Problems connecting to Globalprotect after users install latest windows Cumulative updates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problems connecting to Globalprotect after users install latest windows Cumulative updates

L1 Bithead

There seems to be a bit of an issue connecting to Globalprotect after our windows machines have the latest microsoft cumulative updates, KB5018410 (windows 10) and KB5018418 (windows 11).

Looking in reddit it looks like other users are seeing the same problem as well, anyone got any ideas on how to fix this going forward? The only way we've been able to get users to connect is by uninstalling the latest update.

I've raised a call with our partner support but havent got anything back yet.

 

thanks

53 REPLIES 53

L0 Member

Solution 1:

 

We have tried to remove the portal configuration from the global protect the app and re-add it and fixed the issue.

 

Solution 2:

Then we removed the below two files from the PAN folder in windows.


C:\Program Files\Palo Alto Networks\GlobalProtect

Delete the PANPPAC_xxxxxx

 

Solution 3:

 

Revert the Microsoft patch's last option.

L0 Member

I appreciate the heads up on this.  I installed the Win10 October CU and am not having the issue.  My GP version is 5.2.10-6.  I'm running 10.0.11-h1.  We use SAML as our Portal Auth and Gateway auth.  I'm curious what are the factors leading to this issue. 

Cheers, I tried the first 2 solutions you proposed but they didn't work for us unfortunatly.  Only thing that works at the moment is reverting the latest patch.

L1 Bithead

Problems here too. I will try the solutions suggested and come back.

 

https://www.reddit.com/r/sysadmin/comments/y0z1xa/comment/is098qs/?utm_source=share&utm_medium=web2x...

Option 3 is the only solution that worked for us. Solutions 1 & 2 had no effect.

L1 Bithead

(P5068-T7268)Debug(2133): 10/12/22 19:48:31:395 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit).
(P5068-T7268)Debug(2370): 10/12/22 19:48:31:395 open http session. agent is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit)
(P5068-T7268)Debug(2133): 10/12/22 19:48:31:396 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit).
(P5068-T7268)Debug( 469): 10/12/22 19:48:31:400 winhttp SetSecureProtocol, hSession=2fd17910, bAllProtocol=0, gbFips=0
(P5068-T7268)Debug(2133): 10/12/22 19:48:31:400 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit).
(P5068-T7268)Debug( 469): 10/12/22 19:48:31:400 winhttp SetSecureProtocol, hSession=2fd1b170, bAllProtocol=0, gbFips=0
(P5068-T7268)Debug(1799): 10/12/22 19:48:31:402 SetProxyForHost(https://**portaladdressredacted**/): timeout:60 AutoDetect:1 url: proxy: bypass: proxystr:
(P5068-T7268)Debug(7335): 10/12/22 19:48:31:416 ----Portal Pre-login starts----
(P5068-T15688)Debug(5615): 10/12/22 19:48:31:416 CaptivePortalDetectionThread: IsDetectingCaptivePortal=1, PreLoginIsDone=0
(P5068-T15688)Debug(5592): 10/12/22 19:48:31:416 CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(P5068-T7268)Debug( 564): 10/12/22 19:48:31:432 Network is reachable
(P5068-T7268)Debug(7375): 10/12/22 19:48:31:433 Pre-login...,verifyportalcert=yes
(P5068-T7268)Debug(11649): 10/12/22 19:48:31:433 Check cert of server 27.32.130.102
(P5068-T7268)Debug(11664): 10/12/22 19:48:31:434 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P5068-T7268)Debug( 859): 10/12/22 19:48:31:434 SSL connecting to 27.32.130.102
(P5068-T7268)Debug( 564): 10/12/22 19:48:31:451 Network is reachable
(P5068-T7268)Debug(1341): 10/12/22 19:48:31:489 Failed to X509_LOOKUP_load_file
(P5068-T7268)Debug(1178): 10/12/22 19:48:31:489 Name **portaladdressredacted** matches pattern **domainredacted**
(P5068-T7268)Debug(1026): 10/12/22 19:48:31:489 Hostname **portaladdressredacted** matches sub alt name **domainredacted**
(P5068-T7268)Debug(1417): 10/12/22 19:48:31:489 OpenSSL alert write⚠️close notify
(P5068-T7268)Debug(2829): 10/12/22 19:48:31:490 encpostdata, encpostdata=000001A230528610, encpostdatalen=192
(P5068-T7268)Debug(3036): 10/12/22 19:48:31:490 REQID=9,IPADDR=**portaladdressredacted**,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=1,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=1,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(P5068-T7268)Debug(1978): 10/12/22 19:48:31:490 Send response to client for request https_request
(P5068-T7268)Debug(3146): 10/12/22 19:48:31:598 receive pan_msg_ping, 3
(P5068-T7268)Debug(3146): 10/12/22 19:48:31:708 receive pan_msg_ping, 3
(P5068-T7268)Debug(3197): 10/12/22 19:48:31:710 GetHttpsResponse error is WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR,winhttpObj, error! ipaddress **portaladdressredacted**
bRetryWithoutCert is 0, bClientCertNeeded=0
(P5068-T7268)Debug(7499): 10/12/22 19:48:31:710 prelogin to portal result is
(null)
(P5068-T7268)Debug(7811): 10/12/22 19:48:31:710 Failed to pre-login to the portal **portaladdressredacted** with return value 0(0).
(P5068-T7268)Info (10489): 10/12/22 19:48:31:710 Portal config does not exist, try registry/plist
(P5068-T7268)Info (8675): 10/12/22 19:48:31:710 failed to retrieve value of the tag version.
(P5068-T7268)Debug(8686): 10/12/22 19:48:31:710 Failed to get portal config from portal **portaladdressredacted**.
(P5068-T7268)Debug(8728): 10/12/22 19:48:31:710 Try to restore last portal config from file.

