Hello team,
I have an issue with the Global Protect 6.2.7 app running on an Apple Mac OS X Sequoia15.3.1 in the SSL negotiation process,
The error on the Global Protect say "The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect."
On the NGFW logs see somes decrypt errors on the traffic and decryptions logs says "sslv3 alert illegal parameter. Received fatal alert IllegalParameter from client" When the Mac-OS Client try to negotiate the SSL connection with TLS 1.3.
When the client uses TLS 1.0 the decrypt error says "Client and decrypt profile version mismatch. Supported client version bitmask: 0x08. Supported decrypt profile version bitmask: 0x60. " as below:
NGFW DECRYPTION ERRORS TLS 1.0 & TLS 1.3
I import the Global Protect certificate on the Mac OS and the issues still there.
I verify the TLS/SSL Service Profile configured to the Global Protect and I see that it only allowed connections from TLS 1.2 and higher, however why the Global Protect SSL connection fail even with TLS 1.3 negotiation?
NGFW GLOBAL PROTECT SSL/TLS SERVICE PROFILE
I configured a pcap to try to find extra information about the issue, and I see that the TCP 3-way is completed between the NGFW Global Protect and the Client Global Protect App, however some times the mac-os try to negotiate with the TLS 1.0 or TLS 1.3 and the NGFW sends a TCP RST to finish the session.
NGFW GLOBAL PROTECT TLS1.0 NEGOTIATION
FROM NGFW GLOBAL PROTECT TLS1.0 NEGOTIATION ERROR
NGFW GLOBAL PROTECT TLS1.3 NEGOTIATION (AT THE END THE NGFW SENDS A TCP RST TO THE GLOBAL PROTECT CLIENT APP)
Someone else have the same issue and know how to fix it?
I appreciate your time and help,
Best Regards,
