10-12-2022 10:42 AM
There seems to be a bit of an issue connecting to GlobalProtect after our Windows machines have the latest Microsoft cumulative updates, KB5018410 (Windows 10) and KB5018418 (Windows 11).
Looking on Reddit, it looks like other users are seeing the same problem as well. Anyone got any ideas on how to fix this going forward? The only way we've been able to get users to connect is by uninstalling the latest update.
I've raised a call with our partner support but haven't got anything back yet.
Thanks
10-17-2022 09:50 PM
We've installed KB5020435 on some test devices tonight and have had success connecting with Global Protect. We will roll it out to our IT groups for additional testing, but so far a positive result.
10-17-2022 11:35 PM - edited 10-17-2022 11:42 PM
Today we re-issued the portal and gateway certificates with ECC-based certificates and it appears to have resolved the issue.
There is a big difference in the available cipher suites on Palo between RSA and Elliptic-Curve. My guess would be that the update has potentially broken a handshake between one of the now legacy ciphers. It would be nice if Palo would give us more control over the available options. It also could be completely unrelated.
10-18-2022 07:58 AM
KB5020435 solved it 🙂
10-19-2022 02:30 AM
I still can't find a solution for Windows 11; the update from 17.10.2022 (KB5020387) doesn't help.
October 17, 2022—KB5020387 (OS Build 22000.1100) Out-of-band (microsoft.com)
Any idea?
10-20-2022 01:53 PM
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-tls-handshake-failures-in-ou... seems to have taken care of everything except Windows 11 (22H2). Has anyone found a solution/patch for that one? It is listed as a "Preview version", so I'm afraid I'll have to wait a bit. Also, has anyone seen an update provided by Palo Alto? Thanks!
10-24-2022 04:53 AM
Any news about 22H2 Windows 11?
10-24-2022 01:45 PM
I had 5 users who were hard down due to GP in always-on mode. I had to uninstall manually with regedit to allow uninstall, then reinstall GP.
10-27-2022 02:19 PM - edited 10-27-2022 02:19 PM
The KBs below from MS for Windows 11 have helped resolve the issue for other customers. Please check which version you are running and then try to apply the patch accordingly.
KB5020387 fixed Win11 21H2
KB5018496 fixed Win11 22H2
10-28-2022 11:30 AM - edited 10-28-2022 11:48 AM
The issue is related to the Azure SAML authentication. It was okay if the GP authenticated with the on-prem LDAP.
# Solution 1. Update the fixed KBs to the client systems.
1. Microsoft KB5020435 fixed the issue on Windows 10.
2. Microsoft KB5020387 fixed the issue on Win11 21H2
3. Microsoft KB5018496 fixed the issue on Win11 22H2
# Solution 2. Remove the installed KB5018410
If you want to fix the problem immediately, you can just remove this KB from the impacted system. However, the proper solution would be Solution 1 which is the bug fixes.
# Solution 3. Change the GP app configurations
'Use Default Browser for SAML Authentication' is set to No (by default).
If you change this option to Yes, you should be able to connect to the VPN. However, this change brings a browser pop-up window, and the user needs a few more clicks.
Hope this helps!
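
Added example, not part of the thread or any poster's script: a PowerShell triage function that maps the KB numbers named in the replies above to a per-machine status. The function name, the status strings and the build-number mapping (19042-19045 for Windows 10, 22000 for Windows 11 21H2, 22621 for Windows 11 22H2) are assumptions of this example.

```powershell
# Added example. KB numbers come from the thread; the build-number mapping
# and the status names are assumptions of this example.
function Get-GpTlsPatchStatus {
    param(
        [Parameter(Mandatory)] [int] $Build,
        [string[]] $InstalledKb = @()
    )
    # Cumulative updates the thread reports as breaking GlobalProtect.
    $problemKb = @('KB5018410', 'KB5018418')
    # Fix KB per Windows release, as listed in the thread.
    $fixKb = switch ($Build) {
        { $_ -ge 19042 -and $_ -le 19045 } { 'KB5020435'; break }  # Windows 10
        22000 { 'KB5020387'; break }                                # Win11 21H2
        22621 { 'KB5018496'; break }                                # Win11 22H2
    }
    $badFound = @($InstalledKb | Where-Object { $problemKb -contains $_ })
    if (-not $fixKb) {
        $status = 'UnknownBuild'          # release not covered by the thread
    } elseif ($InstalledKb -contains $fixKb) {
        $status = 'FixInstalled'
    } elseif ($badFound.Count -gt 0) {
        $status = 'ProblemKbWithoutFix'   # candidate for Solution 1, 2 or 3
    } else {
        $status = 'FixNotListed'          # neither KB seen; check by hand
    }
    [pscustomobject]@{
        Build     = $Build
        FixKb     = $fixKb
        ProblemKb = $badFound -join ','
        Status    = $status
    }
}

# Constructed sample inventory (not real machines).
Get-GpTlsPatchStatus -Build 19044 -InstalledKb 'KB5018410'
Get-GpTlsPatchStatus -Build 22000 -InstalledKb 'KB5018418', 'KB5020387'
Get-GpTlsPatchStatus -Build 22621 -InstalledKb 'KB5018496'

# On a live Windows client, feed it the local values instead:
# $os = Get-CimInstance Win32_OperatingSystem
# Get-GpTlsPatchStatus -Build ([int]$os.BuildNumber) -InstalledKb (Get-HotFix).HotFixID
```

A later cumulative update can supersede the fix KB, in which case `Get-HotFix` may no longer list it and the status reads `FixNotListed`; confirm those machines by hand.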