When logging into a GlobalProtect 11.2 Gateway, GlobalProtect goes into a Gateway login loop with a valid authentication cookie
Symptom
• GlobalProtect clients repeatedly disconnected/reconnected after idle or sleep/hibernate periods.
• Connection refresh or reboot sometimes resolved the issue.
In the PanGPA log, the login lifetime provided by the Gateway is 1:
<tunnel>yes</tunnel> <login-time>1748530838</login-time> <lifetime>1</lifetime> <manual>yes</manual> <description>US South</description> <allow-tunnel>yes</allow-tunnel> <passwd-expire-days>0</passwd-expire-days> <pre-vpn-disconnect-error>_</pre-vpn-disconnect-error> <priority>1</priority> <internal>no</internal> <last_hip_sent>05/29/2025 10:00:44</last_hip_sent> <authenticated>yes</authenticated> </entry>
The PanGPS log shows the lifetime continuously expiring on each connection:
(P27392-T38124)Info (2839): 05/29/25 10:01:08:886 Disconnect(Life time expired
(P27392-T38124)Info (5399): 05/29/25 10:01:24:894 Life time expired, disconnect!
(P27392-T39888)Info (2839): 05/29/25 10:01:32:381 Disconnect(Life time expired
(P27392-T39888)Info (5399): 05/29/25 10:01:48:354 Life time expired, disconnect!
(P27392-T30888)Info (2839): 05/29/25 10:01:55:873 Disconnect(Life time expired
In the rasmgr log, the login lifetime is confirmed as being sent as 1:
<portal>GlobalProtect External Gateway-N</portal>\n\t\t<user>user1</user>\n\t\t<quarantine>no</quarantine>\n\t\t<lifetime>1</lifetime>\n\t\t<timeout>7200</timeout>\n\t\t<lifetime-notify-prior></lifetime-notify-prior>\n\t\t<lifetime-notify-message></lifetime-notify-message>\n\t\t<inactivity-notify-prior>0</inactivity-notify-prior>\n\t\t<inactivity-notify-message></inactivity-notify-message>\n\t\t<admin-logout-notify-message></admin-logout-notify-message>\n\t\t
The user's Gateway session is shown with a negative value.
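The following triage script is an added example, not part of the original article or a Palo Alto Networks tool. It checks client logs for the two symptoms above together: a run of lifetime-expiry disconnects in PanGPS and a gateway-supplied lifetime of 1 in PanGPA. The thresholds (min_cycles, max_gap, bad_lifetime) and function names are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the PanGPS and PanGPA excerpts on this page.
PANGPS_SAMPLE = """\
(P27392-T38124)Info (2839): 05/29/25 10:01:08:886 Disconnect(Life time expired
(P27392-T38124)Info (5399): 05/29/25 10:01:24:894 Life time expired, disconnect!
(P27392-T39888)Info (2839): 05/29/25 10:01:32:381 Disconnect(Life time expired
(P27392-T39888)Info (5399): 05/29/25 10:01:48:354 Life time expired, disconnect!
(P27392-T30888)Info (2839): 05/29/25 10:01:55:873 Disconnect(Life time expired
"""
PANGPA_SAMPLE = "<tunnel>yes</tunnel> <login-time>1748530838</login-time> <lifetime>1</lifetime>"

LINE_RE = re.compile(
    r"^\(P\d+-T\d+\)\w+\s*\(\s*\d+\):\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(.*)$")

def expiry_disconnects(pangps_text):
    """Timestamps of lines that open a lifetime-expiry disconnect, in log order."""
    stamps = []
    for line in pangps_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2).startswith("Disconnect(Life time expired"):
            stamps.append(datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f"))
    return stamps

def longest_burst(stamps, max_gap=timedelta(minutes=2)):
    """Largest run of consecutive expiry disconnects spaced at most max_gap apart."""
    best = run = 1 if stamps else 0
    for prev, cur in zip(stamps, stamps[1:]):
        run = run + 1 if cur - prev <= max_gap else 1
        best = max(best, run)
    return best

def gateway_lifetime(pangpa_text):
    """Value of the <lifetime> element the gateway returned, or None if absent."""
    m = re.search(r"<lifetime>\s*(-?\d+)\s*</lifetime>", pangpa_text)
    return int(m.group(1)) if m else None

def matches_login_loop(pangps_text, pangpa_text, min_cycles=3, bad_lifetime=1):
    """True when both symptoms appear: repeated expiry disconnects and lifetime <= bad_lifetime."""
    lifetime = gateway_lifetime(pangpa_text)
    burst = longest_burst(expiry_disconnects(pangps_text))
    return lifetime is not None and lifetime <= bad_lifetime and burst >= min_cycles

if __name__ == "__main__":
    print("login loop symptom:", matches_login_loop(PANGPS_SAMPLE, PANGPA_SAMPLE))
```

Run it against the PanGPS and PanGPA files from a client log bundle; a single expiry disconnect with a normal lifetime value does not match.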
Environment
**Product_versions**
• Prisma Access PAN-OS: 11.2.4
• GlobalProtect: 6.2.6, 6.2.8-c223, 6.3.3
Cause
This is a change in behavior starting from 11.1 related to how a gateway user session is handled when the login lifetime has expired but the authentication override cookie is still valid.
The change causes the login lifetime to take precedence over the cookie validity time.
For example, if the login lifetime is 18 hours but the authentication override cookie lifetime is 7 days, the login lifetime is expected to invalidate the user cookie when the TTL reaches 0 and force authentication.
This issue occurs due to mishandling of the cookie invalidation by PAN-OS.
Resolution
This issue is being fixed as part of PAN-283881.
As a short-term workaround, the login lifetime may be increased to a value higher than the cookie lifetime.
Additional Information
Refreshing the connection, disconnecting/logging out and reconnecting, or rebooting the system may work in the case where the Portal does not accept the cookie and the user was able to log out from the Gateway successfully.