Problems connecting to GlobalProtect after users install latest Windows cumulative updates



L1 Bithead

There seems to be a bit of an issue connecting to GlobalProtect after our Windows machines have the latest Microsoft cumulative updates, KB5018410 (Windows 10) and KB5018418 (Windows 11).

Looking on Reddit, it looks like other users are seeing the same problem as well. Anyone got any ideas on how to fix this going forward? The only way we've been able to get users to connect is by uninstalling the latest update.

I've raised a call with our partner support but haven't got anything back yet.

Thanks

53 REPLIES

Interesting and thanks for clarifying as our certificate is 366 days.  I will see about getting this regenerated and see if it makes a difference.

The only other thing I had done prior to installing the updated certificate was to go into Device->Certificate Management->SSL/TLS Service Profile and change my service profile from Min Version TLSv1.0 to TLSv1.2, leaving the max version at Max, and commit it, but that did not fix the issue. So then I generated a new GoDaddy cert, installed it and committed it, and it started working. So then I went back and changed the min version back to TLSv1.0 and committed that, and it was still working.

Also, I just want to clarify that I updated the certificate installed on the Palo Alto that is used in my SSL/TLS Service Profile; that profile is then used by my Global Protect Portals and also for the public-facing Global Protect portal. I don't require the Global Protect clients to have a certificate installed, which I think is an additional security option. This is the certificate that would show up in the developer tools if you went to https://yourportaldnsname in a browser. My original one was still valid until 10/24/2022, but it was created on 9/22/2021, so while it was still valid it was issued more than 365 days ago. But maybe messing with the min version setting in the TLS profile did something, even though I set it back to the way it was?

L1 Bithead

After 5 days, we really don't have an official statement about the issue?

L0 Member

Within my support case the engineer acknowledged they are looking into it; that is as far as they were willing to go, it seems.

I've made most of the recommended changes without luck: TLS1.2/Max, new cert, most versions of GPVPN released in the past year, etc., and not much progress.

L1 Bithead

We're supporting a few customers.
Since the Windows 10 update, I can connect from the same Global Protect client to Palo Alto customer1, but not to customer2.
Both have official *.domain certificates from the same issuer.
When connecting to customer1, a part of the certificate is shown in PanGPA.log and a file "C:\Users\xxx\AppData\Local\Palo Alto Networks\GlobalProtect\ServerCert.pan" is written.
But with customer2 we see this "Server cert query failed with error 12019" in PanGPA.log.
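
Added example, not part of any post above and not Palo Alto Networks code: a read-only PowerShell triage that checks one endpoint for the symptoms reported in this thread (the two KBs, the error 12019 log line, and whether ServerCert.pan was written). It assumes PanGPA.log sits in the same per-user folder as ServerCert.pan; the `-GpDir` parameter and the output property names are made up for this illustration.

```powershell
# Added example (not from the thread): read-only triage on one Windows endpoint.
# Assumption: PanGPA.log is in the same per-user folder as ServerCert.pan.
param(
    [string]$GpDir = (Join-Path $env:LOCALAPPDATA 'Palo Alto Networks\GlobalProtect')
)

$kbIds     = 'KB5018410', 'KB5018418'   # cumulative updates named in the thread
$errorText = 'Server cert query failed with error 12019'
$logPath   = Join-Path $GpDir 'PanGPA.log'
$certPath  = Join-Path $GpDir 'ServerCert.pan'

# Which of the two updates are installed, and when was the latest one applied?
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbIds -contains $_.HotFixID })
$kbDate = $installed | Where-Object InstalledOn |
    Sort-Object InstalledOn | Select-Object -Last 1 -ExpandProperty InstalledOn

# Literal (non-regex) search of the agent log for the error string
$hits = @()
if (Test-Path -LiteralPath $logPath) {
    $hits = @(Select-String -LiteralPath $logPath -SimpleMatch -Pattern $errorText)
}

# Per the post above, ServerCert.pan is written when the certificate query works
$cert = Get-Item -LiteralPath $certPath -ErrorAction SilentlyContinue

# One object per endpoint, so results from many machines can be collected to CSV.
# InstalledOn is date-only, so CertOlderThanUpdate is a coarse comparison.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    InstalledKBs        = $installed.HotFixID -join ', '
    LatestKBInstalledOn = $kbDate
    LogFound            = Test-Path -LiteralPath $logPath
    Error12019Count     = $hits.Count
    LastError12019Line  = if ($hits.Count) { $hits[-1].Line.Trim() }
    ServerCertWritten   = if ($cert) { $cert.LastWriteTime }
    CertOlderThanUpdate = [bool]($cert -and $kbDate -and $cert.LastWriteTime -lt $kbDate)
    MatchesThread       = [bool]($installed.Count -and $hits.Count)
}
```

Pass `-GpDir` to point the script at a folder of logs collected from a user's machine; `MatchesThread` only means both symptoms are present, not that the update is the cause.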
