MFA "SSL Connect Error"

L4 Transporter

MFA "SSL Connect Error"

I am testing Multi-Factor Authentication with Okta. I have configured everything (including the certificate profile) as per the guide as well as the Okta-specific YouTube video. The first factor (Active Directory auth) is working fine; however, I am getting "SSL Connect Error" in the authentication logs. I could see the 443 connections going to Okta. How can I troubleshoot the issue? How do I get visibility into the SSL connect error?

 

> test mfa-vendors mfa-server-profile <mfa-profile-name>

{"res":"FAIL","msg":"SSL connect error"}

Accepted Solutions
L4 Transporter

@Willowjw

 

As per PAN support,

It is a known issue - PAN-95152 (TLS connection to Okta server is rejected because of TLS 1.0 from FW). It is reported on 8.1.0 and fixed versions are 8.0.13 (release ETA 27 sept), 8.1.2.



All Replies
L4 Transporter

I captured the traffic and can see that the firewall is using TLS 1.0 for auth requests. Is there any way to enforce TLS 1.2? Okta has enforced TLS 1.2.

L0 Member

We are encountering the exact same issue; the only difference is that we are unable to find any attempted traffic against Okta. Keen to find out a way to see more about the "SSL Connect Error".

L4 Transporter

The firewall I am testing MFA on is in the internal network, and I have one more PAN firewall on the internet edge. I did a packet capture to confirm the behavior from the PAN firewall (TLS 1.0) and from my machine's browser (TLS 1.2).
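The two replies above both come down to what the firewall's ClientHello actually offers; the check below is an added example, not code from the original thread or from any Palo Alto Networks or Okta tool. It parses a TLS ClientHello record from a capture and reports the highest version offered (legacy client_version or the supported_versions extension) and whether a server that enforces TLS 1.2 could accept it. The two sample records are constructed inline, not captured from a firewall.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension id

def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Assemble a minimal ClientHello record so the parser can be exercised offline."""
    body = struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"  # version, random, no session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def max_offered_version(record):
    """Highest TLS version a ClientHello offers: legacy client_version or supported_versions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9  # 5-byte record header + 4-byte handshake header
    best = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                            # legacy version + random
    pos += 1 + record[pos]                                   # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                                   # compression methods
    if pos + 2 <= len(record):  # extensions block is optional before TLS 1.3
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                data = record[pos + 1:pos + 1 + record[pos]]
                for i in range(0, len(data), 2):
                    v = struct.unpack("!H", data[i:i + 2])[0]
                    if v in TLS_VERSIONS:  # ignore GREASE placeholder values
                        best = max(best, v)
            pos += elen
    return best

def check_tls12_floor(record):
    # (version name, True if a server enforcing a TLS 1.2 minimum could accept this hello)
    v = max_offered_version(record)
    return TLS_VERSIONS.get(v, hex(v)), v >= 0x0303

# Constructed samples: a TLS 1.0-only hello like the firewall's, a TLS 1.2/1.3 one like the browser's
LEGACY_HELLO = build_client_hello(0x0301, [0x002F])
MODERN_HELLO = build_client_hello(0x0303, [0xC02F], [0x0304, 0x0303])
```

To use it on a real capture, feed it the TCP payload bytes of the first client-to-server segment on port 443; a result of TLS 1.0 from the firewall side matches the rejection the thread describes.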


L3 Networker

Hi, this will be fixed in the next minor releases of PAN-OS, 8.0.13 and 8.1.2.

L4 Transporter

I didn't see PAN-95152 in the release notes for 8.0.13. However, after upgrading to 8.0.13 my MFA cert profile issue disappeared and is successfully authenticating users hitting authentication policies now.

 

I am still not getting prompts in GlobalProtect for non-web-based applications. That doesn't work on 8.1.3 either. I had it working in the 8.0.0 beta but hadn't tried it since; now I have a use case.
