoia tries to establish an SSL VPN connection with the Global Protect Portal; We see the next error on the DP CLI pcap global counters:

NGFW(active)> show counter global filter packet-filter yes delta yes
ssl_tls13_connection_error 1 0 error ssl pktproc TLS13: Unrecoverable error in openssl statemachine
sslv3 alert illegal parameter. Received fatal alert IllegalParameter from client

And these logs where the .193 is the Global Protect Portal IP address and the .170 is the Client public IP address:

NGFW DATA PLANE PCAP LOGS

Also on the NGFW logs there're somes decrypt errors on the traffic and decryptions logs says "sslv3 alert illegal parameter. Received fatal alert Illegal Parameter from client" When the Mac-OS Client try to negotiate the SSL VPN connection with TLS 1.3.

When the client uses TLS 1.0 the decrypt error says "Client and decrypt profile version mismatch. Supported client version bitmask: 0x08. Supported decrypt profile version bitmask: 0x60. " as below:

NGFW DECRYPTION ERRORS TLS 1.0 & TLS 1.3

These is a pcap on the Mac-OS device where the .193 is the Global Protect Portal IP address and the .108 is the Client private IP address.

MAC-OS DEVICE PCAP GLOBAL PROTECT AGENT CONNECTION

The Global Protect Agent on the Mac-OS says "The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect"

The openssl version on the Mac-OS is LibreSSL 3.3.6
The NGFW PAN-OS version is 11.1.5-h1
The TLS/SSL Service Profile we allowed connections from TLS 1.2 to TLS 1.3. (We want to avoid TLS 1.0 connections)

Anyone have an idea how to fix the Global Protect connection with the MAC device or know the meaning of the logs?

Thanks for your time!

Re: NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS

Josh_Levine — Wed, 16 Apr 2025 16:43:43 GMT

Did you ever find a solution to this? I am receiving the exact same problem now

Re: NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS

DanielS.Romero — Sat, 22 Nov 2025 01:54:48 GMT

Hello @Josh_Levine We open a TAC case and this is the results on a tshoot call:

"Summary:
=========
-Joined the call and you replicated the issue.
-Found the decrypt error as "Client and decrypt profile version mismatch. Supported client version bitmask: 0x08. Supported decrypt profile version bitmask: 0x60." .
-Run the command 'debug data plane show ssl-decrypt bitmask-version 0x08' to check the supported version of the client and the supported version is TLSv1.0.
-Run the command 'debug data plane show ssl-decrypt bitmask-version 0x06' to check the supported version of the decrypt profile and the supported versions were SSL2.0 and SSL 3.0.
-Checked the traffic logs to confirm the rule it is hitting and checked the policy.
-We observed the traffic is coming from two different zones. The rule is changing for the zone.
-However, there is the decrypt error for only one zone.
-Informed you the same and we created the separate decryption profile for the testing purpose. It didn't work.
-I informed the only solution is to edit the decryption profile since we cannot update the client.

Kindly refer the below documents for decryption error:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB8bCAG&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/troubleshoot-unsupported-cipher-suites

If there is anything else I could help you with, please don't hesitate to reach us. We will be happy to assist you."

According to the results we need to contact the MAC support to try fix this connectivity issue.

As a workaround, we modified the SSL/TLS service profile to support up to TLS 1.2, and the connection worked!

This was my previous SSL/TLS service profile configuration:

SSL/TLS SERVICE PROFILE CONFIGURATION

Hope this could be useful,

Best Regards,

Daniel Romero
PANW Partner
Senior Network/Security Engineer

Re: NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS

sbarba — Fri, 16 May 2025 17:57:29 GMT

Having the same issue with my Mac users.

Re: NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS

DanielS.Romero — Sat, 22 Nov 2025 01:57:18 GMT

Hello @sbarba ,

Could you please check the alternative solutions and confirm if they work for you?

Best Regards,

Daniel Romero
PANW Partner
Senior Network/Security Engineer