Problems connecting to Globalprotect after users install latest windows Cumulative updates

The only other thing I had done prior to installing the updated certificate was to go in to the Device->Certificate Management->SSL/TLS Service Profile and changed my service profile from Min Version TLSv1.0 to TLSv1.2 and had left the max version at Max and commit it but that did not fix the issue.  So then I generated a new go daddy cert and installed it and committed it and it started working.  So then I went back and changed the min version back to TLSv1.0 and committed that and it was still working.  Also I just want to clarify that I updated the certificate that is installed on the Palo Alto that is used in my SSL/TLS Service Profile which that profile is then used by my Global Protect Portals and also for the public facing Global Protect portal.  I don't require the global protect clients to have a certificate installed which I think is an additional security option.  This is the certificate that if you went to https://yourportaldnsname in a browser would show up in the developer tools.  My original one was still valid until 10/24/2022 but it was created on 9/22/2021 so while it was still valid it was issued more than 365 days ago.  But maybe messing with the min version setting in the tls profile did something even though I set it back to the way it was?

Great info to know, thanks for sharing!   Can you share any details on the PAN-OS versions and the SSL/TLS profiles used at each customer?

If you browse to the portal address of your clients portal that is not working with google chrome does the portal site come up properly giving you the login option?  if so if you go to the developer tools  by hitting F12 and then select the Security option in developer tools and view the certificate what is the issue date and expiration date?  Are they more than 365 days apart?  If so get a new updated cert that is only good for one year.  That was my issue that fixed it.  For additional info my PAN OS version 10.2.1 and I had the issue with global protect clients 4.1.6-12 and also with the latest version of the global protect client 6.1.0 after I got a new cert everything started working for both versions of the global protect client and my SSL/TLS Service Profile under Device->Certificate Management is set to Min Version :TLSv1.0 and Max Version: Max

You might be able to figure something out by installing Wireshark on a computer with the Windows Update installed an then remove the update.  Just load wireshark and then try to connect to the VPN portal that is not working and then right click on some of of the traffic to that portals IP address and filter it to that address.  Then screen shot it and then remove the windows update and have it try and connect again and compare.  Attached is a side by side comparison of the wireshark outputs that I did (with my portal IP redacted) that got me thinking about the certs.

you will see that the machine with the update installed tries to connect to the portal with TLSv1.2 so that's good but it is not successful so then it tries to drop to TLSv1 which would definitely not work.  where on the right hand side I had a machine where I had removed the update and you see it tries to connect TLSv1.2 and then it exchanges client keys which tipped me off that something had to be wrong with the certificate. And after changing the cert I was totally fine.

You could also export the debug logs out of your global protect client under settings and troubleshooting and open the zip file it exports and look in the PanGPS.log file at the bottom which would show you the last connection.  I am also attaching a side by side comparison of those logs.  You will see in the left panel where the windows update is installed it does not actually get to the prelogin and instead gives a WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL error.

Hopefully this helps you.

I reissued my cert to only have a 364-day life span, but no luck.  Any patched machine will show a Connection Failed.  I really wish I had some update so I knew if I was going to have to replace SAML, or anything that will let me patch my laptops.  My user base has been great so far, but that will only last so long.

See my reply to ChrisCon2355 above and check out the screen shots.  What do you see if you install wireshark on one of the patched machines?  Do you see it trying using TLS 1.2 and then dropping down?  Also what about your logs from the global protect client? Do you see a WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL error?  wondering what else might be causing your issue. 

What about your SSL/TLS Service Profile on the firewall under Device->Certificate Management is set to Min Version :TLSv1.0 and Max Version: Max? or do you have a lower max version forcing the clients to use TLS 1.0 or TLS 1.1 that Microsoft is now disabling in that update?

I have my Min TLS at 1.2 and Max is Max.  I do not see "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL" error.  We are using SAML to Azure for Auth

This is just before failure:

receive pan_msg_ping, 3

receive pan_msg_ping, 3

Successful connection:

receive pan_msg_ping, 1

Portal config digest matched

@pontim Our configuration is almost identical to yours other than we are using SAML 2.0 against Azure Enterprise application in combination with certificates for pre-login/always-on.  Interestingly enough, our issue doesn't seem to be cropping up when connecting externally, but internally when a laptop is connected to the corporate LAN and tries to authenticate against the portal trying to pull the latest configuration. 

Seems to impact internal LAN and outside users in my case. Forcing TLS 2.0, Okta SAML for auth, latest client in GP 5 update train. Only fix this far is to remove the problem KB. All messing with certs and registry settings has done nothing to change situation.