VPN users getting "password expires in 0 days" after upgrading to 7.0

L1 Bithead

Hi all,

Today I upgraded our PA-500 from 6.1.4 to 7.0.0.

After the reboot, when I log in with the GlobalProtect client, I receive the following message in red in the warnings/errors section:

"Password expires in 0 days."

We authenticate our VPN users to an AD domain using LDAP. The AD accounts are set to "password never expires".

I looked at the LDAP authentication profile, and the password expiry warning field requires a value of 1-255, and defaults to 7 days, even if I leave the field blank. Is there any way to turn this check off? My users' passwords don't have expire dates, and I'd rather they not receive this erroneous error message. It does not prevent them from logging in, and the VPN otherwise works normally.

Thanks,


Dan

L1 Bithead

I'm seeing the same thing as well, is there a fix for this?

L1 Bithead

@mldillion

Here's the current status of the ticket I have open for this password expiry error:

"Would like to update you that the engineering team has identified the root cause for this issue and they are working on the fix. Will keep you posted with regular updates."

In the meantime, I have downgraded from 7.0.0 back to 6.1.4. Not just for this bug, there was also an issue with SSL sessions not being released correctly after the VPN client terminated, so eventually the firewall quit allowing new sessions and the portal page would not respond.

Dan

L3 Networker

Hi all,

I have the same issue with PANOS 7.0.3 and GP 2.3.3.

Do you have any news regarding this issue?

Thanks in advance.

Jacopo

Cyber Elite

Hi @Jacopo_Vigano

Unfortunately I have the same issue. I called TAC Support to ask about it, and the information about this issue is that this bug is known and unfortunately the fix will not make it to 7.0.4.

With 7.0.5 this bug will be fixed.

Regards,

Remo.

L3 Networker

Hi @vsys_remo,

Thank you very much for your response.

We will wait for the 7.0.5 PANOS release.

Regards,

Jacopo

L0 Member

Excuse me if this has already been covered/solved. I upgraded to 7.0.4 last night and I am seeing the "Password expires in 0 days." message when connecting with GlobalProtect. At our site, I have also seen erroneous dates for password expiration on my Cisco AnyConnect clients and our support group has seen anomalies in Active Roles. The issue seems to have started with a change in our AD password policies. Here is what I could gather:

1. We changed our Active Directory 2008 R2 to use granular password policies. That seemed to set off this problem.

2. The admin said there is no AD object for granular settings that Palo Alto could use to calculate the correct password expiration value.

I'm trying to see if he can change the general AD settings to represent the expiration without using the granular settings.

L3 Networker

Dear All,

This issue should be fixed with PANOS 7.0.5.

Check the release note for more information.

Jacopo.

L3 Networker

Was this issue fixed in 7.0.5+?

Community Team Member

From the 7.0.5 Release Notes:

Fixed an issue where some Active Directory (AD) servers were incorrectly displaying a Password expires in x days message even after selecting Password never expires on the AD server. With this fix, the AD server ignores the maximum password age (maxPwdAge) value when the Password never expires option is selected.
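
The check described in the release note above, as an added example (not from any poster and not PAN-OS code): a password-expiry calculation from the standard AD attributes pwdLastSet, maxPwdAge and userAccountControl, with and without honouring the "Password never expires" flag (0x10000). The function names, sample dates and the 42-day policy are constructed for illustration; how PAN-OS computed the value internally is not stated in this thread.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = timedelta(microseconds=1)

def to_filetime(dt):
    """datetime -> Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return (dt - FILETIME_EPOCH) // TICK * 10

def expiry_time(pwd_last_set, max_pwd_age):
    """pwdLastSet + |maxPwdAge|; maxPwdAge is stored as a negative tick count."""
    return FILETIME_EPOCH + (pwd_last_set - max_pwd_age) // 10 * TICK

def naive_days_left(pwd_last_set, max_pwd_age, now):
    """Failure mode: arithmetic only, account flags never consulted."""
    return max((expiry_time(pwd_last_set, max_pwd_age) - now).days, 0)

def days_left(pwd_last_set, max_pwd_age, uac, now):
    """Days until expiry, or None when the password cannot expire."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None                      # flag overrides maxPwdAge
    if max_pwd_age in (0, -2**63):
        return None                      # domain sets no maximum age
    if pwd_last_set == 0:
        return 0                         # must change at next logon
    return naive_days_left(pwd_last_set, max_pwd_age, now)

def warning(days, threshold=7):
    """Message shown to the user, or None; 7 is the profile default on the page."""
    if days is None or days > threshold:
        return None
    return f"Password expires in {days} days."

# Constructed sample data (not taken from the thread).
NOW = datetime(2015, 9, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -to_filetime(FILETIME_EPOCH + timedelta(days=42))  # 42-day policy
OLD_PWD = to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))
RECENT_PWD = to_filetime(datetime(2015, 8, 1, tzinfo=timezone.utc))
NEVER_EXPIRES_UAC = 0x200 | UF_DONT_EXPIRE_PASSWD   # normal account + flag
NORMAL_UAC = 0x200

if __name__ == "__main__":
    print(warning(naive_days_left(OLD_PWD, MAX_PWD_AGE, NOW)))            # flag ignored
    print(warning(days_left(OLD_PWD, MAX_PWD_AGE, NEVER_EXPIRES_UAC, NOW)))
    print(warning(days_left(RECENT_PWD, MAX_PWD_AGE, NORMAL_UAC, NOW), 14))
```
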
