Password change via GlobalProtect occasionally fails

Created On 03/27/24 00:02 AM - Last Modified 08/27/24 22:31 PM


Symptom


  • GlobalProtect is configured with RADIUS authentication and "Allow users to change password after expiry" is enabled (Device > Server Profiles > RADIUS > [profile-name]).
  • When the password is expired, the GlobalProtect App displays the password expiry message to change the password.
  • When the password change is attempted, it fails with the message “Authentication Failed. Enter login credentials”.
  • Note: The correct password is entered when attempting the change.


Environment


  • GlobalProtect (GP) App
  • Supported GP App versions
  • RADIUS authentication configured on Portal
  • LDAP authentication configured on Gateway


Cause


  • This issue is caused by a timeout of the GlobalProtect Agent (GPA).
  • PanGPA.log reports timeout messages:
WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=0x2ee2, result=1, dwCertificateError=0
get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR while waitting for header, error=12002, 00600070, ERROR_WINHTTP_TIMEOUT!
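To confirm this cause on an affected endpoint before changing the firewall setting, the check below scans a PanGPA.log for the WinHTTP timeout signature shown above, treating `error=0x2ee2` and `error=12002` as the same code. It is an added example, not Palo Alto Networks code; the function names are hypothetical and the sample lines marked "constructed" are not from a real log.

```python
"""Scan a GlobalProtect PanGPA.log for the WinHTTP timeout signature."""
import re
import sys

ERROR_WINHTTP_TIMEOUT = 12002  # same value as 0x2ee2 in the first log line
CALLBACK_MARKER = "WINHTTP_CALLBACK_STATUS_REQUEST_ERROR"
# Case-sensitive on purpose: must not match "dwCertificateError=0".
ERROR_RE = re.compile(r"\berror=(0x[0-9a-fA-F]+|\d+)")

# Lines 2 and 3 are the excerpt from this article; lines 1 and 4 are constructed.
# Line 4 carries a different WinHTTP error code and must not be reported.
SAMPLE_LOG = """\
constructed: portal pre-login request sent
WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=0x2ee2, result=1, dwCertificateError=0
get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR while waitting for header, error=12002, 00600070, ERROR_WINHTTP_TIMEOUT!
constructed: WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=0x2efd, result=1, dwCertificateError=0
""".splitlines()


def parse_error_code(token):
    """Return the numeric code for a hex ('0x2ee2') or decimal ('12002') token."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def find_winhttp_timeouts(lines):
    """Return (line_number, text) for each WinHTTP callback error that is a timeout."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if CALLBACK_MARKER not in line:
            continue
        match = ERROR_RE.search(line)
        if match and parse_error_code(match.group(1)) == ERROR_WINHTTP_TIMEOUT:
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    # With no argument the embedded sample is scanned; otherwise pass the log path.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for lineno, text in find_winhttp_timeouts(lines):
        print(f"line {lineno}: {text}")
```

If the scan reports no hits, the failed password change has a different cause and the timeout change in the Resolution section is unlikely to help.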

 


Resolution


  1. Change the TCP handshake timeout from the default (10 sec) to 60 sec.
  2. This can be changed in the GUI under Device > Setup > Session > Session Timeouts.
  3. Click "OK" and Commit the changes.