Issues with GlobalProtect 6.3.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Issues with GlobalProtect 6.3.0

L2 Linker

After upgrade to 6.3.0 i am unable to login to GP from 2 different portals and gateways.

on first attempt got the browser page and the Okta authentication successful.

then another login window popped up but blank and gray and client popup says connecting for the past 15 minutes.

With 6.1.4 the second window i had to perform a second login process and okta verification.

I was hoping the use of Edge woud not need the second window.

the Portals and gateways are on a pa5220 on two different vendors and interfaces.

disconnecting and reconnecting only duplicated the blank window.

 

Manny C
Sr. Network Engineer
1 accepted solution

Accepted Solutions

L2 Linker

I did open a support case for this issue along with issues with earlier releases 6.1.4 has dual logon and 6.1.5 has the blank screen the same as the 6.3.0 agents. the 6.3 was never resolved on its own but the 6.1.4 solution resoled both the 6.3 and th4 6.1.5 issues.

here is the solution from TAC for the dual logon issue which remove the second blank login screen.

Support solution!!!!!!!!!!!!!

I understand that you want to understand why a GlobalProtect user is prompted twice to put in credentials. Want to see how to bypass or avoid the second prompt.

In SAML having both options (Generate and accept cookies) enabled on portal and gateway may cause login errors due to the double SAML assertions.

Generate cookie on both Portal and Gateway, but accept it on Portal only
Use case: to avoid double authentication when gateway is using same authentication profile, but here gateway can “refresh” the cookie as well; this means that we can avoid re-authenticating to Portal when cookie expires.

When you have a chance can you please make this change on the gateway and run another test?

How to generate cookies on GlobalProtect Portal and use cookies for Gateway Authentication
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

Manny C
Sr. Network Engineer

View solution in original post

2 REPLIES 2

Community Team Member

Hi @MannyCosta ,

 

GP 6.3.0 is a new release and still under monitoring status.

I'd recommend grabbing the GP debug files and open a support case for the behaviour you're seeing.

 

You can find the recommended releases on the release guidance page:

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L2 Linker

I did open a support case for this issue along with issues with earlier releases 6.1.4 has dual logon and 6.1.5 has the blank screen the same as the 6.3.0 agents. the 6.3 was never resolved on its own but the 6.1.4 solution resoled both the 6.3 and th4 6.1.5 issues.

here is the solution from TAC for the dual logon issue which remove the second blank login screen.

Support solution!!!!!!!!!!!!!

I understand that you want to understand why a GlobalProtect user is prompted twice to put in credentials. Want to see how to bypass or avoid the second prompt.

In SAML having both options (Generate and accept cookies) enabled on portal and gateway may cause login errors due to the double SAML assertions.

Generate cookie on both Portal and Gateway, but accept it on Portal only
Use case: to avoid double authentication when gateway is using same authentication profile, but here gateway can “refresh” the cookie as well; this means that we can avoid re-authenticating to Portal when cookie expires.

When you have a chance can you please make this change on the gateway and run another test?

How to generate cookies on GlobalProtect Portal and use cookies for Gateway Authentication
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

Manny C
Sr. Network Engineer
  • 1 accepted solution
  • 1899 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!