L1 Bithead

It looks like, nobody cares about this Issue 😞

L1 Bithead

Hello!

 

I had no problem connecting via GP version 5.2.11-10 and Cumulative update KB5018418 (windows 11).

Can you confirm what GP version you were running and try 5.2.11-10 and see if that works?


Thanks

For certain you have to be lost to find a place that can't be found. Elseways, everyone would know where it was.

L1 Bithead

I have GP 6.0.1 and it is failing for all of our users.  I'll see if I can get an older version.

 

Thanks

L4 Transporter

This issues seems to specifically happen with SSO Authentication such SAML integration.  We are running clients 5.2.12 and 6.1 and both have the issue that pop up the SSO page.  In my lab clients that are using LDAP or Kerberos Authentication don't seem to be experiencing the issues.  Reverting the patch fixes the issue for us.

 

I'm testing changing what browser does authentication to system default (chrome) to see if this makes a difference.  I'm not sure that I can get an updated config file from the portal as I'm not sure if this is downloaded before or after authentication.

3rd option worked for my customer.

Interesting. This might be related to a change Microsoft made to the default browser and Edge. I found out the hard way awhile ago if you completely remove/disable Edge from a system it completely breaks GP. GP relies on Edge for portal/SAML/Auth. It is irrelevant to what the default browser is set to.

For certain you have to be lost to find a place that can't be found. Elseways, everyone would know where it was.

L1 Bithead

There's some discussion on Reddit about having TLS 1.2 as the minimum in the SSL/TLS profile for your gateway and portal.  Can anyone who's having the problem confirm the min. TLS version in their setups?

L1 Bithead

So our users are starting to experience this issue also. We were running a much older 4.1.6-12 GP Client on Windows x64.  But even after upgrading the GP Client to 6.10.0 we still have the same connection issues.  If we remove the KB5018410 from the client computer they can connect just fine. I do think it has to do with the Global Protect authentication.  We use LDAP (active-directory) to authenticate our Global Protect users and are having issues.  However, I can connect to some of my clients who are using Palo Alto with Global Protect and it will connect just fine even with the KB5018410 installed, however they just use local users configured on the firewall for Global Protect authentication.

  • 36039 Views
  • 53 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!