VPN users getting "password expires in 0 days" after upgrading to 7.0


L1 Bithead

Hi all,

Today I upgraded our PA-500 from 6.1.4 to 7.0.0.

After the reboot, when I log in with the GlobalProtect client, I receive the following message in red in the warnings/errors section:

"Password expires in 0 days."

We authenticate our VPN users to an AD domain using LDAP. The AD accounts are set to "password never expires".

I looked at the LDAP authentication profile, and the password expiry warning field requires a value of 1-255, and defaults to 7 days, even if I leave the field blank. Is there any way to turn this check off? My users' passwords don't have expire dates, and I'd rather they not receive this erroneous error message. It does not prevent them from logging in, and the VPN otherwise works normally.

Thanks,


Dan

9 REPLIES 9

L1 Bithead

I'm seeing the same thing as well, is there a fix for this?

@mldillion

Here's the current status of the ticket I have open for this password expiry error:

"Would like to update you that the engineering team has identified the root cause for this issue and they are working on the fix. Will keep you posted with regular updates."

In the meantime, I have downgraded from 7.0.0 back to 6.1.4. Not just for this bug, there was also an issue with SSL sessions not being released correctly after the VPN client terminated, so eventually the firewall quit allowing new sessions and the portal page would not respond.

Dan

L3 Networker

Hi all,

I have the same issue with PANOS 7.0.3 and GP 2.3.3.

Do you have any news regarding this issue?

 

Thanks in advance.

Jacopo

Hi @Jacopo_Vigano

 

Unfortunately I have the same issue. I called TAC Support to ask about it, and the information about this issue is that this bug is known and unfortunately the fix will not make it into 7.0.4.

With 7.0.5 this bug will be fixed.

 

Regards,

Remo.

 

 

Hi @Remo,

Thank you very much for your response.

We will wait for the 7.0.5 PANOS release.

 

Regards,

Jacopo

Excuse me if this has already been covered/solved. I upgraded to 7.0.4 last night and I am seeing the "Password expires in 0 days." message when connecting with GlobalProtect. At our site, I have also seen erroneous dates for password expiration on my Cisco AnyConnect clients and our support group has seen anomalies in Active Roles. The issue seems to have started with a change in our AD password policies. Here is what I could gather:

 

1. We changed our Active Directory 2008 r2 to use granular password policies. That seemed to set off this problem.

2. The admin said there is no AD object for granular settings that Palo Alto could use to calculate the correct password expiration value.

 

I'm trying to see if he can change the general AD settings to represent the expiration without using the granular settings.

Dear All,

This issue should be fixed with PANOS 7.0.5.

Check the release note for more information.

 

Jacopo.

Was this issue fixed in 7.0.5+ ?

Community Team Member

From the 7.0.5 Release Notes :

 

Fixed an issue where some Active Directory (AD) servers were incorrectly displaying a Password expires in x days message even after selecting Password never expires on the AD server. With this fix, the AD server ignores the maximum password age (maxPwdAge) value when the Password never expires option is selected.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
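The expiry logic discussed in this thread, as an added example that is not part of the original posts and is not PAN-OS code: it shows how an LDAP client that applies the domain `maxPwdAge` without checking the "Password never expires" bit in `userAccountControl` ends up at a 0-day warning, next to a check that honors the flag and prefers AD's constructed `msDS-UserPasswordExpiryTimeComputed` attribute, which already accounts for fine-grained password policies. The function names, the sample accounts and the 42-day domain policy are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit for "Password never expires"
NEVER = 0x7FFFFFFFFFFFFFFF        # msDS-UserPasswordExpiryTimeComputed value meaning "no expiry"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICK = timedelta(microseconds=1)

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC."""
    return ((dt - EPOCH) // TICK) * 10

def days_until(expiry_ft, now):
    """Whole days until expiry, clamped at 0 (assumed display behaviour)."""
    return max(0, (EPOCH + (expiry_ft // 10) * TICK - now).days)

def naive_days(user, max_pwd_age, now):
    """Flawed: pwdLastSet + domain maxPwdAge only (maxPwdAge is stored negative)."""
    return days_until(user["pwdLastSet"] - max_pwd_age, now)

def checked_days(user, max_pwd_age, now):
    """Return days to expiry, or None when no warning applies."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None                               # flag wins over any maxPwdAge
    computed = user.get("msDS-UserPasswordExpiryTimeComputed")
    if computed is not None:                      # already reflects fine-grained policies
        return None if computed == NEVER else days_until(computed, now)
    if max_pwd_age in (0, -2**63):                # domain policy itself never expires
        return None
    return days_until(user["pwdLastSet"] - max_pwd_age, now)

# Constructed sample data (not taken from the thread).
NOW = datetime(2015, 7, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10**7                 # 42-day domain policy
USERS = {
    "never_expires": {"userAccountControl": 0x10200,
                      "pwdLastSet": to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))},
    "domain_policy": {"userAccountControl": 0x200,
                      "pwdLastSet": to_filetime(datetime(2015, 6, 1, tzinfo=timezone.utc))},
    "fine_grained":  {"userAccountControl": 0x200,
                      "pwdLastSet": to_filetime(datetime(2015, 6, 1, tzinfo=timezone.utc)),
                      "msDS-UserPasswordExpiryTimeComputed":
                          to_filetime(datetime(2015, 8, 30, tzinfo=timezone.utc))},
}

if __name__ == "__main__":
    for name, u in USERS.items():
        print(name, naive_days(u, MAX_PWD_AGE, NOW), checked_days(u, MAX_PWD_AGE, NOW))
```

For the fine-grained account the domain-level calculation reports 12 days while the computed attribute gives 60, which is the kind of mismatch described in the post about granular password policies.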