Palo Alto Networks Knowledgebase: Cannot decrypt cookie for gateway connection

Cannot decrypt cookie for gateway connection

2886
Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM
Content Release Deployment
Symptom

Symptoms

Accepting cookie for authentication override fails and users must enter login credentials on the GlobalProtect gateway. This scenario is valid if you are generating an authentication cookie on the portal and  accepting it on the gateway, so users are not prompted to enter the gateway credentials until the cookie lifetime expires.

 

Diagnosis

System logs

+++++++++

(description contains 'GlobalProtect gateway user authentication failed. Login from: X.X.X.X, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.' )

Cookie is  encrypted by the certificate key used on the portal and if we use different certificate on gateway to decrypt the cookie it will fail.



Resolution

Make sure the same certificate that was used to encrypt the cookie on the portal is used on the gateway to decrypt the cookie file.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk8CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language