I have been having an issue over 2022 in that some users when logging on remotely via Prisma cant connect. I have tracked it down and it seems to be a fairly new windows widget in windows10 where a weather and location widget loads.
To get around it i had to create a prelogon rule to allow access to external internet services, the logon works as expected. We think we have narrowed it down to the following urls -
It looks like the windows 10 build tries to connect to these resources before the full tunnel is built.
Just curious but has anyone else seen this issue and know why this widget would cause the pre-tunnel to fail
I would suggest to open a TAC case to check the PanGPS logs on the global protect to see why the connection fails. Even when the windows needs to connect to these URL's, it should not stop GP from connecting. Unless for some reason, the OS or any other app is blocking the PanGPS process from connecting in first place.
Also you may try "Before Logon" to see if there is the same issue https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele... . Also what is your version of the globalprotect agent as better be on the latest to know that is not an issue that is solved.
Hello, I opened a TAC case with Palo but am not getting any results. They say based on your findings, the PanGPS/PanPGS process are not the cause of the crash rather they are the victims of the crash. They have asked me to perform Windows level investigations first as this issue behaviour include Windows taskbar freeze, WiFi modifications but this does not help me resolve why the Prisma clients cannot connect remotely. If i turn off Global Protect on the users laptop they can connect no problem to the Corporate Network. Its only over Prisma the user has a problem connecting
any advice is welcome
Its happening for alot of Prisma users on different clients from 5.2.4 up to 5.2.10 so i know its not the client software
Not all users are affected but the ones that are affected can get around the issue by disabling their wifi to disrupt the Pre-logon tunnel and then turn their wifi back on and it reconnects to the domain via Prisma. Its very frustrating and i would just like to know why this is happening. Is it something that has been pushed out on windows 10 or is it a problem with Pre-logon
any advice is welcome
That is true and this has been working ok for two years but now random users are having a logon issue. Is as if their laptop is trying to talk to the internet when the pre-tunnel is loading. I think i have tracked it down to the following sites and i now have a rule at the top of the policy for pre-logon to hit these websites. Then it disconnects and reconnects the user from Prisma to our domain. It seems to work ok for now but why does the windows 10 laptop need access to these websites. Does that not defeat the purpose of pre-tunnel which should only talk to our domain controllers before disconnecting and then reconnecting to log the user in
If there are crashes for the process than that needs to be isolated to identify what is causing those. You can may be ask for more details from TAC on why the process is crashing and also involve local IT team or microsoft as applicable to identify what process is causing the crash. Another good way to isolate is to take a test machine and remove all other 3rd party softwares from there except GP and check if the issue persists.
Hi, Yes i have a test laptop which is windows 10 version 21-H2. All other software is removed and the issue still exists. When i boot up and pre-tunnel starts the taskbar hangs and that new widget in windows (the one with msn, location, weather and some news feeds, etc) - it fails to load and therefore the user cant connect as the pre-tunnel fails.
Laptops with version 1809 and 1909 do not have the issue because they do not have this windows feature
I am curious why this widget is impacting pre-tunnel because pre-tunnel is supposed to talk to our firewall active directory sites only.
any advice is welcome
You may check if enforce globalprotect for network access is enabled:
Also check if changing between Pre-logon (Always On) or Pre-logon then On-demand helps. Also check if playing with
I have spoken to Microsoft and taken logs off an affected laptop.
It turns out this is the problematic URL - autologon.microsoftazuread-sso.com
If i whitelist this URL then pre-tunnel is unaffected but if i dont a lot of users are getting an issue where their taskbar hangs and they cant login to global protect until they disconnect their wifi and turn it back on. It must be because the laptops are trying to login to Azure even though our laptops are not Azure joined - they are only Azure registered.
has anyone else seen this before and does anyone know why this would affect the pre-tunnel if not whitelisted
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!