GlobalProtect broke after 11.1.13-h5 upgrade
Just wanted to give everyone else a heads up: after upgrading from 11.1.13-h3 to 11.1.13-h5 we were no longer able to connect to GlobalProtect gateways. It turns out that 11.1.13-h5 enables this setting by default:

> show global-protect enable-auth-override-cookie-hmac
>
> Enable auth override cookie HMAC flag: yes

and if it's not enabled everywhere (all portals and all gateways) it will cause 'cookie decrypt' errors when trying to connect to that gateway.
The fix was simple but annoying: after upgrading, log in to each firewall and issue the command, or upgrade all firewalls at once and have this setting enabled everywhere:

> set global-protect enable-auth-override-cookie-hmac no

Edit: I checked with TAC based on comments and was told that this should only be used long enough to get everything upgraded; once upgraded, the HMAC setting should be turned back on.