Global Protect Cookie Expired Log Messages But Not Using Cookie Auth

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Global Protect Cookie Expired Log Messages But Not Using Cookie Auth

L3 Networker

I'm using machine based certificate authentication for autovpn with Global Protect. It's mostly working with about

500 connected. But I get some occasional complaints from busy end users who are hard to schedule for 

troubleshooting. So initially I am working on the back end. In logging I see fairly often "Cookie Expired" 

error. Yet I'm not using Cookie for authentication at the portal or gateway. At least I don't think so. 
Anyone have a thought as to what this error could be about? How to troubleshoot? (Especially

from the back end.) Thank you.

1 accepted solution

Accepted Solutions

L6 Presenter

The client always seems to try the cookie first if it exists (at least in my testing, not sure if there is an GP client auth flowchart around). So if you have cookie gen in Gateway, then whenever the GP client successfully auths to the gateway it will get a new cookie. When the GP client tries to reconnect to the gateway either because of network disconnect, timeout, or VPN expiration, the client will try to reconnect to the gateway using the cookie. If that succeeds it gets a new cookie generated. If that fails it will try other auth methods. When the client tries to reconnect to the portal (every 24 hours by default I believe), it will also try to use the same cookie from the gateway for auth. Since you don't have accept cookie on the portal, that will always fail.

 

From the System logs, you should be able to see where the portal and gateway are specifically generating/allowing/denying the cookie. Pay close attention to the Event field, it may be globalprotectportal-... or globalprotectgateway-..., but it all seems to blur together when I quickly look at it.

( subtype eq globalprotect ) and ( description contains 'cookie' )

 

There is a cookie lifetime on the portal and gateway auth override, but that seems to apply to the portal/gateway acceptance, the cookie seems to have an infinite lifetime on the client. Once given a cookie, the client will always try to use it until rebooted (I haven't found documentation or fully tested this, but it seems like what is happening).

View solution in original post

3 REPLIES 3

L6 Presenter

If you generate a cookie for auth anywhere (portal or gateway), the GP client seem to always use it as a first auth method, even if the connected-to resource doesn't accept it anywhere. Check your configs to see if you are generating a cookie somewhere.

Network -> Portals -> <portal> -> Agent -> <profile> -> Authentication -> Authentication Override

Network -> Gateway -> <gateway> -> Agent -> Client Settings -> <profile> -> Authentication Override

Oh my - you're right. Over-ride w cookie business is there in the gateway. Generate Cookie for auth override and Accept cookie for auth override. Never noticed this. What's the likely implication of this? If I look at the logs for my own laptop GP auto VPN no certificate is coming into play and it just works. But I see others where it is coming into play. Does it try cookie if the certificate auth fails perhaps?

L6 Presenter

The client always seems to try the cookie first if it exists (at least in my testing, not sure if there is an GP client auth flowchart around). So if you have cookie gen in Gateway, then whenever the GP client successfully auths to the gateway it will get a new cookie. When the GP client tries to reconnect to the gateway either because of network disconnect, timeout, or VPN expiration, the client will try to reconnect to the gateway using the cookie. If that succeeds it gets a new cookie generated. If that fails it will try other auth methods. When the client tries to reconnect to the portal (every 24 hours by default I believe), it will also try to use the same cookie from the gateway for auth. Since you don't have accept cookie on the portal, that will always fail.

 

From the System logs, you should be able to see where the portal and gateway are specifically generating/allowing/denying the cookie. Pay close attention to the Event field, it may be globalprotectportal-... or globalprotectgateway-..., but it all seems to blur together when I quickly look at it.

( subtype eq globalprotect ) and ( description contains 'cookie' )

 

There is a cookie lifetime on the portal and gateway auth override, but that seems to apply to the portal/gateway acceptance, the cookie seems to have an infinite lifetime on the client. Once given a cookie, the client will always try to use it until rebooted (I haven't found documentation or fully tested this, but it seems like what is happening).

  • 1 accepted solution
  • 14108 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!