Known Issues

The following table describes the open issues with workarounds where applicable.

Problem Report Description

Release 22.6R1.2

PZT-42473

Symptom: Enrollment from the browser fails with the error "SAP is not configured for /login /login/enroll" when a device policy is enforced on the user sign-in policy and that same device policy is modified.

Workaround: After changing the device policy, navigate to Secure Access > Manage Users > User Policies, then edit and save the user policy to which the device policy is mapped.

PZT-42710

Symptom: If a user group has a SAML attribute user rule mapped to it, changing SAML auth to local auth in the user policy should alert with a warning.

Workaround: Remove the user rule that has the SAML attribute before changing the user authentication server from SAML auth to a local authentication server.

PZT-42722

Symptom: MDM device rule should not be added to the device policy which is enforced on the Admin sign-in URL under User Policies.

Workaround: NA

PZT-42721

Symptom: Analytics dashboard shows an MDM device attribute failure if a hybrid device policy (Location, HC, MDM) is enforced on the Secure Access Policy, when the non-compliance is actually due to HC/Location failures.

Workaround: NA

PIOS-6533

Symptom: Re-authentication using login to Ivanti Secure Access is not working.

Workaround: Click on 'connect' button manually.

Release 22.6R1

PZT-42203

Symptom: While editing an existing FQDN app policy with App Discovery enabled to a URL-based policy, the App Discovery checkbox is greyed out and not editable.

Workaround:

  • Uncheck App Discovery first and then edit the application URL.
  • Convert wildcard to URL.

PZT-41958

Symptom: ZTA Gateway shows upgrade failed and a different version on the Secure Access Gateways dashboard when upgraded to the latest version, although the gateway is successfully upgraded as seen from its console.

Workaround: None. The end-to-end use case of connecting to the gateway is not impacted, as the gateway is already upgraded to the latest version.

PZT-41797

Symptom: Upgrading/downgrading ESAP might cause a bad config state if a configured product is not present in the old release.

Workaround: If a new product is configured with a new ESAP version and ESAP is then downgraded to an older version where that product is not available, the admin has to manually delete that product to return the tenant to a normal state. For example, when upgrading from ESAP 4.1.6 to ESAP 4.2.6, admin has to manually remove the vendor name "Broadcom" and product name "Symantec Endpoint Protection (0.0.x)" from the configured AV/AS/Firewall device policies.

PZT-41821

Symptom: Gateway UI does not validate the IP address/subnet and subnet GW info while creating a ZTA Gateway under Manage Gateways.

Workaround: Admin has to provide the correct interface IP/subnet and subnet default Gateway info while configuring ZTA Gateway.

PZT-41719

Symptom: UEBA Threat data for a user in the ZTA analytics dashboards differs from the UEBA Threat report for the same timestamp.

Workaround: NA

PZT-41837

Symptom: UEBA Threat score and UEBA Threat rank are not shown accurately for users in the active and historic views on the Analytics dashboards in the simultaneous (ICS + ZTA) scenario.

Workaround: NA

Release 22.5R1.2

PZT-41401

Symptom: Error 401 unauthorized when trying to log in to the tenant with any of the pre-canned roles such as read-only, cxo and net admin if there are no gateways registered in the controller.

Workaround: Register a ZTA gateway in the tenant controller and log in.

PZT-41264

Symptom: Page not found when trying to log in with the pre-canned Network admin role configured under System > Admin Roles.

Workaround: Create a custom admin role with only permissions to view the Manage Gateways dashboard, which serves the purpose of the Network admin role.

PZT-41319

Symptom: After a fresh installation of the client, it closes unexpectedly.

Condition: Manual or browser installation of the client.

Workaround: Open the client from the system tray.

Release 22.5R1

PZT-40857

Symptom: Non-compliance policy failure reason is empty on the drill down log view dashboard when non-compliance is reported while accessing RDP/IPv4 application type.

