Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2476
Views
0
Helpful
2
Replies

Universal Prompt issues with GlobalProtect VPN

jwckauman
Level 1
Level 1

‎12-28-2021 07:55 AM

We are using Duo to protect Palo Alto’s GlobalProtect VPN application and have the application configured in Duo Admin to use both SSO (SAML, Azure AD) and the new Universal Prompt. Out of about 100 clients, five of them have run into issue with the VPN connection process. When the process works, the user opens GlobalProtect, clicks ‘Connect’, approves the Duo Push notification, and sees a succesful VPN connection. When the process fails, it is failing somewhere between the user clicking ‘Connect’ and Duo sending out the push notificiation. Each user has had a slightly different experience when it fails. Here’s what we have observed:

  1. a blank GlobalProtect browser window opens (where we would normally see the Duo Universal Prompt)
  2. a blank GlobalProtect browser window opens AND the user receives a Java script error.
  3. GlobalProtect’s browser window opens and states it cannot connect securely to this page (due to outdated or unsafe TLS security settings).

As a workaround, we have been able to resolve the issue by opening Internet Options, clicking the Advanced tab, and choosing one or more of the following:

  1. Restore Advanced Settings
  2. Restore Advanced Settins & reset Internet Explorer settings without deleting personal settings.
  3. Restore Advanced Settings, reset Internet Explorer settings WITH the delete personal settings checkbox checked.

Any suggestions for troubleshooting this further and determining what is broken? Can we enabling any kind of debug logging with the Duo Universal Prompt or SSO service? so we can see what Duo is seeing (and not liking) on these few machines?

Labels:
0 Helpful
2 Replies 2

jwckauman
Level 1
Level 1

‎01-04-2022 02:26 PM

Surely somebody knows why this fails ??

0 Helpful

Amy2
Level 5
Level 5
In response to jwckauman

‎01-06-2022 02:05 PM

Hi @jwckauman, please accept our apology for the delayed response. Most of Duo was out for a company-wide shutdown during the holidays. I’m not sure what the issue could be based on what you’ve shared here. Your best bet is to contact Duo Support for help with this, and you’ll want to capture and share the HAR logs with them.
Unfortunately, most embedded browsers don’t support HAR log captures. You may be able to capture them from the embedded browser, but you would have to do some research on Palo Alto’s embedded browsers and see if they allow it first. I recommend switching to the default OS browser for a specific machine if possible in order to ensure the HAR logs are captured properly.

Please see our help article here for more info on how to capture these HAR logs for troubleshooting Duo Prompt issues. I hope that helps!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents