NGFW Global Protect 6.2.7 Global Counters Negotiation Error TLS 1.3 MAC-OS


Hello Livecommunity!

I'm facing an error with the Global Protect Agent 6.2.7 when an Apple Mac OS X 15.3.1 Sequoia tries to establish an SSL VPN connection with the Global Protect Portal. We see the following error on the DP CLI pcap global counters:

NGFW(active)> show counter global filter packet-filter yes delta yes
ssl_tls13_connection_error                 1        0 error     ssl       pktproc   TLS13: Unrecoverable error in openssl statemachine
sslv3 alert illegal parameter. Received fatal alert IllegalParameter from client


And these logs where the .193 is the Global Protect Portal IP address and the .170 is the Client public IP address:


NGFW DATA PLANE PCAP LOGS

DanielSRomero_0-1741003799243.png

Also, on the NGFW logs there are some decrypt errors on the traffic, and the decryption logs say "sslv3 alert illegal parameter. Received fatal alert Illegal Parameter from client" when the Mac-OS client tries to negotiate the SSL VPN connection with TLS 1.3.

When the client uses TLS 1.0 the decrypt error says "Client and decrypt profile version mismatch. Supported client version bitmask: 0x08. Supported decrypt profile version bitmask: 0x60. " as below:

NGFW DECRYPTION ERRORS TLS 1.0 & TLS 1.3

DanielSRomero_3-1741004715515.png

This is a pcap on the Mac-OS device, where the .193 is the Global Protect Portal IP address and the .108 is the Client private IP address.

MAC-OS DEVICE PCAP GLOBAL PROTECT AGENT CONNECTION

DanielSRomero_1-1741003799236.png


The Global Protect Agent on the Mac-OS says "The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect"

The openssl version on the Mac-OS is LibreSSL 3.3.6
The NGFW PAN-OS version is 11.1.5-h1
In the TLS/SSL Service Profile we allowed connections from TLS 1.2 to TLS 1.3. (We want to avoid TLS 1.0 connections)

Does anyone have an idea how to fix the Global Protect connection with the MAC device, or know the meaning of the logs?

Thanks for your time!
