Palo Alto Networks Knowledgebase: Cannot decrypt cookie for gateway connection

Cannot decrypt cookie for gateway connection

Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM


Authentication override by cookie fails on the GlobalProtect gateway, and users must enter their login credentials. This scenario applies when you generate an authentication cookie on the portal and accept it on the gateway, so that users are not prompted for gateway credentials until the cookie lifetime expires.



System logs


(description contains 'GlobalProtect gateway user authentication failed. Login from: X.X.X.X, Source region:, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.' )

The cookie is encrypted with the key of the certificate used on the portal. If the gateway uses a different certificate to decrypt the cookie, decryption fails.


Make sure the same certificate that was used to encrypt the cookie on the portal is used on the gateway to decrypt the cookie file.
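To see how many clients are hitting this failure, the system log descriptions can be parsed and counted per source address. The following is an added example, not Palo Alto Networks code: it assumes the descriptions have been exported as plain strings in the format quoted above, and the sample entries, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

PREFIX = "GlobalProtect gateway user authentication failed."
# Field labels as they appear in the system log description quoted above.
FIELDS = ["Login from", "Source region", "User name",
          "Client OS version", "Reason", "Auth type"]
# Split only where a known label follows: values such as the client OS
# version contain commas, so a plain split(",") would break them apart.
_LABEL = re.compile(r"(?:^|,\s*)(" + "|".join(map(re.escape, FIELDS)) + r"):")

def parse_description(desc):
    """Return the labelled fields of one description as a dict, or None."""
    if PREFIX not in desc:
        return None
    body = desc.split(PREFIX, 1)[1].strip().rstrip(". ")
    marks = list(_LABEL.finditer(body))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        # Last occurrence wins, so the real Reason/Auth type at the end of
        # the entry override anything embedded in an earlier value.
        fields[m.group(1)] = body[m.end():end].strip()
    return fields

def cookie_decrypt_failures(descriptions):
    """Count 'Cannot decrypt cookie' cookie-auth failures per source address."""
    hits = Counter()
    for desc in descriptions:
        f = parse_description(desc)
        if f and f.get("Auth type") == "cookie" \
                and f.get("Reason") == "Cannot decrypt cookie":
            hits[f.get("Login from", "")] += 1
    return hits

# Constructed sample entries (documentation address ranges, not real logs).
_WIN7 = "Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit"
SAMPLE = [
    f"{PREFIX} Login from: 192.0.2.10, Source region:, User name: , "
    f"Client OS version: {_WIN7}, Reason: Cannot decrypt cookie, Auth type: cookie.",
    f"{PREFIX} Login from: 192.0.2.10, Source region:, User name: , "
    f"Client OS version: {_WIN7}, Reason: Cannot decrypt cookie, Auth type: cookie.",
    f"{PREFIX} Login from: 198.51.100.7, Source region: US, User name: , "
    f"Client OS version: {_WIN7}, Reason: Cannot decrypt cookie, Auth type: cookie.",
    f"{PREFIX} Login from: 203.0.113.5, Source region: US, User name: jdoe, "
    f"Client OS version: {_WIN7}, Reason: Invalid username or password, Auth type: profile.",
]

if __name__ == "__main__":
    for source, count in cookie_decrypt_failures(SAMPLE).most_common():
        print(f"{source}: {count} cookie decrypt failure(s)")
```

Failures of this kind from many different sources at once point to a portal and gateway certificate mismatch rather than a problem on one client.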
