- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-12-2022 10:42 AM
There seems to be a bit of an issue connecting to Globalprotect after our windows machines have the latest microsoft cumulative updates, KB5018410 (windows 10) and KB5018418 (windows 11).
Looking in reddit it looks like other users are seeing the same problem as well, anyone got any ideas on how to fix this going forward? The only way we've been able to get users to connect is by uninstalling the latest update.
I've raised a call with our partner support but havent got anything back yet.
thanks
10-12-2022 11:30 AM
Solution 1:
We have tried to remove the portal configuration from the global protect the app and re-add it and fixed the issue.
Solution 2:
Then we removed the below two files from the PAN folder in windows.
C:\Program Files\Palo Alto Networks\GlobalProtect
Delete the PANPPAC_xxxxxx
Solution 3:
Revert the Microsoft patch's last option.
10-12-2022 12:36 PM
I appreciate the heads up on this. I installed the Win10 October CU and am not having the issue. My GP version is 5.2.10-6. I'm running 10.0.11-h1. We use SAML as our Portal Auth and Gateway auth. I'm curious what are the factors leading to this issue.
10-12-2022 01:52 PM
Cheers, I tried the first 2 solutions you proposed but they didn't work for us unfortunatly. Only thing that works at the moment is reverting the latest patch.
10-12-2022 02:56 PM
Problems here too. I will try the solutions suggested and come back.
10-12-2022 03:14 PM
Option 3 is the only solution that worked for us. Solutions 1 & 2 had no effect.
10-12-2022 03:28 PM
(P5068-T7268)Debug(2133): 10/12/22 19:48:31:395 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit).
(P5068-T7268)Debug(2370): 10/12/22 19:48:31:395 open http session. agent is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit)
(P5068-T7268)Debug(2133): 10/12/22 19:48:31:396 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit).
(P5068-T7268)Debug( 469): 10/12/22 19:48:31:400 winhttp SetSecureProtocol, hSession=2fd17910, bAllProtocol=0, gbFips=0
(P5068-T7268)Debug(2133): 10/12/22 19:48:31:400 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.0-58 (Microsoft Windows 10 Pro , 64-bit).
(P5068-T7268)Debug( 469): 10/12/22 19:48:31:400 winhttp SetSecureProtocol, hSession=2fd1b170, bAllProtocol=0, gbFips=0
(P5068-T7268)Debug(1799): 10/12/22 19:48:31:402 SetProxyForHost(https://**portaladdressredacted**/): timeout:60 AutoDetect:1 url: proxy: bypass: proxystr:
(P5068-T7268)Debug(7335): 10/12/22 19:48:31:416 ----Portal Pre-login starts----
(P5068-T15688)Debug(5615): 10/12/22 19:48:31:416 CaptivePortalDetectionThread: IsDetectingCaptivePortal=1, PreLoginIsDone=0
(P5068-T15688)Debug(5592): 10/12/22 19:48:31:416 CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(P5068-T7268)Debug( 564): 10/12/22 19:48:31:432 Network is reachable
(P5068-T7268)Debug(7375): 10/12/22 19:48:31:433 Pre-login...,verifyportalcert=yes
(P5068-T7268)Debug(11649): 10/12/22 19:48:31:433 Check cert of server 27.32.130.102
(P5068-T7268)Debug(11664): 10/12/22 19:48:31:434 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P5068-T7268)Debug( 859): 10/12/22 19:48:31:434 SSL connecting to 27.32.130.102
(P5068-T7268)Debug( 564): 10/12/22 19:48:31:451 Network is reachable
(P5068-T7268)Debug(1341): 10/12/22 19:48:31:489 Failed to X509_LOOKUP_load_file
(P5068-T7268)Debug(1178): 10/12/22 19:48:31:489 Name **portaladdressredacted** matches pattern **domainredacted**
(P5068-T7268)Debug(1026): 10/12/22 19:48:31:489 Hostname **portaladdressredacted** matches sub alt name **domainredacted**
(P5068-T7268)Debug(1417): 10/12/22 19:48:31:489 OpenSSL alert write⚠️close notify
