Problems connecting to Globalprotect after users install latest windows Cumulative updates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problems connecting to Globalprotect after users install latest windows Cumulative updates

L1 Bithead

There seems to be a bit of an issue connecting to Globalprotect after our windows machines have the latest microsoft cumulative updates, KB5018410 (windows 10) and KB5018418 (windows 11).

Looking in reddit it looks like other users are seeing the same problem as well, anyone got any ideas on how to fix this going forward? The only way we've been able to get users to connect is by uninstalling the latest update.

I've raised a call with our partner support but havent got anything back yet.

 

thanks

53 REPLIES 53

L0 Member

We've installed KB5020435 on some test devices tonight and have had success connecting with Global Protect. We will roll it out to our IT groups for additional testing, but so far a positive result.

L0 Member

Today we re-issued the portal and gateway certificates with ECC-based certificates and it appears to have resolved the issue.

There is a big difference in the available cipher suites on Palo between RSA and Eliptic-Curve. My guess would be potential update has broken a handshake between one of the now legacy ciphers. It would be nice if Palo would give us more control over the available options, it also could be completely unrelated.

L1 Bithead

KB5020435 solved it 🙂

L1 Bithead

I still can't find solution for Windows 11, update from 17.10.2022 (KB5020387) doesn't help 

October 17, 2022—KB5020387 (OS Build 22000.1100) Out-of-band (microsoft.com)

Any Idea?

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-tls-handshake-failures-in-ou... seems to have taken care of everything except Windows 11 (22H2).  Has anyone found a solution/patch for that one?  It is listed as a "Preview version", so I'm afraid I'll have to wait a bit.  Also, has anyone seen an update provided by Palo Alto?   Thanks!

Any news about 22H2  WIndows 11 ??

L0 Member

I had 5 users who were hard down due to GP in always-on mode. I had to uninstall manually with regedit to allow uninstall, then reinstall GP.

Below KBs from MS for Windows 11 have helped resolve the issue for other customers. Please check which version are you running and then try to apply the patch accordingly. 
KB5020387 fixed Win11 21H2

KB5018496 fixed Win11 22H2

L3 Networker

The issue is related to the Azure SAML authentication. It was okay if the GP authenticated with the on-prem LDAP.

 

# Solution 1. Update the fixed KBs to the client systems.

1. Microsoft KB5020435 fixed the issue on Windows 10.
2. Microsoft KB5020387 fixed the issue on Win11 21H2
3. Microsoft KB5018496 fixed the issue on Win11 22H2

 

# Solution 2. Remove the installed KB5018410

If you want to fix the problem immediately, you can just remove this KB from the impacted system. However, the proper solution would be Solution 1 which is the bug fixes.

 

# Solution 3. Change the GP app configurations

'Use Default Browser for SAML Authentication' is set to No (by default).

If you change this option to Yes, you should be able to connect to the VPN. However, this change brings a browser pop-up window, and the user needs a few more clicks.

 

Hope this helps!

 

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.
  • 36058 Views
  • 53 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!