PAN-OS 11.2.6 causes endless authentication issues
After supplying the proper creds and challenge response, access is not granted, and instead it continues to ask for creds and challenge.
Here is the verbose log:
`openconnect --dump-http-traffic -vvv --protocol=gp gp.server.com`
```
POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows HTTP/1.1
Host: gp.server.com
User-Agent: PAN GlobalProtect
X-Pad: 0000000000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
cas-support=yes
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Jul 2025 09:24:57 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 599
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (599)
<server-ip>ip.of.gp.server</server-ip><auth-api>no</auth-api><default-browser>no</default-browser><region>US</region><cas-embedded-browser>no</cas-embedded-browser></prelogin-response>
Prelogin form _login: "Username: " user(TEXT)=(null), "Password: " passwd(PASSWORD)
Enter login credentials
Username: user
Password:
POST https://gp.server.com/global-protect/getconfig.esp
POST /global-protect/getconfig.esp HTTP/1.1
Host: gp.server.com
User-Agent: PAN GlobalProtect
X-Pad: 000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 214
jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&internal=no&ipv6-support=yes&clientos=Windows&os-version=win&server=gp.server.com&computer=computer&user=user&passwd=secret
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Jul 2025 09:25:40 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 160
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (160)
<challenge>
<user>user</user>
<inputstr>686db8500000257e</inputstr>
<respmsg>Please enter your passcode (primary: One-Time Password):</respmsg>
</challenge>
Challenge form _challenge: "Username: " user(HIDDEN)=user, "Challenge: " passwd(PASSWORD), inputStr=686db8500000257e
Please enter your passcode (primary: One-Time Password):
Challenge:
POST https://gp.server.com/global-protect/getconfig.esp
POST /global-protect/getconfig.esp HTTP/1.1
Host: gp.server.com
User-Agent: PAN GlobalProtect
X-Pad: 0000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&internal=no&ipv6-support=yes&clientos=Windows&os-version=win&server=gp.server.com&computer=computer&inputStr=686db8500000257e&user=user&passwd=passwd
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Jul 2025 09:26:01 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 34343
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (34343)
<?xml version="1.0" encoding="UTF-8" ?>
<policy>
<root-ca>
removed CA and certs from log
</root-ca>
<agent-user-override-key>****</agent-user-override-key>
<portal-name>GP-PORTAL</portal-name>
<portal-config-version>4100</portal-config-version>
<version>5.2.5-84</version>
<client-role>global-protect-full</client-role>
<agent-config>
<save-user-credentials>1</save-user-credentials>
<portal-2fa>no</portal-2fa>
<internal-gateway-2fa>no</internal-gateway-2fa>
<auto-discovery-external-gateway-2fa>no</auto-discovery-external-gateway-2fa>
<manual-only-gateway-2fa>no</manual-only-gateway-2fa>
<disconnect-reasons/>
<uninstall>allowed</uninstall>
<client-upgrade>manual</client-upgrade>
<enable-signout>yes</enable-signout>
<allow-extend-session>no</allow-extend-session>
<use-sso-pin>no</use-sso-pin>
<use-sso-macos>no</use-sso-macos>
<logout-remove-sso>yes</logout-remove-sso>
<krb-auth-fail-fallback>yes</krb-auth-fail-fallback>
<default-browser>no</default-browser>
<retry-tunnel>30</retry-tunnel>
<retry-timeout>5</retry-timeout>
<traffic-enforcement>no</traffic-enforcement>
<enforce-globalprotect>no</enforce-globalprotect>
<captive-portal-exception-timeout>0</captive-portal-exception-timeout>
<captive-portal-using-default-browser>yes</captive-portal-using-default-browser>
<captive-portal-login-url/>
<traffic-blocking-notification-delay>15</traffic-blocking-notification-delay>
<display-traffic-blocking-notification-msg>yes</display-traffic-blocking-notification-msg>
<traffic-blocking-notification-msg><div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div></traffic-blocking-notification-msg>
<allow-traffic-blocking-notification-dismissal>yes</allow-traffic-blocking-notification-dismissal>
<display-captive-portal-detection-msg>no</display-captive-portal-detection-msg>
<captive-portal-detection-msg><div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div></captive-portal-detection-msg>
<captive-portal-notification-delay>5</captive-portal-notification-delay>
<certificate-store-lookup>user-and-machine</certificate-store-lookup>
<scep-certificate-renewal-period>7</scep-certificate-renewal-period>
<ext-key-usage-oid-for-client-cert/>
<full-chain-cert-verify>pre-deploy</full-chain-cert-verify>
<retain-connection-smartcard-removal>yes</retain-connection-smartcard-removal>
<user-accept-terms-before-creating-tunnel>no</user-accept-terms-before-creating-tunnel>
<rediscover-network>yes</rediscover-network>
<wifi-to-wired-transition>no</wifi-to-wired-transition>
<resubmit-host-info>yes</resubmit-host-info>
<intelligent-portal>no</intelligent-portal>
<can-continue-if-portal-cert-invalid>yes</can-continue-if-portal-cert-invalid>
<access-gateway-from-agent-only>no</access-gateway-from-agent-only>
<user-switch-tunnel-rename-timeout>0</user-switch-tunnel-rename-timeout>
<pre-logon-tunnel-rename-timeout>-1</pre-logon-tunnel-rename-timeout>
<preserve-tunnel-upon-user-logoff-timeout>0</preserve-tunnel-upon-user-logoff-timeout>
<ipsec-failover-ssl>0</ipsec-failover-ssl>
<display-tunnel-fallback-notification>yes</display-tunnel-fallback-notification>
<ssl-only-selection>0</ssl-only-selection>
<tunnel-mtu>1400</tunnel-mtu>
<max-internal-gateway-connection-attempts>0</max-internal-gateway-connection-attempts>
<adv-internal-host-detection>no</adv-internal-host-detection>
<delays-internal-host-detection>no</delays-internal-host-detection>
<portal-timeout>30</portal-timeout>
<split-tunnel-option>network-traffic</split-tunnel-option>
<split-tunnel-option-mobile>yes</split-tunnel-option-mobile>
<advanced-st-public-key>Empty</advanced-st-public-key>
<enforce-dns>no</enforce-dns>
<append-local-search-domain>no</append-local-search-domain>
<flush-dns>no</flush-dns>
<agent-proxy-port>9999</agent-proxy-port>
<agent-proxy-mode>1</agent-proxy-mode>
<auto-proxy-pac/>
<proxy-multiple-autodetect>no</proxy-multiple-autodetect>
<use-proxy>yes</use-proxy>
<enable-hip-remediation>0</enable-hip-remediation>
<hip-remediation-retry>0</hip-remediation-retry>
<hip-remediation-integrity-check/>
<wsc-autodetect>yes</wsc-autodetect>
<mfa-enabled>no</mfa-enabled>
<mfa-listening-port>4501</mfa-listening-port>
<mfa-notification-msg>You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at</mfa-notification-msg>
<mfa-prompt-suppress-time>0</mfa-prompt-suppress-time>
<ipv6-preferred>yes</ipv6-preferred>
<change-password-message/>
<measuring-egw-tcp-connection>no</measuring-egw-tcp-connection>
<log-gateway>no</log-gateway>
<cdl-log>no</cdl-log>
<dem-notification>yes</dem-notification>
<dem-agent>not-install</dem-agent>
<dem-agent-action>no-action</dem-agent-action>
<quarantine-add-message>Your security policy has restricted access to the network from this device. If the issue persists, contact your administrator.</quarantine-add-message>
<quarantine-remove-message>Your security policy has restored access to the network from this device. If you still cannot access the network, contact your administrator.</quarantine-remove-message>
</agent-config>
<use-sso>yes</use-sso>
<connect-method>user-logon</connect-method>
<on-demand>no</on-demand>
<gateways>
<internal>
<list>
<entry name="gp.server.com">
<description>GW-Int</description>
</entry>
</list>
</internal>
<cutoff-time>0</cutoff-time>
<external>
<list>
<entry name="gp.server.com">
<description>GW-EXT</description>
<priority-rule>
<entry name="Any">
<priority>3</priority>
</entry>
</priority-rule>
</entry>
</list>
</external>
</gateways>
<gateways-v6>
<internal>
<list>
<entry name="GW-Int">
<fqdn>gp.server.com</fqdn>
</entry>
</list>
</internal>
<cutoff-time>0</cutoff-time>
<external>
<list>
<entry name="GW-EXT">
<fqdn>gp.server.com</fqdn>
<priority-rule>
<entry name="Any">
<priority>3</priority>
</entry>
</priority-rule>
</entry>
</list>
</external>
</gateways-v6>
<internal-host-detection>
<ip-address>192.168.168.168</ip-address>
<host>server</host>
<ipv6-address/>
<ipv6-host/>
</internal-host-detection>
<refresh-config>yes</refresh-config>
<refresh-config-interval>24</refresh-config-interval>
<agent-ui>
<can-save-password>yes</can-save-password>
<passcode-hash>7b05dcba884f424c664342a6cc2fc2a170a9a09e440f9fb1866ff382864b28a6</passcode-hash>
<agent-user-override-timeout>0</agent-user-override-timeout>
<max-agent-user-overrides>0</max-agent-user-overrides>
<welcome-page>
<display>yes</display>
</welcome-page>
<help-page/>
<help-page-2/>
<agent-user-override>with-comment</agent-user-override>
<enable-advanced-view>yes</enable-advanced-view>
<enable-do-not-display-this-welcome-page-again>yes</enable-do-not-display-this-welcome-page-again>
<can-change-portal>yes</can-change-portal>
<show-agent-icon>yes</show-agent-icon>
<password-expiry-message/>
<init-panel>no</init-panel>
<user-input-on-top>no</user-input-on-top>
</agent-ui>
<hip-collection>
<hip-report-interval>3600</hip-report-interval>
<max-wait-time>60</max-wait-time>
<collect-hip-data>yes</collect-hip-data>
<default>
<category>
<member>host-info</member>
<member>data-loss-prevention</member>
<member>patch-management</member>
<member>firewall</member>
<member>anti-malware</member>
<member>disk-backup</member>
<member>disk-encryption</member>
</category>
</default>
<custom-checks>
<mac-os>
<plist>
<entry name="com.microsoft.intuneMDMAgent"/>
<entry name="com.microsoft.CompanyPortalMac"/>
</plist>
<process-list>
<member>ScreenConnect</member>
</process-list>
</mac-os>
<windows>
<process-list>
<member>ScreenConnect.WindowsClient.exe</member>
<member>QualysAgent.exe</member>
</process-list>
</windows>
</custom-checks>
</hip-collection>
<client-cert>
removed certs from log
</client-cert>
<portal-userauthcookie>empty</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
<config-digest>96de9ccec9a8cee83233b8641fd3a499</config-digest>
</policy>
Portal reports GlobalProtect version 5.2.5-84; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
GW-EXT (gp.server.com) [priority 3]
Please select GlobalProtect gateway.
GATEWAY: [GW-EXT]:GW-EXT
POST https://gp.server.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
POST /ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows HTTP/1.1
Host: gp.server.com
User-Agent: PAN GlobalProtect
X-Pad: 0000000000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
cas-support=yes
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Jul 2025 09:26:01 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 596
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (596)
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials (site: Primary)</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>2</panos-version>
<saml-default-browser>yes</saml-default-browser>
<auth-api>no</auth-api><server-ip>ip.of.gp.server</server-ip><region>US</region><cas-embedded-browser>no</cas-embedded-browser></prelogin-response>
Prelogin form _login: "Username: " user(HIDDEN)=user, "Password: " passwd(PASSWORD)
Enter login credentials (site: Primary)
Password:
POST https://gp.server.com/ssl-vpn/login.esp
POST /ssl-vpn/login.esp HTTP/1.1
Host: gp.server.com
User-Agent: PAN GlobalProtect
X-Pad: 000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 214
jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&internal=no&ipv6-support=yes&clientos=Windows&os-version=win&server=gp.server.com&computer=computer&user=user&passwd=passwd
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Jul 2025 09:26:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 203
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (203)
<html>
<head></head>
<body>
var respStatus = "Challenge";
var respMsg = "Please enter your passcode (primary: One-Time Password):";
thisForm.inputStr.value = "686db85000002586";
</body>
</html>
Challenge: Please enter your passcode (primary: One-Time Password):
Challenge form _challenge: "Username: " user(HIDDEN)=user, "Challenge: " passwd(PASSWORD), inputStr=686db85000002586
Please enter your passcode (primary: One-Time Password):
Challenge:
```
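Added example, not part of the original report and not openconnect code: a small Python script that classifies the three response shapes the log above shows (the portal's XML `<challenge>`, the portal's `<policy>`, and the gateway's HTML page carrying `var respStatus` / `thisForm.inputStr` assignments), extracts the prompt and `inputStr` from each, and walks a recorded exchange to flag two things worth checking against a live run. First, whether the portal's policy ever carried a `portal-userauthcookie` other than `empty` (in the log it did not, so the gateway login at `/ssl-vpn/login.esp` runs its own password plus OTP round rather than reusing a portal cookie). Second, whether the same endpoint re-issues an identical challenge prompt with a fresh `inputStr` right after an OTP was submitted, which is the loop the report describes. The sample bodies are constructed to match the shapes in the log; the second gateway challenge and its `inputStr` value are made up to model the repeat, and the `analyse`/`classify` names are this example's own.

```python
"""Classify GlobalProtect auth responses and flag a challenge loop.

Added illustration, not openconnect code. Sample bodies are constructed to
match the shapes in the log; the second gateway challenge is made up.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

_JS_STATUS = re.compile(r'var respStatus\s*=\s*"([^"]*)"')
_JS_MSG = re.compile(r'var respMsg\s*=\s*"([^"]*)"')
_JS_INPUT = re.compile(r'thisForm\.inputStr\.value\s*=\s*"([^"]*)"')


@dataclass
class AuthResult:
    kind: str                          # "challenge", "policy" or "unknown"
    message: str = ""                  # challenge prompt (respmsg / respMsg)
    input_str: str = ""                # inputStr the client must echo back
    auth_cookie: Optional[str] = None  # portal-userauthcookie, None if "empty"


def classify(content_type: str, body: str) -> AuthResult:
    """Parse one getconfig.esp / login.esp response body.

    The portal answers in XML (<challenge> first, <policy> once accepted);
    the gateway answers with an HTML page whose JavaScript assignments carry
    the same fields.
    """
    mime = content_type.split(";")[0].strip()
    if mime == "application/xml":
        root = ET.fromstring(body.strip())
        if root.tag == "challenge":
            return AuthResult("challenge",
                              (root.findtext("respmsg") or "").strip(),
                              (root.findtext("inputstr") or "").strip())
        if root.tag == "policy":
            cookie = (root.findtext("portal-userauthcookie") or "").strip()
            return AuthResult("policy",
                              auth_cookie=None if cookie in ("", "empty") else cookie)
        return AuthResult("unknown", message=root.tag)
    if mime == "text/html":
        status = _JS_STATUS.search(body)
        if status and status.group(1) == "Challenge":
            msg, inp = _JS_MSG.search(body), _JS_INPUT.search(body)
            return AuthResult("challenge",
                              msg.group(1) if msg else "",
                              inp.group(1) if inp else "")
    return AuthResult("unknown")


def analyse(exchange: List[Tuple[str, str, str]]) -> dict:
    """Walk (endpoint, content_type, body) triples in the order received."""
    results = [(ep, classify(ct, body)) for ep, ct, body in exchange]
    policy = next((r for _, r in results if r.kind == "policy"), None)
    reissued = 0
    for (ep_a, a), (ep_b, b) in zip(results, results[1:]):
        # Same endpoint, same prompt, new inputStr immediately after a
        # challenge answer: the server discarded the OTP and started over.
        if (ep_a == ep_b and a.kind == b.kind == "challenge"
                and a.message == b.message and a.input_str != b.input_str):
            reissued += 1
    return {
        "kinds": [r.kind for _, r in results],
        "portal_cookie_issued": bool(policy and policy.auth_cookie),
        "reissued_challenges": reissued,
    }


# Constructed sample bodies (shapes taken from the log; trimmed policy).
PORTAL_CHALLENGE_XML = (
    "<challenge>\n<user>user</user>\n<inputstr>686db8500000257e</inputstr>\n"
    "<respmsg>Please enter your passcode (primary: One-Time Password):</respmsg>\n"
    "</challenge>"
)
PORTAL_POLICY_XML = (
    '<?xml version="1.0" encoding="UTF-8" ?>\n<policy>\n'
    "<portal-name>GP-PORTAL</portal-name>\n"
    "<portal-userauthcookie>empty</portal-userauthcookie>\n</policy>"
)


def _gateway_challenge_html(input_str: str) -> str:
    return ('<html>\n<head></head>\n<body>\nvar respStatus = "Challenge";\n'
            'var respMsg = "Please enter your passcode (primary: One-Time Password):";\n'
            f'thisForm.inputStr.value = "{input_str}";\n</body>\n</html>')


GATEWAY_CHALLENGE_HTML = _gateway_challenge_html("686db85000002586")
GATEWAY_CHALLENGE_HTML_REPEAT = _gateway_challenge_html("686db850000025a0")  # made-up repeat

XML_CT, HTML_CT = "application/xml; charset=UTF-8", "text/html; charset=UTF-8"
SAMPLE_EXCHANGE = [
    ("/global-protect/getconfig.esp", XML_CT, PORTAL_CHALLENGE_XML),
    ("/global-protect/getconfig.esp", XML_CT, PORTAL_POLICY_XML),
    ("/ssl-vpn/login.esp", HTML_CT, GATEWAY_CHALLENGE_HTML),
    ("/ssl-vpn/login.esp", HTML_CT, GATEWAY_CHALLENGE_HTML_REPEAT),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EXCHANGE))
```

To use it against a real session, feed `analyse` the `(path, Content-Type, body)` triples from an `openconnect --dump-http-traffic` run in order; a result with `portal_cookie_issued` false and `reissued_challenges` above zero is the pattern this report shows, and comparing the `inputStr` values tells you whether the gateway is rejecting the OTP or never receiving it.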