Workaround: NA

PZT-40739

Symptom: Non-compliance policy failure reason on L4 (drill down) log dashboard states all the strings related to host check (HC) failures instead of the specific string that caused the failure for that specific application access.

Workaround: NA

PZT-37613

Symptom: The timestamp displayed under the cards in the User Info panel on Landing page is incorrect in the historic view.

Workaround: NA

PZT-39046

Symptom: End user logins will be blocked and admin login shows 401 error when AAA journal version is in bad state once a new ESAP version is activated under Administration > Installers > ESAP.

Workaround: Edit the already configured Device Policy and remove the unsupported products from it and add the supported products. This applies to all the OPSWAT-based device policies (Antivirus, Firewall, Patch, Antispyware) irrespective of whether these device policies are enforced on a specific Secure Access Policy.

PZT-40518

Symptom: Endpoint connection to the controller will fail and show the status as 'Failed' when Rule requirement > custom expression is configured under Secure Access > Manage Devices > Device Policies due to AAA journal version failure.

Workaround: Edit the device policy with the custom expression and save it again so that the AAA journal version recovers.

Release 22.4R3

PZT-38904

Symptom: Tenant admin UI will be logged out frequently with 401 error and end user connections will be blocked due to incorrect cache in AAA.

Workaround: Find the XML import failure log in Insight > Admin logs and remove the unsupported product version from the device rule and save it.

PZT-39870

Symptom: Multiple SAP policies having a Device policy configured with an AV rule result in an incorrect cache on AAA.

Workaround: NA

Release 22.4R1

PZT-39050

Symptom: Inconsistency in historic view data is intermittently observed in the analytics dashboards.

Workaround: NA

PZT-38904

Symptom: GCP gateway is not in the connected state after reboot using the GCP VM control options (Reset and Stop/Start).

Workaround: After deploying the gateway instance in GCP and successfully registering the gateway to the controller, reboot once from the serial console of the instance to avoid the issue. Also, we don't recommend using a hard reset to reboot the cloud gateways.

PZT-39351

Symptom: Application details with Kerberos/LDAP/NTP or unknown port numbers are not detected while creating a Secure Access Policy when migrating from ICS to ZTA.

Workaround: The admin needs to modify the application details manually by adding the relevant port number at the end of the FQDN/IP. For example, in the case of LDAP, ldap://<FQDN> needs to be changed to <FQDN>:389, and for Kerberos, kerberos://<IP> needs to be changed to <IP>:88.

PZT-29634

Symptom: Ivanti client is not able to connect to the gateway and fails with error 1147 - Invalid client certificate during upgrade/rollback of a standalone gateway or gateway group.

Workaround: If it is a standalone gateway, then the gateway needs to be added to a gateway group and removed again to perform certificate renewal and reboot the gateway. If a gateway is already a part of a gateway group, then it needs to be removed and added back to the gateway group.

PZT-39046

Symptom: End user logins will be blocked and admin login will show 401 error when AAA journal version is in bad state once a new ESAP version is activated under Administration > Installers > ESAP.

Workaround: Edit the already configured Device Policy and remove the unsupported products from it and add the supported products. This applies to all the OPSWAT-based device policies (AntiVirus, Firewall, Patch, AntiSpyware) irrespective of whether these device policies are enforced on a specific Secure Access Policy.

PZT-39002

Symptom: At end of every end UEBA Threat Score is recalculated and there could be a change in the Threat Score

Workaround: NA

PZT-38858

Symptom: After upgrading MOD AAA to the latest build, assigned roles are missing in the cache and admin login might fail.

Workaround: After upgrading, edit the admin groups and then save.

PZT-38995

Symptom: Enrollment/Auth is blocked when the connection is made from an endpoint whose source_IP is not listed in the allow/block criteria of the Network device policy that is enforced on the User policy.

Workaround: Create a Network Device policy to allow the source_IP/s instead of denying them, as the default action is to deny.

PZT-38975

Symptom: 500 error is intermittently seen on the dashboard when un-enrolling clients from 'Manage Devices', and new device enrollment will fail on the endpoint due to a connectivity issue between the client service and Redis.

