This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
GlobalProtect Authentication failed Error code -1 after PAN-OS update
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: GlobalProtect Authentication failed Error code -1 after PAN-OS update
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
GlobalProtect Authentication failed Error code -1 after PAN-OS update
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-24-2019 06:49 PM
We are on PAN-OS 8.0.6 and have GlobalProtect and SAML w/ Okta setup. It has worked fine as far as I can recall.
However when we went to upgrade to 8.0.19 and any later version (after trying that one first), our VPN stopped working.
The client would just loop through Okta sending MFA prompts.
On the web client, we got this error: "Authentication failed Error code -1" with "/SAML20/SP/ACS" appended to the URL of the VPN site (after successfully authenticating with Okta.
When I downgrade PAN-OS back to 8.0.6, everything goes back to working just fine. No changes are made by us during the upgrade/downgrade at all.
Any advice/suggestions on what to do here?
15 REPLIES 15
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-24-2019 08:01 PM
Since you are hitting the ACS URL it would appear that the firewall is sending the request, but it isn't getting anything back from Okta. I'd make sure that you don't have any traffic getting dropped between Okta and your firewall over port 443, just to verify something within the update didn't modify your security policies to the point where it can't communicate.
If communicate comes back okay you should really contact TAC and have them verify your configuration and work with you to ensure that everything is working okay. If it isn't a communication issue you'll need to start looking at packet captures and a tool like the SAML DevTools extension to see exactly what your response is and ensure that everything actually lines up.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-24-2019 08:40 PM
Is TAC the PA support? If so I did send a case in.
As far as changes, would I be able to load configuration from old backup onto the newer OS to override any of those changes if there were any security changes for example?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-18-2020 03:07 PM
Did you find a solution? I am having the same issue as well.
Related Content
- Brute Force GlobalProtect Portal via GP app in Custom Signatures
- Issue using MFA in GlobalProtect ) in GlobalProtect Discussions
- Global Protect multiple VPN and multiple authentication methods in General Topics
- Intense SSO failures in Cortex XDR Discussions
- GlobalProtect is not authenticating via SAML while connecting via MAC-OS in GlobalProtect Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks