https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1233407#M6885 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>,</P> <P>This is bloomin' amazing explanation - I was thinking it could be related to users' devices going to sleep but couldn't come up with the actual explanation like you did!</P> <P>Many thanks for this, mate!</P> <P>Gregor</P> Mon, 07 Jul 2025 07:43:22 GMT GregorJus 2025-07-07T07:43:22Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1232863#M6873 <DIV class="NTPm6 idxFD HynGd WWy1F"> <DIV class="adPpR mJflQ allowTextSelection" role="heading" aria-level="2"> <DIV class="MshDW m41se"> <DIV class="UUCdJ PKstT">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV class="L72vd"> <DIV class="Q8TCC yyYQP customScrollBar" tabindex="-1" aria-label="1 messages" data-app-section="ConversationContainer" data-is-scrollable="true"> <DIV> <DIV class="aVla3"> <DIV class="BS0OK" aria-expanded="true"> <DIV> <DIV class="fui-FluentProvider fui-FluentProviderrf9 ___5n94it0 f19n0e5 f3rmtva fgusgyc fk6fouc fkhj508 figsok6 fytdu2e" dir="ltr"> <DIV class="wide-content-host"> <DIV id="focused" class="SlLx9 WWy1F byzS1 WWy1F" tabindex="-1" aria-label="Email message"> <DIV class="uSg02"> <DIV class="DgV2h l8Tnu lAKmW"> <DIV class="lT19A" data-tabster="{&quot;mover&quot;:{&quot;cyclic&quot;:true,&quot;direction&quot;:2,&quot;memorizeCurrent&quot;:false}}"> <DIV class="Jj1JU"> <DIV class="ms-OverflowSet root-361" role="toolbar" aria-label="Message actions"> <DIV class="ms-OverflowSet-item item-178" role="none">&nbsp;</DIV> <DIV class="ms-OverflowSet-item item-178" role="none"> <DIV class="s82IJ body-157">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV role="document"> <DIV id="UniqueMessageBody_48" class="XbIp4 jmmB7 GNqVo allowTextSelection OuGoX" tabindex="0" aria-label="Message body" data-fui-focus-visible=""> <DIV class="BIZfh"> <DIV> <DIV class="rps_44c1"> <DIV>Hi,</DIV> <DIV>all of our users seem to be successfully connected to GP, however, I am receiving the alerts like below (I've only removed/amended some sensitive information).</DIV> <DIV>Can anyone shed some light on this Error 44 and invalid authentication cookie? Anything I should be worried and anything I should/could do to rectify this?</DIV> <DIV>Thanks,</DIV> <DIV>G</DIV> <DIV>&nbsp;</DIV> <DIV>receive_time: 2025/06/30 09:11:06<BR />actionflags: 0x0<BR />type: GLOBALPROTECT<BR />subtype: 0<BR />config_ver: 2817<BR />time_generated: 2025/06/30 09:11:06<BR />high_res_timestamp: 2025-06-30T09:11:06.815+02:00<BR />dg_hier_level_1: 0<BR />dg_hier_level_2: 0<BR />dg_hier_level_3: 0<BR />dg_hier_level_4: 0<BR />vsys_id: 1<BR />vsys: vsys1<BR />eventid: gateway-hip-check<BR />status: failure<BR />stage: host-info<BR />auth_method:<BR />tunnel_type:<BR />portal: GP gateway - Internal<BR />srcuser: user@domain.com<BR />private_ip: 10.0.2.25<BR />private_ipv6: 0.0.0.0<BR />hostid: 20d2155b-769e-4c0b-ba83-b9f1c55636e7<BR />client_ver: 6.2.7<BR />client_os: any<BR />client_os_ver:<BR />repeatcnt: 1<BR />login_duration: 0<BR />connect_method:<BR />reason:<BR />location:<BR />error_code: 44<BR />error: Invalid authentication cookie<BR />opaque:<BR />gateway:<BR />selection_type:<BR />response_time:<BR />priority:<BR />cluster_name:<BR />attempted_gateways:</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Mon, 30 Jun 2025 07:34:21 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1232863#M6873 GregorJus 2025-06-30T07:34:21Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1233325#M6883 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/515434985">@GregorJus</a>,</P> <P>This is normal to see in the logs and usually associated with gatewa-hip-check events like what you're seeing. I always see it on gateway-hip-check events and it's always between a gateway-logout event and a portal-auth/portal-gen-cookie event.</P> <P>&nbsp;</P> <P>If I would have to&nbsp;<EM>guess&nbsp;</EM>what is going on, I think the user is likely suspending the machine and upon it resuming the agent sends spurious HIP check reports; since the HIP reports utilize a cookie with the gateway and the gateway session has already been cleared, the cookie is invalid and the reports aren't processed.</P> <P>I've seen this on BYOD endpoints that aren't forced onto the VPN at random times well prior to them connecting to the VPN tens of minutes later, so that leads credence to it being an issue with the agent when exiting sleep. This is just a hypothesis, but it's the best I can offer.&nbsp;</P> Fri, 04 Jul 2025 07:47:40 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1233325#M6883 BPry 2025-07-04T07:47:40Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1233407#M6885 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>,</P> <P>This is bloomin' amazing explanation - I was thinking it could be related to users' devices going to sleep but couldn't come up with the actual explanation like you did!</P> <P>Many thanks for this, mate!</P> <P>Gregor</P> Mon, 07 Jul 2025 07:43:22 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-alert-error-code-44-invalid-authentication-cookie/m-p/1233407#M6885 GregorJus 2025-07-07T07:43:22Z