PAN-OS 10.2.6 GlobalProtect SAML issues

We upgraded our firewalls hosting GlobalProtect portal and gateways to PAN-OS 10.2.6.

We’re now having issues with authenticating users via SAML.

The SAML piece works OK (the SAML provider logs show success). The issue appears to be when SAML redirects the client back to the portal address to complete login: we get errors saying the portal/gateway is unavailable or not responding in time (packet captures show lots of retransmits to the portal).

If we retry the connection multiple times, it eventually completes the authentication.

Has anyone had similar issues?

(We have a ticket logged with our support company, still going through all the support desk hoops).

Yes. It’s a bug. Should be fixed in 10.2.7. The workaround is to go to Device - Setup - Session and change the TCP handshake session timeout to 60.

Interesting, I saw a snip about this in another post, so I only upgraded the hardware in 1 city to verify SAML functionality and it seems to be working fine for us.

10.2.6 PA-850’s

SAML AZURE AD and MS Authenticator 2FA

Will be doing PA-3410’s in another city this weekend. Hope it continues to work; however, if not, I will implement the workaround. Thanks for all of the posts!

Welcome to the club! We upgraded Sunday night to 10.2.6 and rolled back Monday night.

Got a new 1410 running 11.0.2 with the same issue. As someone said, TCP timeout 60 also resolved the issue.

Hi Everyone

I have a question; I hope I can get an answer from you gents.

Does this issue happen to you while clients were using Clientless VPN?

Hi! I think we have the same issue. PreLogin works; when we then try to MFA authenticate against MS we get “can’t reach this page”. Then after we try to reconnect multiple times it finally works. PAN-OS 11.0.3, GP 6.2.2. Best regards

Hi,

I can confirm the same issue on VM-100, PAN-OS 10.2.6.

I have this issue on 11.0.2. The TCP handshake value fixed it. PA-3410, GP 5.2.12

Hit this same bug. Received the same workaround instructions and fixed release from support too.

Awesome! Just what I suspected.

Will give the workaround a go.

Thanks.

Do you happen to have a bug id I can pass on to our support company?

Is anyone able to confirm if it is fixed in 10.2.7? I don’t see the Bug ID addressed according to the release notes, but I also don’t see it as a known issue…

Hey, I’m having the same issue that you mentioned in this comment a couple of months ago.

I’m just an end user. I use the VPN client on the laptop to connect to my customer’s network. I don’t manage their VPN, I just use it. Am I right in thinking that the fix you’ve described needs to be applied by the people who manage the VPN? It’s not something I do on my laptop, is it?

VE 11.0.2-h1 also affected, and PA-1410. There was no information that this bug affects those versions. The workaround is a bit strange to me. I’ve captured that session in Wireshark and the TCP handshake established properly, then SSL negotiation, but after about 40-50 sec the client sends data to the GP gateway/portal and this step fails. I don’t understand how increasing timeouts helps; however, it looks like it helps.

[edit]

10.2.7h3 on PA450 still has this issue.

Update:

So this bug doesn’t seem to affect PA-850 but definitely affects PA-3410. I tested a week prior to the cut on the PA-850 without issue and upgraded the PA-3410 this past weekend and boom, there is the bug!

Rollback isn’t an option at the moment. We have considered it.

Cool thanks. Good to know it’s not just me! :sob:

Sorry, I don’t use Clientless VPN so can’t help.

Yeah, it’s quite annoying. Fixed in 10.2.7. You can either upgrade or change the http handshake timeout (in system settings) to 60 seconds.