Unable to access Clientless VPN application with session end reason as "policy-deny"
Created On 10/06/23 16:34 PM - Last Modified 07/12/24 21:01 PM
Symptom
- An application configured under Clientless VPN fails to launch.
- The session information shows the end reason as "policy-deny".
- The tracker stage firewall shows "proxy decrypt failure".
c2s flow:
source: X.X.X.X [vpn-remote-access]
dst: X.X.X.X
proto: 6
sport: 23227 dport: 443
state: DISCARD type: FLOW
src user: test1
dst user:
offload: Yes
s2c flow:
source: X.X.X.X [inside]
dst: X.X.X.X
proto: 6
sport: 443 dport: 23227
state: DISCARD type: FLOW
src user:
....(OUTPUT OMITTED)
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
Proxy Info:
Proxy Flow
Index: 4652712, Type: revert, Tag: 104905, Dir: stc
Stopped
- When dataplane debug logging is enabled, "unexpected message" and "handshake failed" messages are seen in pan_packet_diag.log (less dpx-log pan_packet_diag.log).
0700 debug: pan_ssl3_decode_record(pan_ssl3.c:980): after decode 12
0700 debug: pan_ssl_proxy_parse_record(pan_ssl_proxy.c:378): decoded record length 4
0700 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1151): unexpected message client hs_type 0
-0700 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:233): pan_ssl3_process_handshake_msg() failed -1
-0700 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:621): pan_ssl_parse_record() failed
X.X.X.X[23227]-->X.X.X.X[443]
-0700 pan_proxy_handle_error(pan_proxy.c:2448): handle error -1
2023-09-29 11:09:23.242 -0700 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2431): In session(104905), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
-0700 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1396): pan_ssl_proxy_parse_data() failed -1, not block
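The following is an added triage example, not Palo Alto Networks code. It assumes only the pan_packet_diag.log line shapes and the "show session" fields quoted above; the sample log and session text embedded in it are constructed from that excerpt (with a second, unrelated handshake error added to show that the filter discriminates). TLS handshake type 0 is HelloRequest (RFC 5246), the message a server sends to ask the client to renegotiate, so an "unexpected message ... hs_type 0" followed by a session error is the signature of the renegotiation failure this article describes. The script correlates those lines per session and checks a session dump for the three symptom indicators.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of pan_packet_diag.log lines, modelled on the article's excerpt
# (addresses anonymised as in the article). Session 104910 is a different, unrelated
# handshake error added to show that only a HelloRequest is flagged as renegotiation.
SAMPLE_DIAG_LOG = """\
2023-09-29 11:09:23.241 -0700 debug: pan_ssl3_decode_record(pan_ssl3.c:980): after decode 12
2023-09-29 11:09:23.241 -0700 debug: pan_ssl_proxy_parse_record(pan_ssl_proxy.c:378): decoded record length 4
2023-09-29 11:09:23.241 -0700 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1151): unexpected message client hs_type 0
2023-09-29 11:09:23.241 -0700 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:233): pan_ssl3_process_handshake_msg() failed -1
2023-09-29 11:09:23.241 -0700 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:621): pan_ssl_parse_record() failed
X.X.X.X[23227]-->X.X.X.X[443]
2023-09-29 11:09:23.242 -0700 pan_proxy_handle_error(pan_proxy.c:2448): handle error -1
2023-09-29 11:09:23.242 -0700 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2431): In session(104905), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
2023-09-29 11:09:23.242 -0700 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1396): pan_ssl_proxy_parse_data() failed -1, not block
2023-09-29 11:10:01.000 -0700 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1151): unexpected message client hs_type 11
2023-09-29 11:10:01.001 -0700 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2431): In session(104910), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
"""

# Constructed excerpt of "show session" output, as in the article's Symptom section.
SAMPLE_SESSION = """\
c2s flow:
source: X.X.X.X [vpn-remote-access]
dst: X.X.X.X
proto: 6
sport: 23227 dport: 443
state: DISCARD type: FLOW
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
"""

HS_UNEXPECTED = re.compile(r"unexpected message client hs_type (\d+)")
FLOW_LINE = re.compile(r"^(\S+)\[(\d+)\]-->(\S+)\[(\d+)\]$")
SESSION_ERR = re.compile(r"In session\((\d+)\), encounters error_id\((-?\d+) (\w+)\)")

# TLS handshake type 0 is HelloRequest (RFC 5246): the server asking the client to renegotiate.
HELLO_REQUEST = 0


def find_proxy_handshake_failures(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each 'unexpected message' handshake line with the session error that follows it."""
    findings: List[Dict[str, object]] = []
    pending_hs: Optional[int] = None
    pending_flow: Optional[Dict[str, object]] = None
    for raw in lines:
        line = raw.strip()
        m = HS_UNEXPECTED.search(line)
        if m:
            pending_hs = int(m.group(1))
            pending_flow = None
            continue
        m = FLOW_LINE.match(line)
        if m:  # the bare "src[sport]-->dst[dport]" line the proxy logs after the failure
            pending_flow = {"src": m.group(1), "sport": int(m.group(2)),
                            "dst": m.group(3), "dport": int(m.group(4))}
            continue
        m = SESSION_ERR.search(line)
        if m and pending_hs is not None:
            findings.append({
                "session": int(m.group(1)),
                "error": m.group(3),
                "hs_type": pending_hs,
                "flow": pending_flow,
                "renegotiation": pending_hs == HELLO_REQUEST,
            })
            pending_hs = None
            pending_flow = None
    return findings


# The three indicators listed under Symptom, matched at the start of a session-dump line.
SESSION_INDICATORS = {
    "discard": re.compile(r"^state:\s*DISCARD"),
    "proxy_decrypt_failure": re.compile(r"^tracker stage firewall\s*:\s*proxy decrypt failure"),
    "policy_deny": re.compile(r"^end-reason\s*:\s*policy-deny"),
}


def matches_symptom(session_output: str) -> bool:
    """True only when all three symptom indicators appear in the session dump."""
    seen = set()
    for raw in session_output.splitlines():
        line = raw.strip()
        for name, pattern in SESSION_INDICATORS.items():
            if pattern.match(line):
                seen.add(name)
    return seen == set(SESSION_INDICATORS)


if __name__ == "__main__":
    for f in find_proxy_handshake_failures(SAMPLE_DIAG_LOG.splitlines()):
        kind = ("server-initiated renegotiation (HelloRequest)" if f["renegotiation"]
                else f"handshake type {f['hs_type']}")
        print(f"session {f['session']}: {f['error']} after {kind}, flow={f['flow']}")
    print("session matches article symptom:", matches_symptom(SAMPLE_SESSION))
```

Run it against a real pan_packet_diag.log with `find_proxy_handshake_failures(open(path).readlines())`; a finding with `renegotiation` set to True, whose flow matches a Clientless VPN session in DISCARD state with "proxy decrypt failure" and "policy-deny", is the condition this article covers, while other `hs_type` values point to a different handshake problem and should be investigated separately.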
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Clientless VPN Portal
Cause
- The application server triggers an SSL renegotiation.
- The firewall terminates the session because SSL renegotiation is not supported.
Resolution
- The issue is tracked under PAN-229069 and is fixed in PAN-OS 10.2.8, 11.0.4 and 11.1.3.
- Upgrading to one of these versions or later resolves the issue.
- As a workaround, disable SSL renegotiation on the application server (if possible).
Additional Information
12 July 24 (Vijay) - Article reviewed with Prathyusha and published externally.