[SOLVED] GPUDATE /FORCE DOESN'T WORK WITH GLOBAL PROTECT


Hello LiveCommunity Team!

I created this post to share my experience regarding an issue involving GlobalProtect users from Prisma Access who attempt to run gpupdate /force to update GPO policies from the DC server, and who encounter the following error:

CMD ERROR GPUPDATE /FORCE

C:\WINDOWS\system32>gpupdate /force

Updating policy...

User policy cannot be updated successfully due to the following errors:

Group policy cannot be processed because it cannot connect to a domain controller over the network. This condition may be temporary. A success message may be generated once the computer connects to the domain controller and the group policy is processed successfully. Contact your administrator.
- Given this error, I checked the GlobalProtect source IP logs and everything appeared to be allowed.

Then I tried pinging from an affected endpoint with a custom length of 1350 bytes and the DF ("Don't Fragment") bit set, and the ping was dropped with "fragmentation needed", as shown below:


PING TEST WITH 1350 BYTES



Then I tried it with 1300 bytes as the payload, and the ping works!

PING TEST WITH 1300 BYTES



So, as a test, I changed the Prisma Access GlobalProtect tunnel MTU to 1300 bytes (default is 1400 bytes) and the gpupdate /force command works!

PRISMA ACCESS GLOBAL PROTECT CONNECTION MTU ADJUSTMENT FROM 1400 TO 1300 BYTES


CMD GPUPDATE /FORCE SUCCESSFULLY

C:\Users\pcmolinaa>gpupdate /force
Updating policy...

The computer policy update completed successfully.


Conclusions:

- Some device in the path, most likely the on-premises NGFW, was dropping the LDAP packets because it has a lower MTU and the packets are sent with the DF bit set, which disables IP fragmentation and forces some peer to drop them.


Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful post; it would help me a lot in becoming a CyberElite!


Best Regards,


Daniel Romero
Senior Network/Security Engineer
PANW Partner

Prisma Access NGFW GlobalProtect 
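The manual probe in the post (a DF-bit ping at 1350 bytes fails, at 1300 bytes succeeds) can be turned into a repeatable sweep. The script below is an added example, not code from the post, from Palo Alto Networks, or from Prisma Access. It binary-searches the largest ICMP payload that crosses a path with DF set and converts it to the largest IP packet the path accepted, which is the ceiling for the GlobalProtect tunnel MTU. The OS ping command is used for real probes (Windows `ping -f -l`, Linux `ping -M do -s`, macOS `ping -D -s`); a simulated probe with a constructed 1360-byte path MTU stands in for the real path so the logic runs offline, and the hostname `dc01.example.internal` is a placeholder.

```python
"""Measure the effective path MTU with DF-bit pings, the way the post does by hand.

Added example, not part of the original post.  The 1360-byte simulated path MTU
and the hostname dc01.example.internal are constructed placeholders.
"""
import platform
import subprocess
from typing import Callable, Optional

IP_HEADER = 20                          # IPv4 header without options
ICMP_HEADER = 8                         # ICMP echo header
OVERHEAD = IP_HEADER + ICMP_HEADER      # packet on the wire = payload + 28 bytes
MAX_ETHERNET_PAYLOAD = 1500 - OVERHEAD  # 1472: largest unfragmented ping on plain Ethernet

Probe = Callable[[int], bool]           # payload size in bytes -> did the echo reply arrive?


def ping_probe(host: str, timeout_s: int = 2) -> Probe:
    """Build a probe that sends one ping with the Don't Fragment bit and the given payload.

    Any non-zero exit status counts as failure: no reply, Windows' "Packet needs to
    be fragmented but DF set", Linux' "Frag needed and DF set" or "message too long".
    """
    def probe(payload: int) -> bool:
        system = platform.system()
        if system == "Windows":
            cmd = ["ping", "-f", "-l", str(payload), "-n", "1", "-w", str(timeout_s * 1000), host]
        elif system == "Darwin":
            cmd = ["ping", "-D", "-s", str(payload), "-c", "1", host]
        else:  # Linux and other iputils-style pings
            cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", str(timeout_s), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0
    return probe


def simulated_probe(path_mtu: int) -> Probe:
    """Constructed stand-in for a real path: the echo succeeds only if the whole
    IP packet (payload + 28) fits within path_mtu.  Used for the offline demo."""
    return lambda payload: payload + OVERHEAD <= path_mtu


def max_df_payload(probe: Probe, lo: int = 0, hi: int = MAX_ETHERNET_PAYLOAD) -> Optional[int]:
    """Binary search for the largest payload in [lo, hi] that the probe accepts.

    Relies on MTU behaviour being monotonic (if N bytes pass, N-1 passes too).
    Returns None when even `lo` fails, so an unreachable host or an ICMP filter
    is reported as such instead of being mistaken for a tiny MTU.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Largest IP packet that crossed the path: payload plus IP and ICMP headers."""
    return payload + OVERHEAD


def measure(probe: Probe) -> dict:
    """Run the sweep and report the ceiling for the tunnel MTU.

    The GlobalProtect tunnel MTU must not exceed path_mtu; the post rounded
    down from a measured 1328+ to a conservative 1300.
    """
    payload = max_df_payload(probe)
    if payload is None:
        return {"reachable": False}
    return {"reachable": True, "max_payload": payload, "path_mtu": path_mtu_from_payload(payload)}


if __name__ == "__main__":
    # Offline demo on the constructed 1360-byte path.
    print(measure(simulated_probe(1360)))
    # Against a real domain controller (placeholder name), run instead:
    # print(measure(ping_probe("dc01.example.internal")))
```

Run it from an affected endpoint against the DC it is failing to reach; `path_mtu` is the largest inner packet the path carried, and the tunnel MTU should be set at or below that value. A `reachable: False` result means the smallest probe was dropped too, which points at ICMP being filtered or the host being down rather than at fragmentation.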