Workaround: Restart the client service on the controller.

PZT-38722

Symptom: Non-compliance count mismatch on the analytics dashboards in the summary strip and non-compliance info panel in historic view when non-compliances are reported in the same hour from the same user.

Workaround: NA.

PZT-38718

Symptom: CARTA check fails on Mac OS X for the predefined and custom device policies.

Workaround: Disconnect and connect again to re-evaluate the compliance and perform remediation accordingly.

PZT-38717

Symptom: Firewall device policy not evaluated on the endpoint when default Microsoft product is configured while having 'Rule options' and rule monitoring on.

Workaround: NA

PZT-38690

Symptom: If previously selected Client package version is not present after upgrade, latest version will be set to default with auto upgrade enabled.

Workaround: Select the required client version if the admin doesn't want to use the latest client version after upgrade.

PZT-38619

Symptom: RiskSense Notify device policy blocks enrollment via web browser when applied on the Enrollment User sign policy.

Workaround: The device policy should be configured with multiple device rules apart from the RiskSense notify policy, or connect to the ZTA connection profile directly from the Ivanti client already installed on the endpoint.

PZT-38618

Symptom: UI misaligned when host checker policy fails in the web browser and 'Try Again' button is clicked on Windows endpoint

Workaround: NA

PZT-38599

Symptom: Device policy enforced on the sign-in policy does not get updated when any device rule in that device policy is modified.

Workaround: Navigate to Secure Access > Manage Users > User Policies, edit the User policy where the device policy is enforced, and select 'Update User policy'.

PZT-38502

Symptom: Non-compliance card shown on Analytics dashboard for applications having device policy enforced which is configured for one Operating System and the non-compliance is reported on another Operating System.

Workaround: NA

PZT-38501

Symptom: SAML users frequently receive the error "invalid assertion" on the endpoint in the CEF browser when connecting to ZTA.

Workaround: When the error dialog with "invalid assertion" appears, click 'Sign-in' and retry.

PZT-38428

Symptom: Location Device rule does not save properly when denying access from a specific city but allowing access from the same country.

Workaround: Delete the location rule and add a new one.

PZT-38327

Symptom: No error string or instruction displayed on the Ivanti client when Network/Location/RiskSense policy is enforced on User Enrollment/Authentication Sign in URL and the compliance fails on the endpoint due to any of these device policies.

Workaround: Navigate to Insight->Logs->Access logs to view the compliance logs for admin. NA for the end user.

PZT-38315

Symptom: ZTA gateway console may show Register as one of the options in the menu, even though the Gateway is already registered.

Condition: Sometimes with Cloud, the registration process takes a while to complete. Hence, when the console options are displayed after the registration process is triggered, the Register option is still present in the console menu.

Workaround: Press the Enter key after a few seconds; the Register option will no longer be present in the gateway console menu.

PZT-38265

Symptom: Controller UI should show an error while creating a Gateway Group if one of the Gateways in the Gateway Group is mapped with a known network tag in the Gateway Selector configuration.

Workaround: NA

PZT-38256

Symptom: Session Migration from one network to another still shows the session with the older source IP under Insights->Users-> Active Sessions.

Workaround: NA

PZT-37981

Symptom: Time Of Day Device policy cannot be enforced while creating Secure Access Policy when gateway selectors are used.

Workaround: Use standalone gateways or gateway groups instead of gateway selectors.

PZT-37841

Symptom: Report format CSV/JSON has the epoch timestamp instead of a human-readable one.

Workaround: NA

PZT-37765

Symptom: Authentication URL gives error as 'SAP is not configured' when trying to open from browser.

Workaround: Navigate to Secure Access > Manage Users > User Groups. Edit the user group and save it again.

PZT-37613

Symptom: The timestamp displayed under the cards in the User Info panel on Landing page is incorrect in the historic view.

Workaround: NA

PZT-36884

Symptom: Sankey chart does not show the exact path for application being accessed with respect to user group.

Workaround: NA

PZT-36623

Symptom: Allowed domains added under any configured application shows IP address instead of the application name when accessed on analytics dashboards.

Workaround: NA

PZT-36050

Symptom: Sign in button is visible for the end user even when the UEBA score has crossed the threshold and user is denied login.

Workaround: NA

PZT-29634

Symptom: Ivanti client will not be able to connect to the gateway and fails with error 1147 - Invalid client certificate.

Workaround: Remove gateway from the gateway group and then add it back.

PZT-27457

Symptom: Policy failure dashboard shows compliance and network rule failures when any one of the rules is passing on a client machine that has a common policy enforced comprising network and compliance rules together.

Workaround: NA

Release 22.3R4

PZT-31655

Symptom: MFA Support : signing in an older version client through a MFA device policy with TOTP enabled causes a loading components page or loop after TOTP registration in the end-user portal.

Workaround: TOTP is supported for client versions applicable to the 22.2R1 release only. Make sure your client software is up-to-date.

PZT-35144

Symptom: Admin rules cannot be deleted when attached to an admin group.

Workaround: Select only rules that are not associated with any admin groups for deletion.

PZT-35194

Symptom: Applications page lacks row level actions.

Workaround: Scroll to top after selection to edit/delete.

PZT-36050

Symptom: Sign in button is visible for the end user even when the UEBA score has crossed the threshold and user is denied login.

Workaround: N/A

PZT-36753

Symptom: Subscription page gateway filters don't work under some conditions.

Workaround: None

PZT-36884

Symptom: Sankey chart does not show the exact path for application being accessed with respect to user group.

Workaround: N/A

PZT-37424

Symptom: When ICS and ZTA components are already installed on the endpoint, auth redirects to the default login URL instead of the custom SAML auth URL when trying to enroll with a multi sign-in URL.

Workaround: Deep clean endpoint with all client components and do fresh installation.

PZT-37536

Symptom: Non-compliance cards not seen on the Analytics Dashboards for Application types - SSH, Telnet, RDP and IPv4.

Workaround: N/A

PZT-37765

Symptom: Authentication URL gives error as 'SAP is not configured' when trying to open from browser.

Workaround: Navigate to Secure Access > Manage Users > User Groups. Edit the user group and save it again.

PZT-37803

Symptom: The page appears broken when visiting Gateway Logs in Chrome browser.

Workaround: Please follow these steps in your Chrome browser:

  1. Go to chrome://settings/system.
  2. Enable hardware acceleration by clicking on the "Use hardware acceleration when available" switch.
  3. Relaunch the browser.

PZT-37841

Symptom: Report format CSV/JSON has the epoch timestamp instead of a human-readable one.

Workaround: N/A

PZT-37912

Symptom: Auth Failure messages with the username as SYSTEM are observed in the Top Auth Failures chart on L2 All Users Dashboard when authentication method is SAML and the user has crossed the UEBA threat score threshold configured as a part of Actionable Insights.

Workaround: N/A

PZT-37966

Symptom: When IP resource is added with FQDN sub-domain, FQDN sub-domain is not sent for the client.

Workaround: Add FQDN as main resource and add IP as sub-domains.

PZT-37981

Symptom: Time Of Day Device policy cannot be enforced while creating Secure Access Policy when gateway selectors are used.

Workaround: Use standalone gateways or gateway groups instead of gateway selectors.

PZT-38101

Symptom: If 22.2R1 or below version of gateways are present & OGS feature is configured, older gateways may not go to ready state.

Workaround: Upgrade gateways to 22.3R1 and above to use OGS feature.

PZT-38173

Symptom: User name with %40 is shown in Tenant access log when SAML-based authentication and device policy are enabled at Secure Access Policy (SAP).

Workaround: N/A

Release 22.3R3

PZT-6921

Symptom: After un-enrollment of profile, the VPN connection should be disconnected instantly and the profile should be removed from .

Workaround: Open and move between the screens. A pop-up message should appear warning that the certificate is revoked. The profile is removed automatically.

PZT-7581

Symptom: VOD: is not notifying the end user when Notification is turned off.

Workaround: Enable Notification for the in iOS Device settings.

PZT-8610

Symptom: Simultaneous connections: After switching to a new user, shows the enrollment details.

Workaround: N/A

PZT-8740

Symptom: OS check for Android is failing while updating the policy dynamically.

Workaround: None

PZT-8866

Symptom: Dynamic policy update is not working when the same iOS OS device policy is updated for deny and allow access.

Workaround: None

PZT-9926

Symptom: ESAP Upgrade for sometimes does not work when classic VPN and connections use different ESAP versions.

Workaround: Make sure classic VPN and connections use the same ESAP version.

PZT-9979

Symptom: Captive portal detection is not working with connection.

Workaround: Open a browser window. The user should then be re-directed to the Captive portal for Guest authentication.

PZT-10287

Symptom: Resource access is not going over when chrome is enabled with Secure DNS feature.

Workaround: Disable the Secure DNS option on chrome settings or use the DNS server which supports 443. https://en.wikipedia.org/wiki/Public_recursive_name_server

PZT-10340

Symptom: [Windows] Simultaneous connections: With the bng-vpn and (corporate) connections both active, Microsoft Outlook is not reachable.

Workaround: N/A

PZT-10600

Symptom: [Windows] nslookup with non- FQDNs is always forwarded to the DNS server.

Workaround: N/A

PZT-10946

Symptom: 9.2.0 On-Demand : will be triggered only when the per-app application is being used to access the resources.

Workaround: N/A (Use Classic Per-app VPN applications to access the resources to get connect with ).

PZT-10971

Symptom: 9.2.0 Transition : Update MDM profile and push disconnects the connection.

Workaround: N/A (MDM always set its latest update configuration as default and it is limitation).

PZT-12681

Symptom: for Windows 10 prompts for credentials when the device is unenrolled.

Workaround: Post-enrollment, wait for approximately 2 minutes and try to connect to the controller. The user will get the Certificate revoke message, and after accepting the warning the profile and certificates are deleted.

PZT-14224

Symptom: If you have a classic OnDemand VPN connection and your connection is in monitoring mode, when you attempt to access a resource, connects to the classic OnDemand VPN profile and displays a transition notification to the user.

Workaround: N/A

PZT-14316

Symptom: fails with Error-1111 when a classic VPN fails to resolve the FQDN.

Workaround: The user must disconnect both classic and connections, then connect first followed by the classic VPN. Alternatively, set the client DNS IP address to public to facilitate resolving classic and connections.

PZT-14581

Symptom: When for Desktops is uninstalled, stale certificates are not cleaned up.

Workaround: Manually delete certificates from the Cert/Key Store.

PZT-15072

Symptom: The AAA service should send only one alert for one object error.

Workaround: N/A

PZT-15278

Symptom: Client config- Mac- Delete and Add connection not allowed, but the Add and Delete button is not shown as disabled.

Workaround: N/A

PZT-19786

Symptom: Login not happening immediately after resetting password for account lock cases.

Workaround: N/A

PZT-20681

Symptom: "subject_name_format" and "subject_name" SAML attributes are displayed under the SAML config table, and custom attributes are displayed under the SAML app attributes table as expected. Once configured, these attributes are not deleted even if the admin tries to delete them through the UI. We are still allowing deletion since we have to allow the admin to change the values if needed.

Workaround: N/A

PZT-23409

Symptom: CEF EUP on mac: Network error message is thrown in the CEF-based EUP post-authenticating with .

Workaround: Close the CEF portal and launch it again.

PZT-25360

Symptom: Gateway service REST API: Dynamic tunnel configuration values are incorrectly exposed.

Workaround: Updated APIs are targeted to be made available in v21.11.

PZT-26083

Symptom: A resource or application is intermittently not accessible when the connection resumes from the Connect-Idle state.

