Universal Prompt issues with GlobalProtect VPN

We are using Duo to protect Palo Alto’s GlobalProtect VPN application and have the application configured in Duo Admin to use both SSO (SAML, Azure AD) and the new Universal Prompt. Out of about 100 clients, five of them have run into issues with the VPN connection process. When the process works, the user opens GlobalProtect, clicks ‘Connect’, approves the Duo Push notification, and sees a successful VPN connection. When the process fails, it is failing somewhere between the user clicking ‘Connect’ and Duo sending out the push notification. Each user has had a slightly different experience when it fails. Here’s what we have observed:

  1. a blank GlobalProtect browser window opens (where we would normally see the Duo Universal Prompt)
  2. a blank GlobalProtect browser window opens AND the user receives a JavaScript error.
  3. GlobalProtect’s browser window opens and states it cannot connect securely to this page (due to outdated or unsafe TLS security settings).

As a workaround, we have been able to resolve the issue by opening Internet Options, clicking the Advanced tab, and choosing one or more of the following:

  1. Restore Advanced Settings
  2. Restore Advanced Settings & reset Internet Explorer settings without deleting personal settings.
  3. Restore Advanced Settings, reset Internet Explorer settings WITH the delete personal settings checkbox checked.

Any suggestions for troubleshooting this further and determining what is broken? Can we enable any kind of debug logging with the Duo Universal Prompt or SSO service so we can see what Duo is seeing (and not liking) on these few machines?

Surely somebody knows why this fails?

Hi @jwckauman, please accept our apology for the delayed response. Most of Duo was out for a company-wide shutdown during the holidays. I’m not sure what the issue could be based on what you’ve shared here. Your best bet is to contact Duo Support for help with this, and you’ll want to capture and share the HAR logs with them.
Unfortunately, most embedded browsers don’t support HAR log captures. You may be able to capture them from the embedded browser, but you would have to do some research on Palo Alto’s embedded browsers and see if they allow it first. I recommend switching to the default OS browser for a specific machine if possible in order to ensure the HAR logs are captured properly.

Please see our help article here for more info on how to capture these HAR logs for troubleshooting Duo Prompt issues. I hope that helps!
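Once a HAR capture exists, a first pass over it can narrow down which request in the prompt flow never completed. The following is an added example, not part of the thread and not Duo or Palo Alto tooling: it lists entries that got no HTTP response (status 0) or an HTTP error, grouped by host. The hostnames and paths are constructed placeholders, and the `_error` field is assumed to be present as in Chrome-style HAR exports.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample HAR (not a real capture); hosts and paths are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://sso.example.test/login?SAMLRequest=abc"},
     "response": {"status": 302}},
    {"request": {"method": "GET", "url": "https://prompt.example.test/prompt?sid=xyz"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://prompt.example.test/static/app.js"},
     "response": {"status": 0, "_error": "net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH"}},
    {"request": {"method": "POST", "url": "https://prompt.example.test/api/push?sid=xyz"},
     "response": {"status": 403}},
]}})


def triage(har_text):
    """Return {host: [(kind, method, path, detail), ...]} for failed entries.

    Only the URL path is reported; query strings are dropped so session
    identifiers and SAML parameters do not end up in the summary.
    """
    findings = defaultdict(list)
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        url = urlsplit(req["url"])
        status = resp.get("status", 0)
        if status == 0:
            # No HTTP response at all: TLS handshake failure, blocked or aborted request.
            kind = "no-response"
            detail = resp.get("_error", "no error text recorded")
        elif status >= 400:
            kind, detail = "http-error", str(status)
        else:
            continue
        findings[url.hostname].append((kind, req["method"], url.path, detail))
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_HAR).items():
        print(host)
        for kind, method, path, detail in items:
            print(f"  {kind:12} {method:5} {path}  ({detail})")
```

Running the same summary on a capture from a working machine and a failing one shows which host or resource differs between them.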