MFA "SSL Connect Error"

L4 Transporter

I am testing Multi-Factor Authentication with Okta. I have configured everything (including the certificate profile) as per the guide as well as the Okta-specific YouTube video. The first factor (Active Directory auth) is working fine; however, I am getting "SSL Connect Error" in the authentication logs. I can see the 443 connections going to Okta. How can I troubleshoot the issue? How do I get visibility into the SSL connect error?

> test mfa-vendors mfa-server-profile <mfa-profile-name>

{"res":"FAIL","msg":"SSL connect error"}
Accepted Solution

@Willowjw

As per PAN support,

It is a known issue, PAN-95152 (TLS connection to the Okta server is rejected because of TLS 1.0 from the FW). It is reported on 8.1.0, and the fixed versions are 8.0.13 (release ETA 27 Sept) and 8.1.2.


6 REPLIES

L4 Transporter

I captured the traffic and can see that the firewall is using TLS 1.0 for auth requests. Is there any way to enforce TLS 1.2? Okta has enforced TLS 1.2.

L0 Member

We are encountering the exact same issue; the only difference is that we are unable to find any attempted traffic against Okta. Keen to find a way to see more about the "SSL Connect Error".

The firewall I am testing MFA on is in the internal network, and I have one more PAN firewall on the internet edge. I did a packet capture to confirm the behavior from the PAN firewall (TLS 1.0) and from my machine's browser (TLS 1.2).
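The packet capture described above is the quickest way to get the visibility the original post asks for: the TLS version the firewall offers is visible in plaintext in the ClientHello, before any certificate or MFA exchange happens. The script below is an added example, not code from the thread, from Palo Alto Networks or from Okta. It parses the ClientHello record and reports the highest protocol version offered, reading the `supported_versions` extension when present and falling back to the legacy `client_version` field otherwise, and then decides whether a server that insists on a minimum version (TLS 1.2 is assumed here, matching what Okta is reported to enforce) would refuse the handshake. The two sample hellos are constructed in the script (a TLS 1.0-only hello standing in for the firewall, and a TLS 1.2/1.3 hello standing in for the browser); they are not bytes taken from the poster's capture. To use it on real traffic, feed it the TCP payload of the first client-to-server segment of the port 443 flow.

```python
import struct

# Wire values for ProtocolVersion; GREASE values (0x0a0a, 0x1a1a, ...) are deliberately absent.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 extension type


def build_client_hello(client_version, cipher_suites, supported_versions=None,
                       record_version=0x0301):
    """Construct a minimal ClientHello record (sample data for this example only)."""
    body = struct.pack("!H", client_version) + bytes(32)  # version + zeroed random
    body += b"\x00"                                        # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Parse a TLS ClientHello record and return the version-relevant fields."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                  # skip legacy version + 32-byte random
    pos += 1 + body[pos]                      # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # compression methods
    supported = None
    if pos + 2 <= len(body):                  # extensions are optional (absent in old stacks)
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                n = edata[0]
                supported = [struct.unpack("!H", edata[i:i + 2])[0]
                             for i in range(1, 1 + n, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "supported_versions": supported}


def highest_offered(info):
    """Highest real TLS version the client offers; GREASE values are ignored."""
    if info["supported_versions"]:
        real = [v for v in info["supported_versions"] if v in TLS_VERSIONS]
        if real:
            return max(real)
    return info["client_version"]


def will_be_rejected(info, server_minimum=0x0303):
    """True if a server requiring at least server_minimum (TLS 1.2 assumed) cannot negotiate."""
    return highest_offered(info) < server_minimum


if __name__ == "__main__":
    # Constructed samples: a TLS 1.0-only stack and a modern browser stack.
    samples = {
        "firewall-like": build_client_hello(0x0301, [0x002f, 0x0035]),
        "browser-like": build_client_hello(0x0303, [0x1301, 0xc02f],
                                           supported_versions=[0x0a0a, 0x0304, 0x0303]),
    }
    for name, raw in samples.items():
        info = parse_client_hello(raw)
        top = highest_offered(info)
        verdict = "REJECTED by a TLS 1.2-only server" if will_be_rejected(info) else "accepted"
        print(f"{name}: offers up to {TLS_VERSIONS.get(top, hex(top))} -> {verdict}")
```

The check is deliberately one-sided: it models a server that refuses anything below its minimum version and nothing else. A handshake can still fail on cipher suites, SNI or the certificate chain, so a "would be accepted" verdict only rules out the version mismatch this thread is about.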


Hi, this will be fixed in the next minor release of PAN-OS, 8.0.13 and 8.1.2.

I didn't see PAN-95152 in the release notes for 8.0.13. However, after upgrading to 8.0.13 my MFA cert profile issue disappeared, and it is successfully authenticating users hitting authentication policies now.

I am still not getting prompts in GlobalProtect for non-web-based applications. That doesn't work on 8.1.3 either. I had it working in the 8.0.0 beta but hadn't tried it since; now I have a use case.
