https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-gpudate-force-doesn-t-work-with-global-protect/m-p/1253712#M7373 <P>Hello LiveCommunity Team!<BR /><BR /></P> <P>I created this post to share my experience regarding an issue involving GlobalProtect users from Prisma Access who attempt to run <STRONG>gpupdate /force</STRONG> to update GPO policies from the DC server, and who encounter the following error:<BR /><BR /><STRONG>CMD ERROR GPUPDATE /FORCE<BR /></STRONG>C:\WINDOWS\system32&gt;gpupdate /force</P> <P>&nbsp;</P> <P>Updating policy...<BR /><BR /><SPAN>User policy cannot be updated successfully due to the following errors:</SPAN><BR /><BR /><STRONG>Group policy cannot be processed because it cannot connect to a domain controller over the network. This condition may be temporary. A success message may be generated once the computer connects to the domain controller and the group policy is processed successfully. Contact your administrator.</STRONG></P> <P>&nbsp;</P> <P>- Given this error, I checked the GlobalProtect source IP logs and everything appeared to be allowed.<BR /><BR /></P> <P>Then, I tried pinging from an affected endpoint with a custom length and the DF "<STRONG>Don't Fragment</STRONG>" bit active set to 1350 bytes, and the ping was dropped by fragmentation needed. as shown below:</P> <P><BR /><STRONG>PING TEST WITH 1350 BYTES</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_1-1778369596055.png" style="width: 756px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71375iF1CDDCF26D31AF08/image-dimensions/756x170?v=v2" width="756" height="170" role="button" title="DanielSRomero_1-1778369596055.png" alt="DanielSRomero_1-1778369596055.png" /></span></P> <P><BR />Then I try it with 1300 Bytes as the payload and the ping works!<BR /><BR /><STRONG>PING TEST WITH 1300 BYTES</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_2-1778369715172.png" style="width: 755px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71376iCAD9B072C08BDF16/image-dimensions/755x234?v=v2" width="755" height="234" role="button" title="DanielSRomero_2-1778369715172.png" alt="DanielSRomero_2-1778369715172.png" /></span></P> <P><BR />So, as a test, I changed the Prisma Access GlobalProtect tunnel MTU to 1300 bytes (<STRONG>default is 1400 bytes</STRONG>) and the <STRONG>gpupdate /force</STRONG> command works!<BR /><BR /><STRONG>PRISMA ACCESS GLOBAL PROTECT CONNECTION MTU ADJUSTMENT FROM 1400 TO 1300 BYTES</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_4-1778370034165.png" style="width: 755px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71378iD073ABA1DAFA9A0F/image-dimensions/755x251?v=v2" width="755" height="251" role="button" title="DanielSRomero_4-1778370034165.png" alt="DanielSRomero_4-1778370034165.png" /></span></P> <P>&nbsp;</P> <P><BR /><BR /><STRONG>CMD GPUPDATE /FORCE SUCCESFULLY<BR /></STRONG></P> <P>C:\Users\pcmolinaa&gt;gpupdate /force<BR />Updating policy...</P> <P><BR />The computer policy update completed successfully.</P> <P><BR /><STRONG>Conclusions:</STRONG><BR /><BR />- Some device in the path, most likely the on-premises NGFW, was dropping the LDAP packets because it has a lower MTU and the packets are sent with the DF bit set, disabling IP fragmentation and forcing the drop by some peer.<BR /><BR /><BR /></P> <P>Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful post; it would help me a lot in becoming a CyberElite!</P> <P><SPAN><BR />Best Regards,</SPAN><BR /><BR /><SPAN>Daniel Romero</SPAN><BR /><SPAN>Senior Network/Security Engineer</SPAN><BR /><SPAN>PANW Partner<BR /><BR /><LI-PRODUCT title="Prisma Access" id="Prisma_Access"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</SPAN></P> Sun, 10 May 2026 00:08:09 GMT DanielS.Romero 2026-05-10T00:08:09Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-gpudate-force-doesn-t-work-with-global-protect/m-p/1253712#M7373 <P>Hello LiveCommunity Team!