Global Protect Mac-OS Received fatal alert IllegalParameter from client


L1 Bithead

Hello team,

I have an issue with the Global Protect 6.2.7 app running on an Apple Mac OS X Sequoia 15.3.1 in the SSL negotiation process.

The error in Global Protect says "The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect."

In the NGFW logs I see some decrypt errors on the traffic, and the decryption logs say "sslv3 alert illegal parameter. Received fatal alert IllegalParameter from client" when the Mac-OS client tries to negotiate the SSL connection with TLS 1.3.

When the client uses TLS 1.0 the decrypt error says "Client and decrypt profile version mismatch. Supported client version bitmask: 0x08. Supported decrypt profile version bitmask: 0x60." as below:

NGFW DECRYPTION ERRORS TLS 1.0 & TLS 1.3

DanielSRomero_0-1740714068271.png

I imported the Global Protect certificate on the Mac OS and the issue is still there.

I verified the TLS/SSL Service Profile configured for Global Protect and I see that it only allows connections with TLS 1.2 and higher. However, why does the Global Protect SSL connection fail even with TLS 1.3 negotiation?

NGFW GLOBAL PROTECT SSL/TLS SERVICE PROFILE

DanielSRomero_1-1740714215213.png

I configured a pcap to try to find extra information about the issue, and I see that the TCP 3-way handshake is completed between the NGFW Global Protect and the client Global Protect app. However, sometimes the Mac-OS tries to negotiate with TLS 1.0 or TLS 1.3 and the NGFW sends a TCP RST to finish the session.

NGFW GLOBAL PROTECT TLS1.0 NEGOTIATION

DanielSRomero_2-1740714813788.png


FROM NGFW GLOBAL PROTECT TLS1.0 NEGOTIATION ERROR

DanielSRomero_3-1740714853802.png


NGFW GLOBAL PROTECT TLS1.3 NEGOTIATION (AT THE END THE NGFW SENDS A TCP RST TO THE GLOBAL PROTECT CLIENT APP)

DanielSRomero_4-1740714987441.png


Does anyone else have the same issue and know how to fix it?

I appreciate your time and help,

Best Regards,
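
An added example for reading captures like the ones described above (not part of the original post, and not Palo Alto Networks code): a ClientHello states a version in three places, and under RFC 8446 a TLS 1.3 client lists what it really offers in the `supported_versions` extension while the record header and `legacy_version` carry older values for compatibility. The sample bytes are constructed by the hypothetical helper `build_sample`, not taken from the poster's pcap.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def name(v: int) -> str:
    return NAMES.get(v, hex(v))  # unknown/GREASE values are shown as hex

def client_hello_versions(record: bytes) -> dict:
    """Return the three places where a ClientHello states a TLS version."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 11 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:5 + rec_len]           # skip record (5) and handshake (4) headers
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                           # legacy_version + random
    pos += 1 + body[pos]                   # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]                   # compression_methods
    offered = []
    if pos + 2 <= len(body):               # the extensions block is optional
        end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 43 and data:    # supported_versions: 1-byte length, 2-byte versions
                offered = [struct.unpack_from("!H", data, i)[0]
                           for i in range(1, len(data) - 1, 2)]
            pos += 4 + ext_len
    return {"record": name(rec_ver), "legacy_version": name(legacy),
            "supported_versions": [name(v) for v in offered]}

def build_sample(rec_ver=0x0301, legacy=0x0303, offered=(0x0304, 0x0303)) -> bytes:
    """Constructed ClientHello for the demo (one cipher suite, no session id)."""
    ext = b""
    if offered:
        lst = b"".join(struct.pack("!H", v) for v in offered)
        sv = struct.pack("!HHB", 43, 1 + len(lst), len(lst)) + lst
        ext = struct.pack("!H", len(sv)) + sv
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
            + struct.pack("!HH", 2, 0x1301) + b"\x01\x00" + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs

if __name__ == "__main__":
    print(client_hello_versions(build_sample()))
```

To use it on a real capture, pass the raw bytes of the first TLS record the client sends after the TCP handshake.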

 