(P5068-T7268)Debug(2829): 10/12/22 19:48:31:490 encpostdata, encpostdata=000001A230528610, encpostdatalen=192
(P5068-T7268)Debug(3036): 10/12/22 19:48:31:490 REQID=9,IPADDR=**portaladdressredacted**,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=1,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=1,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(P5068-T7268)Debug(1978): 10/12/22 19:48:31:490 Send response to client for request https_request
(P5068-T7268)Debug(3146): 10/12/22 19:48:31:598 receive pan_msg_ping, 3
(P5068-T7268)Debug(3146): 10/12/22 19:48:31:708 receive pan_msg_ping, 3
(P5068-T7268)Debug(3197): 10/12/22 19:48:31:710 GetHttpsResponse error is WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR,winhttpObj, error! ipaddress **portaladdressredacted**
bRetryWithoutCert is 0, bClientCertNeeded=0
(P5068-T7268)Debug(7499): 10/12/22 19:48:31:710 prelogin to portal result is
(null)
(P5068-T7268)Debug(7811): 10/12/22 19:48:31:710 Failed to pre-login to the portal **portaladdressredacted** with return value 0(0).
(P5068-T7268)Info (10489): 10/12/22 19:48:31:710 Portal config does not exist, try registry/plist
(P5068-T7268)Info (8675): 10/12/22 19:48:31:710 failed to retrieve value of the tag version.
(P5068-T7268)Debug(8686): 10/12/22 19:48:31:710 Failed to get portal config from portal **portaladdressredacted**.
(P5068-T7268)Debug(8728): 10/12/22 19:48:31:710 Try to restore last portal config from file.
10-13-2022 06:06 AM
It looks like, nobody cares about this Issue 😞
10-13-2022 07:54 AM
Hello!
I had no problem connecting via GP version 5.2.11-10 and Cumulative update KB5018418 (windows 11).
Can you confirm what GP version you were running and try 5.2.11-10 and see if that works?
Thanks
10-13-2022 10:32 AM - edited 10-13-2022 10:34 AM
This issues seems to specifically happen with SSO Authentication such SAML integration. We are running clients 5.2.12 and 6.1 and both have the issue that pop up the SSO page. In my lab clients that are using LDAP or Kerberos Authentication don't seem to be experiencing the issues. Reverting the patch fixes the issue for us.
I'm testing changing what browser does authentication to system default (chrome) to see if this makes a difference. I'm not sure that I can get an updated config file from the portal as I'm not sure if this is downloaded before or after authentication.
10-13-2022 10:32 AM
3rd option worked for my customer.
10-13-2022 10:35 AM
Interesting. This might be related to a change Microsoft made to the default browser and Edge. I found out the hard way awhile ago if you completely remove/disable Edge from a system it completely breaks GP. GP relies on Edge for portal/SAML/Auth. It is irrelevant to what the default browser is set to.
10-13-2022 10:53 AM
There's some discussion on Reddit about having TLS 1.2 as the minimum in the SSL/TLS profile for your gateway and portal. Can anyone who's having the problem confirm the min. TLS version in their setups?
10-13-2022 10:56 AM
So our users are starting to experience this issue also. We were running a much older 4.1.6-12 GP Client on Windows x64. But even after upgrading the GP Client to 6.10.0 we still have the same connection issues. If we remove the KB5018410 from the client computer they can connect just fine. I do think it has to do with the Global Protect authentication. We use LDAP (active-directory) to authenticate our Global Protect users and are having issues. However, I can connect to some of my clients who are using Palo Alto with Global Protect and it will connect just fine even with the KB5018410 installed, however they just use local users configured on the firewall for Global Protect authentication.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!