Workaround: Close the web browser and Launch the application through the end-user portal.

PZT-26394

Symptom: In some scenarios, logs are not visible in the Controller for an ESXi gateway.

Workaround: Perform a warm restart of the Gateway from the console.

PZT-26399

Symptom: sometimes gets stuck in a connect requested state.

Workaround: N/A

PZT-27820

Symptom: Windows 11: An internet application is blocked when the same DNS IP address is configured on both the client device's physical network interface and in the DNS settings.

Workaround: Use a different DNS IP address for the physical interface and for the DNS settings.

PZT-29002

Symptom: Manual configuration of a SAML authentication server is not supported with Gateways older than v21.12.

Workaround: Upgrade all Gateways to v21.12 or later. Alternatively, for Gateways older than v21.12, use only the metadata file based configuration method.

PZT-29280

Symptom: In some circumstances, Gateways are not being automatically upgraded as per the configured maintenance schedule.

Workaround: If a scheduled update fails, update the Gateway manually.

PZT-31744

Symptom: Application Groups filter is not shown correctly and is hidden behind another panel. Unable to view the filtered application fully in the chip below.

Workaround: None

PLD-952

Symptom: Unable to take a connection to the state where On-Demand functionality is initiated.

Workaround: N/A

Release 22.3R1

PZT-27457

Symptom: Policy failure dashboard shows compliance and network rule failures when any one of the rules is passing on a client machine that has a common policy enforced comprising network and compliance rules together.

Workaround: None

PZT-34006

Symptom: Even when default policy evaluation fails, controller to client connection will be intact and not disconnected.

Workaround: None

PZT-35683

Symptom: CARTA message appears in the Client window while searching for any non-compliant application in a search engine.

Workaround: Disable the prefetching feature in the browser (for example, Google Chrome).

PZT-36083

Symptom: ISAC Uninstallation will be stuck with Certificate deletion prompt on Windows for connections.

Condition: On uninstalling ISAC with client connection.

Workaround: None

PZT-36623

Symptom: Allowed domains added under any configured application shows IP address instead of the application name when accessed on Analytics dashboards.

Workaround: None

PZT-36639

Symptom: Session Details not reported on and logs are not generated.

Workaround: None. Do not edit the JSON filter manually.

PZT-36750

Symptom: Lockdown enable/disable done on the tenant takes 3-9 minutes to be reflected in the client connstore.dat file.

Condition: When changes are made with respect to lockdown in the tenant.

Workaround: None

PZT-36813

Symptom: Risk Sense evaluation for Windows 10 22H2 endpoints is returning as 'Not Available'.

Workaround: Install any VLC app.

PZT-36911

Symptom: Top Risky Applications chart does not show any data when gateway filter is applied on All Users dashboard.

Workaround: N/A

PZT-36976

Symptom: Internet Traffic might be blocked during reconnection after recovering from sleep.

Workaround: Restart the dsAccessService using Activity monitor or restart the machine.

PZT-36977

Symptom: connection shows "Limited connectivity" and "Invalid client Certificate" messages.

Workaround: In the UI, delete the connection and then add the connection manually.

PCS-38630

Symptom: Upgrade from pre-22.3R1 to 22.3R1 appears to be stuck after importing system data.

Condition: When upgrading the gateway from pre-22.3R1 to 22.3R1.

Workaround: The issue is seen due to an increase in ICS package size. Refer to https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44877/?kA13Z000000L3Z5

PCS-39165

Symptom: For realms with TOTP enabled as secondary auth server, authentication may fail with an "Internal error occurred" log.

Workaround:

  • Go to Users Realm > Realm Name > Secondary Auth server.
  • Select any other Auth server available in the list and save.
  • Select the previously selected Auth server.

PCS-39291

Symptom: When Home Icon in Floating tool bar is clicked, the end-user gets "The page you requested could not be found" error.

Conditions: When the user clicks on Home Icon in the floating tool bar within an Advanced HTML5 session.

Workaround: Clear the browser cache and re-try.