01-10-2022 09:53 AM
I'm using machine-based certificate authentication for auto VPN with GlobalProtect. It's mostly working, with about 500 connected. But I get some occasional complaints from busy end users who are hard to schedule for troubleshooting. So initially I am working on the back end. In the logs I fairly often see a "Cookie Expired" error. Yet I'm not using a cookie for authentication at the portal or gateway. At least I don't think so. Anyone have a thought as to what this error could be about? How to troubleshoot? (Especially from the back end.) Thank you.
01-11-2022 07:41 AM
If you generate a cookie for auth anywhere (portal or gateway), the GP client seems to always use it as a first auth method, even if the connected-to resource doesn't accept it anywhere. Check your configs to see if you are generating a cookie somewhere.
Network -> Portals -> <portal> -> Agent -> <profile> -> Authentication -> Authentication Override
Network -> Gateway -> <gateway> -> Agent -> Client Settings -> <profile> -> Authentication Override
01-11-2022 08:10 AM - edited 01-11-2022 10:18 AM
Oh my - you're right. Override-with-cookie business is there in the gateway: Generate Cookie for auth override and Accept cookie for auth override. Never noticed this. What's the likely implication of this? If I look at the logs for my own laptop GP auto VPN, no certificate is coming into play and it just works. But I see others where it is coming into play. Does it try the cookie if the certificate auth fails, perhaps?
01-11-2022 11:12 AM - edited 01-11-2022 11:23 AM
The client always seems to try the cookie first if it exists (at least in my testing; not sure if there is a GP client auth flowchart around). So if you have cookie generation on the Gateway, then whenever the GP client successfully auths to the gateway it will get a new cookie. When the GP client tries to reconnect to the gateway, either because of network disconnect, timeout, or VPN expiration, the client will try to reconnect to the gateway using the cookie. If that succeeds it gets a new cookie generated. If that fails it will try other auth methods. When the client tries to reconnect to the portal (every 24 hours by default, I believe), it will also try to use the same cookie from the gateway for auth. Since you don't have accept cookie on the portal, that will always fail.
From the System logs, you should be able to see where the portal and gateway are specifically generating/allowing/denying the cookie. Pay close attention to the Event field, it may be globalprotectportal-... or globalprotectgateway-..., but it all seems to blur together when I quickly look at it.
( subtype eq globalprotect ) and ( description contains 'cookie' )
There is a cookie lifetime on the portal and gateway auth override, but that seems to apply to the portal/gateway acceptance; the cookie seems to have an infinite lifetime on the client. Once given a cookie, the client will always try to use it until rebooted (I haven't found documentation or fully tested this, but it seems like what is happening).
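The reconnect behaviour described in this reply, written out as a small model so the "cookie first, then fall back" order and the resulting log noise can be seen end to end. This is an added example, not code from the thread or from Palo Alto Networks: the Endpoint/Client classes, the connect() decision order, and the event names and descriptions it emits are constructed for illustration (they are not real PAN-OS event identifiers or log text). The cookie_events() function applies the same condition as the System log filter quoted above, (subtype eq globalprotect) and (description contains 'cookie'), to the constructed records.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the thread's description: the gateway both generates
# and accepts the auth-override cookie, the portal does neither.
@dataclass
class Endpoint:
    kind: str                    # "portal" or "gateway"
    generate_cookie: bool        # "Generate Cookie for auth override"
    accept_cookie: bool          # "Accept cookie for auth override"
    cookie_lifetime_h: int = 24  # acceptance lifetime on the firewall side

@dataclass
class Client:
    cookie: Optional[str] = None  # the client keeps any cookie it was given
    cookie_age_h: int = 0
    has_cert: bool = True         # machine certificate is available
    log: list = field(default_factory=list)

def _log(client: Client, ep: Endpoint, event: str, description: str) -> None:
    # Constructed log record shape: event names are placeholders, not PAN-OS IDs.
    client.log.append({"subtype": "globalprotect",
                       "event": f"globalprotect{ep.kind}-{event}",
                       "description": description})

def connect(client: Client, ep: Endpoint) -> Optional[str]:
    """One connection attempt in the order the reply describes: cookie first
    if the client holds one, otherwise (or after a cookie failure) the machine
    certificate. Returns the method that succeeded, or None."""
    method = None
    if client.cookie is not None:
        if ep.accept_cookie and client.cookie_age_h <= ep.cookie_lifetime_h:
            _log(client, ep, "auth-success", "login succeeded using auth cookie")
            method = "cookie"
        else:
            reason = "cookie expired" if ep.accept_cookie else "cookie not accepted"
            _log(client, ep, "auth-fail", f"cookie authentication failed: {reason}")
    if method is None:
        if not client.has_cert:
            _log(client, ep, "auth-fail", "client certificate authentication failed")
            return None
        _log(client, ep, "auth-success", "login succeeded using client certificate")
        method = "certificate"
    if ep.generate_cookie:
        # Every successful gateway login hands the client a fresh cookie.
        client.cookie = f"cookie-{ep.kind}"
        client.cookie_age_h = 0
        _log(client, ep, "cookie-generated", "auth cookie generated for auth override")
    return method

def cookie_events(log: list) -> list:
    """Same condition as the quoted System log filter:
    (subtype eq globalprotect) and (description contains 'cookie')."""
    return [e for e in log
            if e["subtype"] == "globalprotect" and "cookie" in e["description"]]

def simulate():
    """Walk the scenario from the thread and return (attempts, full log)."""
    portal = Endpoint("portal", generate_cookie=False, accept_cookie=False)
    gateway = Endpoint("gateway", generate_cookie=True, accept_cookie=True)
    c = Client()
    attempts = []
    attempts.append(("portal-first", connect(c, portal)))        # no cookie yet: certificate
    attempts.append(("gateway-first", connect(c, gateway)))      # certificate, cookie issued
    attempts.append(("gateway-reconnect", connect(c, gateway)))  # cookie accepted, renewed
    c.cookie_age_h = 30                                          # older than gateway lifetime
    attempts.append(("gateway-stale", connect(c, gateway)))      # cookie fails, certificate
    attempts.append(("portal-refresh", connect(c, portal)))      # portal never accepts it
    return attempts, c.log

if __name__ == "__main__":
    attempts, log = simulate()
    for name, method in attempts:
        print(f"{name:18s} -> {method}")
    for e in cookie_events(log):
        print(e["event"], "|", e["description"])
```

Running it shows the pattern the reply predicts: the client still authenticates fine (certificate fallback works every time), but each reconnect with a held cookie against an endpoint that does not accept it, or whose acceptance lifetime has passed, leaves a cookie failure record before the certificate success. Turning the simulated gateway's generate_cookie off removes every cookie record.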