<BR /><BR /></P> <P>I created this post to share my experience regarding an issue involving GlobalProtect users from Prisma Access who attempt to run <STRONG>gpupdate /force</STRONG> to update GPO policies from the DC server, and who encounter the following error:<BR /><BR /><STRONG>CMD ERROR GPUPDATE /FORCE<BR /></STRONG>C:\WINDOWS\system32&gt;gpupdate /force</P> <P>&nbsp;</P> <P>Updating policy...<BR /><BR /><SPAN>User policy cannot be updated successfully due to the following errors:</SPAN><BR /><BR /><STRONG>Group policy cannot be processed because it cannot connect to a domain controller over the network. This condition may be temporary. A success message may be generated once the computer connects to the domain controller and the group policy is processed successfully. Contact your administrator.</STRONG></P> <P>&nbsp;</P> <P>- Given this error, I checked the GlobalProtect source IP logs and everything appeared to be allowed.<BR /><BR /></P> <P>Then, I tried pinging from an affected endpoint with a custom length and the DF "<STRONG>Don't Fragment</STRONG>" bit active set to 1350 bytes, and the ping was dropped by fragmentation needed. as shown below:</P> <P><BR /><STRONG>PING TEST WITH 1350 BYTES</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_1-1778369596055.png" style="width: 756px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71375iF1CDDCF26D31AF08/image-dimensions/756x170?v=v2" width="756" height="170" role="button" title="DanielSRomero_1-1778369596055.png" alt="DanielSRomero_1-1778369596055.png" /></span></P> <P><BR />Then I try it with 1300 Bytes as the payload and the ping works!<BR /><BR /><STRONG>PING TEST WITH 1300 BYTES</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_2-1778369715172.png" style="width: 755px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71376iCAD9B072C08BDF16/image-dimensions/755x234?v=v2" width="755" height="234" role="button" title="DanielSRomero_2-1778369715172.png" alt="DanielSRomero_2-1778369715172.png" /></span></P> <P><BR />So, as a test, I changed the Prisma Access GlobalProtect tunnel MTU to 1300 bytes (<STRONG>default is 1400 bytes</STRONG>) and the <STRONG>gpupdate /force</STRONG> command works!<BR /><BR /><STRONG>PRISMA ACCESS GLOBAL PROTECT CONNECTION MTU ADJUSTMENT FROM 1400 TO 1300 BYTES</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_4-1778370034165.png" style="width: 755px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71378iD073ABA1DAFA9A0F/image-dimensions/755x251?v=v2" width="755" height="251" role="button" title="DanielSRomero_4-1778370034165.png" alt="DanielSRomero_4-1778370034165.png" /></span></P> <P>&nbsp;</P> <P><BR /><BR /><STRONG>CMD GPUPDATE /FORCE SUCCESFULLY<BR /></STRONG></P> <P>C:\Users\pcmolinaa&gt;gpupdate /force<BR />Updating policy...</P> <P><BR />The computer policy update completed successfully.</P> <P><BR /><STRONG>Conclusions:</STRONG><BR /><BR />- Some device in the path, most likely the on-premises NGFW, was dropping the LDAP packets because it has a lower MTU and the packets are sent with the DF bit set, disabling IP fragmentation and forcing the drop by some peer.<BR /><BR /><BR /></P> <P>Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful post; it would help me a lot in becoming a CyberElite!</P> <P><SPAN><BR />Best Regards,</SPAN><BR /><BR /><SPAN>Daniel Romero</SPAN><BR /><SPAN>Senior Network/Security Engineer</SPAN><BR /><SPAN>PANW Partner<BR /><BR /><LI-PRODUCT title="Prisma Access" id="Prisma_Access"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</SPAN></P> Sun, 10 May 2026 00:08:09 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-gpudate-force-doesn-t-work-with-global-protect/m-p/1253712#M7373 DanielS.Romero 2026-05-10T00:08:09Z