02-13-2025 09:50 AM
Hello,
so I have a strange issue.
For a setup we have a GP portal and gateway configured.
The authentication to both is an auth profile or sequence that involves sending a username and OTP token code to a RADIUS server.
The user has to enter both: one OTP for the portal login and then a different OTP for the gateway login.
I understood that enabling "generate auth cookie" on the portal and "accept auth cookie" on the gateway should prevent the double OTP requirement.
However, this does not seem to work at all. No matter what I configure, I always have to provide 2 OTPs when I log in.
I enter the portal OTP, I briefly see "retrieving portal config", then "find the best possible gateway", and then get prompted for a 2nd OTP.
On the firewall all these settings have been set:
generate auth cookie on the portal.
accept auth cookie on the gateway (using the same cert as the generate on the portal).
SSO on Windows has been set to no, as the user's logged-in name on the laptop is not the same as the GP username.
save username has been set in the portal.
On the portal I have tried all possible combinations of components requiring dynamic credentials on or off. No difference.
In the GlobalProtect logs on the firewall I see entries with event: portal-gen-cookie.
But afterwards I don't see that cookie getting used/presented anywhere.
In the system logs only auth events are seen with auth protocol "chap" towards the RADIUS server, never one with auth protocol cookie.
When collecting PanGPS logs I think this is where the issue is, but I have no idea why.
I think the cookie is created here:
(P6488-T10648)Debug( 169): 02/13/25 18:33:35:780 profileInfo username "john", profile path (null), server (null)
(P6488-T10648)Debug(2925): 02/13/25 18:33:35:786 Serialized portal user auth cookie to file C:\Users\"john"\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_"cookiefile".dat. 246 bytes.
(P6488-T10648)Debug(2710): 02/13/25 18:33:35:787 Serialize empty cookie for portal "portalurl" and pre-logon user
(P6488-T10648)Debug(2717): 02/13/25 18:33:35:788 SerializePortalPrelogonAuthCookie to file PanPPAC_"cookiefile2".dat
(P6488-T10648)Debug(10162): 02/13/25 18:33:35:788 Retrieved pre-logon-tunnel-rename-timeout value -1
(P6488-T10648)Debug(10170): 02/13/25 18:33:35:788 Retrieved user-switch-tunnel-rename-timeout value 0
And a bit later it seems the gateway doesn't find it?
(P6488-T20992)Debug(4101): 02/13/25 18:33:36:165 ----Gateway Login starts----
(P6488-T20992)Debug(13999): 02/13/25 18:33:36:165 Set to service bUseCCUserGateway 0 and ccUserNameGateway
(P6488-T20992)Debug(2182): 02/13/25 18:33:36:165 Update user name from to "john"
(P6488-T20992)Debug(6396): 02/13/25 18:33:36:165 OtpSaveCredential is save_username
(P6488-T20992)Debug(6434): 02/13/25 18:33:36:165 External network gateway without OTP authentication
(P6488-T20992)Debug(6497): 02/13/25 18:33:36:165 Need to prompt user enter gateway credential. Set dpgc to true.
(P6488-T20992)Debug( 41): 02/13/25 18:33:36:166 Roaming profile is false
(P6488-T20992)Debug( 169): 02/13/25 18:33:36:173 profileInfo username "john", profile path (null), server (null)
(P6488-T20992)Debug(2813): 02/13/25 18:33:36:176 Unserialized empty cookie for portal "portalurl" and user "john"
(P6488-T20992)Debug(2742): 02/13/25 18:33:36:176 Unserialized empty cookie for portal "portalurl" and pre-logon user.
(P6488-T20992)Debug(4167): 02/13/25 18:33:36:176 bIsEmptyUser is 0, bDPGCforManualOnlyGateway is 0, bDPGCNotforManualOnlyGateway is 0
(P6488-T20992)Debug(4172): 02/13/25 18:33:36:176 Collect user credential for gateway "portalurl" username "john", ccUsername , IsExtDPGC 0, IsIntDPGC 0, IsManualOnlyGateway 0, not connecting to manual gateway
(P6488-T20992)Debug(4183): 02/13/25 18:33:36:176 Gateway user "john"
(P6488-T20992)Debug(6853): 02/13/25 18:33:36:176 Gateway auth method: credential, auth src: (null)
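As an added example (not part of the original post, and not Palo Alto Networks code), the following Python script parses PanGPS.log lines of the shape quoted above and checks the portal-cookie to gateway-login hand-off: did the portal phase write a user auth cookie file, did the gateway thread read back an empty cookie, and which auth method did the gateway login finally use. The sample log is constructed to mirror the post's lines, with a hypothetical portal name and cookie file name; the `"cookie"` value in `verdict()` is an assumed wording for the success path, since the post only shows the `credential` branch.

```python
"""Triage a PanGPS.log excerpt for the portal-cookie -> gateway-login hand-off.

Added example, not Palo Alto Networks code. Message texts are taken from the
PanGPS.log lines quoted in the forum post; the 'cookie' auth-method string is
an assumption for the success case.
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample modelled on the post's log lines (hypothetical portal/file names).
SAMPLE_LOG = r"""(P6488-T10648)Debug( 169): 02/13/25 18:33:35:780 profileInfo username john, profile path (null), server (null)
(P6488-T10648)Debug(2925): 02/13/25 18:33:35:786 Serialized portal user auth cookie to file C:\Users\john\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_abc.dat. 246 bytes.
(P6488-T10648)Debug(2710): 02/13/25 18:33:35:787 Serialize empty cookie for portal vpn.example.com and pre-logon user
(P6488-T20992)Debug(4101): 02/13/25 18:33:36:165 ----Gateway Login starts----
(P6488-T20992)Debug(6434): 02/13/25 18:33:36:165 External network gateway without OTP authentication
(P6488-T20992)Debug(6497): 02/13/25 18:33:36:165 Need to prompt user enter gateway credential. Set dpgc to true.
(P6488-T20992)Debug(2813): 02/13/25 18:33:36:176 Unserialized empty cookie for portal vpn.example.com and user john
(P6488-T20992)Debug(2742): 02/13/25 18:33:36:176 Unserialized empty cookie for portal vpn.example.com and pre-logon user.
(P6488-T20992)Debug(6853): 02/13/25 18:33:36:176 Gateway auth method: credential, auth src: (null)
"""

# "(P<pid>-T<tid>)<Level>(<code>): MM/DD/YY HH:MM:SS:mmm <message>"
LINE_RE = re.compile(
    r"^\((?P<proc>P\d+)-(?P<thread>T\d+)\)(?P<level>\w+)\(\s*(?P<code>\d+)\): "
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) (?P<msg>.*)$"
)
PUAC_RE = re.compile(r"Serialized portal user auth cookie to file (?P<path>.+?)\. (?P<size>\d+) bytes\.")
EMPTY_USER_COOKIE_RE = re.compile(r"Unserialized empty cookie for portal (?P<portal>\S+) and user (?P<user>\S+)")
AUTH_METHOD_RE = re.compile(r"Gateway auth method: (?P<method>\w+)")


@dataclass
class CookieHandoff:
    portal_cookie_bytes: Optional[int] = None   # size of the serialized PanPUAC file, if seen
    gateway_login_seen: bool = False
    gateway_thread: Optional[str] = None        # thread that logged "Gateway Login starts"
    gateway_loaded_empty_cookie: bool = False   # gateway thread read back an empty user cookie
    gateway_auth_method: Optional[str] = None   # e.g. "credential"


def parse(text: str) -> Iterator[dict]:
    """Yield one dict per line that matches the PanGPS log format; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def analyze(text: str) -> CookieHandoff:
    """Walk the log once and record the events relevant to cookie-based gateway auth."""
    h = CookieHandoff()
    for rec in parse(text):
        msg = rec["msg"]
        if (m := PUAC_RE.search(msg)):
            h.portal_cookie_bytes = int(m.group("size"))
        elif "----Gateway Login starts----" in msg:
            h.gateway_login_seen = True
            h.gateway_thread = rec["thread"]
        elif rec["thread"] == h.gateway_thread and EMPTY_USER_COOKIE_RE.search(msg):
            h.gateway_loaded_empty_cookie = True
        elif rec["thread"] == h.gateway_thread and (m := AUTH_METHOD_RE.search(msg)):
            h.gateway_auth_method = m.group("method")
    return h


def verdict(h: CookieHandoff) -> str:
    """Classify the hand-off; 'cookie' as an auth-method string is an assumption."""
    if not h.gateway_login_seen:
        return "no-gateway-login"
    if h.gateway_auth_method == "cookie":
        return "cookie-used"
    if h.portal_cookie_bytes and h.gateway_loaded_empty_cookie:
        # Portal phase wrote a cookie file, but the gateway phase found no usable
        # cookie in it and fell back to prompting: the post's symptom.
        return "cookie-written-but-empty-at-gateway"
    if h.portal_cookie_bytes is None:
        return "no-portal-cookie"
    return "cookie-not-used"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result)
    print("verdict:", verdict(result))
```

Run it against a real PanGPS.log by reading the file into `analyze()`; a `cookie-written-but-empty-at-gateway` verdict together with a `portal-gen-cookie` event on the firewall points at the cookie never reaching the client intact rather than at a mismatched gateway configuration.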
02-13-2025 10:43 AM
How many minutes old a cookie does your gateway accept as valid?
What PAN-OS and GP agent versions are you running? (There have been some bugs in the past that caused 2x OTP even with correct config.)
02-13-2025 11:29 PM
The accept cookie lifetime is currently set to 30 minutes.
Regarding the GlobalProtect version on Windows machines, I've tested with a number of versions; all have the same issue: 6.1.1, 6.2.3, 6.2.7.
The firewall itself is currently running version 10.1.13.
02-14-2025 06:15 AM
Monitor > Logs > GlobalProtect
Is portal-gen-cookie success?
Does gateway-auth try to use Cookie as auth method?
If it does and fails then what does ERROR column say about failure reason?
02-14-2025 06:37 AM - edited 02-14-2025 06:44 AM
That is just the strange thing.
I do see portal-gen-cookie.
The attached screenshot is from when I also activated generate cookie on the gateway, so I even see gateway-gen-cookie.
But afterwards I don't see any attempts or errors trying to use a cookie, which makes me think the error is somewhere on the GP client side, in providing or looking up the generated cookie.
02-14-2025 06:46 AM
If you look at GP release notes and search for "cookie" you see many different bugs over times (https://docs.paloaltonetworks.com/globalprotect/6-2/globalprotect-app-release-notes/globalprotect-ad...).
Try to log out from GlobalProtect on agent Settings page and log in again.
If this does not fix it then open case with support to analyze.
03-12-2025 02:00 AM
It took some time, and afterwards I forgot to come back here and mark your answer as the solution.
But there was indeed a bug in that PAN-OS version, 10.1.13:
PAN-248651 - Fixed a GlobalProtect issue that prevented the firewall from sending authentication cookies.
And the fix versions are
10.1.14, 10.1.13-h1.
So despite the firewall logs showing that a cookie was generated on the firewall, it seems it is never sent correctly to the client, which also explains the GPA logs regarding an empty cookie and the issue.