GlobalProtect Portal Fails to Generate Cookie
Created On 06/07/19 12:29 PM - Last Modified 05/14/20 19:13 PM
Symptom
- GlobalProtect users are asked to authenticate twice, once for the Portal and once for the Gateway, even though the Portal and the Gateway are configured with the options below:
  Generate cookie for authentication override
  Accept cookie for authentication override
  Accept cookie for authentication override
- System logs show the error message below:
2019/05/09 10:22:58 info globalp globalp 0 GlobalProtect portal generate cookie failed. Login from: <IP-Address>, User name: <domain\username>.
- Debug level logs in appweb3-sslvpn.log file show the error message below:
2019-05-31 15:13:15.598 +0100 debug: pan_gp_rsa_gen_app_auth_cookie(pan_gp_cfg.c:2357): missing encrypt key, cookie buffer, user or host id
2019-05-31 15:13:15.598 +0100 debug: pan_generate_portal_user_auth_cookie(panPhpGlobalProtect.c:1364): pan_global_protect_authcookie() failed
Environment
PAN-OS 8.0.x and below
Cause
The issue is caused by the format of the username entered: "domain\username".
Resolution
In PAN-OS 8.1.x, there have been enhancements to allow other ID formats, including "domain\username".
Otherwise, the workaround is either to remove the domain in the Authentication Profile, or to require users to enter the "username" only, not "domain\username".
Additional Information
- To enable debug level logging for "sslvpn", run the following command on the CLI:
> debug sslvpn global on debug
- To disable debug level logging for "sslvpn", run the following command:
> debug sslvpn global on info
- To check the content of the appweb3-sslvpn.log file, use "less" by running the command below:
> less mp-log appweb3-sslvpn.log
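To find which users are hitting this condition, the system log message from the Symptom section can be matched and the username format classified. The script below is an added example, not Palo Alto Networks code; it assumes the system log has been exported as text lines in the format quoted above, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the system log message quoted in the Symptom section.
COOKIE_FAIL = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"GlobalProtect portal generate cookie failed\. "
    r"Login from: (?P<src>\S+), User name: (?P<user>.+?)\.\s*$"
)

def username_format(user):
    """Classify the login name; the Cause section names domain\\username as the trigger."""
    if "\\" in user:
        return "domain\\username"
    if "@" in user:
        return "user@domain"
    return "username"

def cookie_failures(lines):
    """Return one dict (ts, src, user, format) per cookie-generation failure."""
    events = []
    for line in lines:
        m = COOKIE_FAIL.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["format"] = username_format(ev["user"])
            events.append(ev)
    return events

def summarize(events):
    """Count failures per username format."""
    return Counter(ev["format"] for ev in events)

# Constructed sample lines (not real logs), modeled on the message above.
SAMPLE = [
    r"2019/05/09 10:22:58 info globalp globalp 0 GlobalProtect portal generate cookie failed. Login from: 192.0.2.10, User name: corp\alice.",
    r"2019/05/09 10:23:41 info globalp globalp 0 GlobalProtect portal generate cookie failed. Login from: 192.0.2.11, User name: corp\bob.smith.",
    r"2019/05/09 10:24:02 info general general 0 constructed unrelated entry",
]

if __name__ == "__main__":
    found = cookie_failures(SAMPLE)
    for ev in found:
        print(ev["ts"], ev["src"], ev["user"], "->", ev["format"])
    print(dict(summarize(found)))
```

If every failure falls in the "domain\username" bucket, the cause described above applies; failures with other formats point to a different problem and warrant the debug logging steps.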