Hello all, hope someone can help us with this issue. We’ve been using SAML authentication for GlobalProtect through Azure without any issues. Recently users have started reporting that when they hit Connect on GP, they get the error "Can’t reach this page <Portal Address>". When they try to connect a second time it goes through. On the PA side I see the connection coming through but nothing else. This issue started with a few users but now almost everyone in the organization is experiencing it.
I’ve seen issues with windows clients preferring IPv6 for the connection to azure for authentication and being unable to connect to the authentication portal - likely because of an issue with IPv6 with their ISP. We had to make sure all our windows endpoints prefer IPv4 and haven’t really seen the issue crop up since.
Ask the user to export the GP logs. It's in the GP client settings area. It downloads a ZIP. Look for the date and time stamp and see the reason why it could not connect. It may be helpful to scroll through yourself. As your web page loaded that page, to me this usually sounds like DNS. I assume you did check it was resolving correctly. Did you check it was routable correctly between the client and gateway/portal? You don't have geo restrictions in place on your policy? Did you check the firewall logs to ensure it's not seen as a threat and being dropped? You don't have asymmetric routing, or maybe return traffic is an issue? Look at the firewall session end reason; what does it say? Did the client end the session, did the session not start, did the server end the session? Some ideas to help you, but wishing you all the best in your adventures. Good luck!
It might be the known issue with 11.0.x where you have to authenticate within 20 seconds. There is a workaround. If I remember correctly you have to increase the TCP handshake timeout under Device - Setup - Sessions.
Using Azure? Works on the initial MFA prompt. Subsequent ones, no. Leads me to believe that it is an issue with MS no longer supporting Office for Internet Explorer. Try reloading login.microsoftonline in IE mode. Dead end.
Have you tried a different GP app version? Pull down 6.2.2 from support and install it on a handful of affected machines. Have seen this issue before with one of my customers.
We had a similar problem 6 months ago.
Suggestion:
Change the “IPv6 Preferred” setting in Network | Portals | | Agent | | App from Yes to No.
Worked for us.
We recently started to see a similar message intermittently. We use Azure SAML and the embedded browser on 10.1.11-h5. With the help here we tried adjusting TCP timeouts, preferring IPv4 on GP and OS level, etc., and none worked. Using the default browser did help and eliminated the intermittent problem - thanks everyone for the info.
In our case support asked us to try making sure TLS 1.3 and SSL3 are unchecked under Control Panel > Internet Options > Advanced - this also worked for us. So it looks like we can continue to use the embedded browser by disabling TLS 1.3. I’m not sure if this is a good idea or what other impact it may have on other sites going forward. We are still probing support for further info and will continue to test in the next few days.
Does this make sense to anybody? Is this because of the ongoing changes related to TLS 1.3 within Microsoft? This is my guess but I'm no expert by any means. Is this a problem in Microsoft? On the PA level? Is the embedded browser still a viable option? Maybe just take the plunge and support the system browser going forward?
I’m interested to see, for those that are still looking for something to try with the embedded browser: disable TLS 1.3 and SSL3 support under Internet Options > Advanced - any change on your end?
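For anyone comparing affected and unaffected machines, here is a read-only audit script (added to this thread as an example; it is not from Palo Alto or any poster above) that reports the two Windows client settings discussed here: the IPv4/IPv6 preference from the Tcpip6 `DisabledComponents` value and the per-user Internet Options protocol checkboxes stored in the `SecureProtocols` bitmask. The bitmask meanings are taken from Microsoft's documented layout of those keys and are assumptions to verify against your own OS build.

```powershell
# Added example, not from the original thread: read-only audit of the client
# settings discussed above. Nothing is changed; run in an elevated or normal
# PowerShell on an affected endpoint and compare with a working one.

function Get-Ipv6Preference {
    # HKLM Tcpip6 DisabledComponents (assumed layout): bit 0x20 = prefer IPv4
    # over IPv6 in the prefix policy table; 0xFF = IPv6 fully disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $val = (Get-ItemProperty -Path $key -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $val) {
        return 'IPv6 preferred (DisabledComponents not set; OS default)'
    }
    if ($val -band 0x20) {
        return ('IPv4 preferred (DisabledComponents=0x{0:X})' -f $val)
    }
    return ('IPv6 preferred (DisabledComponents=0x{0:X})' -f $val)
}

function Get-InternetOptionsProtocols {
    # Per-user "Internet Options > Advanced" protocol checkboxes live in the
    # SecureProtocols DWORD; flag values below are assumed from MS docs.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $val = (Get-ItemProperty -Path $key -Name SecureProtocols `
            -ErrorAction SilentlyContinue).SecureProtocols
    $flags = [ordered]@{
        'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80;   'TLS 1.1' = 0x200
        'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000
    }
    $result = [ordered]@{}
    foreach ($name in $flags.Keys) {
        if ($null -eq $val) { $result[$name] = 'default (value not set)' }
        else { $result[$name] = [bool]($val -band $flags[$name]) }
    }
    return $result
}

Write-Host "IPv6 preference : $(Get-Ipv6Preference)"
Write-Host 'Internet Options protocol checkboxes (True = enabled):'
Get-InternetOptionsProtocols | Format-Table -AutoSize
```

On a machine where the thread's workaround was applied you would expect "IPv4 preferred" and `TLS 1.3` / `SSL 3.0` reported as False; a machine that still fails with different values narrows the comparison.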
Hello! Do you still have the issue? I have a similar issue with a FW on 10.2.4 (SAML, 2 prompts even though cookies are well set up, and the second one a white screen + timeout) and would like to know if you found an answer.
In order for IE mode to work properly, authentication / Single Sign-On (SSO) servers will need to be explicitly configured as neutral sites. Otherwise, IE mode pages will try to redirect to Microsoft Edge, and authentication will fail.