Release 22.7R1.2

Symptom: Firewall device policy fails on endpoint when the advance settings are enabled on the firewall device rule with Microsoft product on Windows endpoint.

Workaround: NA

Symptom: For pre-canned roles login user, navigating to some pages shows not found message if the page is not meant for that role.

Workaround: NA

Symptom : End user logins will be blocked and admin login will show 401 error when AAA journal version is in bad state once a new ESAP version is activated under Administration > Installers > ESAP

Workaround : Edit the already configured Device Policy and remove the unsupported products from it and add the supported products. This applies for all the OPSWAT based device policies (AntiVirus, Firewall, Patch, AntiSpyware) irrespective whether these device policies are enforced on a specific Secure Access Policy

Symptom : ZTA data mismatch on the Home page (ZTA+NSA consolidated) as compared to the Overview page showing only ZTA specific data in the controller.

Workaround : NA

Symptom : User Access/Event logs not updated intermittently in the Gateways due to which analytics dashboards will not show relevant data once the gateway is upgraded to 22.7R2/22.7R1.2

Workaround : Reboot Gateway to get the user access/event logs along with Analytics data.

Symptom : Log export does not carry forward the advance filter, sort, search applied on the user access, event and admin logs under Insights

Workaround : NA

Release 22.6R1.2

Symptom: Enrollment fails from browser and will give error "SAP is not configured for /login /login/enroll" when device policy is enforced on the user sign-in policy and the same device policy is modified.

Workaround: Navigate to Secure Access->Manage Users->User Policies and need to edit/save the user policy on which device policy is mapped post changing the device policy.

Symptom: If a user group has a SAML attribute user rule mapped to it, changing SAML auth to local auth in the user policy should alert with a warning.

Workaround: Remove user rule which has SAML attribute before changing user authentication server from SAML auth to local authentication server.

Symptom: MDM device rule should not be added to the device policy which is enforced on the Admin sign-in URL under User Policies.

Workaround: NA

Symptom: Analytics dashboard shows the MDM device attribute failure if there is a hybrid device policy(Location, HC, MDM) enforced on Secure Access Policy wherein the non-compliance is actually due to HC/Location failures.

Workaround: NA

Symptom: Re-authentication using login to Ivanti Secure Access is not working.

Workaround: Click on 'connect' button manually.

Release 22.6R1

Symptom: While editing an existing FQDN app policy with App Discovery enabled to a URL based policy, App Discovery checkbox gets greyed out and not editable.

Workaround:

•Uncheck the App discovery first and then edit the application URL.

•Convert wildcard to URL.

Symptom : ZTA Gateway shows upgrade failed and shows a different version on the Secure Access Gateways dashboard when upgraded to latest version but the console of the gateway is successfully upgraded.

Workaround : None. End to end use case when connecting to the gateway is not impacted as the gateway is already upgraded to the latest version.

Symptom: Upgrade/Downgrade of ESAP might cause bad config state, if configured product not present in old release.

Workaround: If new product is configured with new ESAP version and downgraded to older version where that product is not available. Admin has to manually delete that product to get back the tenant in normal state. For example, when upgrading from ESAP 4.1.6 to ESAP 4.2.6, admin has to manually remove the vendor name "Broadcom" and product name "Symantec Endpoint Protection (0.0.x)" from the configured AV/AS/Firewall device policies.

Symptom: Gateway UI will not validate IP address /subnet and subnet GW info while creating ZTA Gateway under Manage Gateways.

Workaround: Admin has to provide the correct interface IP/subnet and subnet default Gateway info while configuring ZTA Gateway.

Symptom: UEBA Threat data for the user in the ZTA analytics dashboards as compared to the UEBA Threat report is different for the same timestamp.

Workaround: NA

Symptom: UEBA Threat score and UEBA Threat rank is not showing accurate for the users in active and historic view on the Analytics dashboards in case of simultaneous (ICS + ZTA) scenario.

Workaround: NA

Release 22.5R1.2

Symptom: Error 401 un-authorized when trying to login to the tenant with any of the pre-canned role like read-only, cxo and net admin if there are no gateways registered in the controller.

Workaround: Register ZTA gateway in the tenant controller and login.

Symptom: Page not found when trying to login with the pre-canned Network admin role configured under System >Admin Roles

Workaround : Create a custom admin role with only permissions to view the Manage Gateways dashboard which serves the purpose of the Network admin role.

Symptom: After a fresh installation of the client, it closes unexpectedly.

Condition: Manual or browser installation of the client.

Workaround: Open the client from the system tray.

Release 22.5R1

Symptom : Non-compliance policy failure reason is empty on the drill down log view dashboard when non-compliance is reported while accessing RDP/Ipv4 application type.

Workaround : NA

Symptom: Non-compliance policy failure reason on L4 (drill down) log dashboard states all the strings related to host check (HC) failures instead of a specific string, which caused the failure for that specific application access.

Workaround: NA

Symptom: The timestamp displayed under the cards in the User Info panel on Landing page is incorrect in the historic view.

Workaround: NA

Symptom: End user logins will be blocked and admin login shows 401 error when AAA journal version is in bad state once a new ESAP version is activated under Administration> Installers > ESAP.

Workaround: Edit the already configured Device Policy and remove the unsupported products from it and add the supported products. This applies for all the OPSWAT based device policies (Antivirus, Firewall, Patch, Antispyware) irrespective whether these device policies are enforced on a specific Secure Access Policy.

Symptom: Endpoint connection to the controller will fail and show the status as 'Failed' when Rule requirement > custom expression is configured under Secure Access > Manage Devices > Device Policies due to AAA journal version failure.

Workaround: Edit the device policy with custom expression and save again so AAA journal version will recover.

Release 22.4R3

Symptom : Tenant admin UI will be logged out frequently with 401 error and end user connections will be blocked due to incorrect cache in AAA.

Workaround : Find the XML import failure log in Insight > Admin logs and remove the unsupported product version from the device rule and save it.

Symptom: Multiple SAP policies with having Device policy configured with AV rule results in incorrect cache on AAA.

Workaround: NA

Symptom: Intermittently it is observed inconsistency in historic view data in analytics dashboards

Workaround: NA

Symptom :  GCP gateway is not in the connected state after reboot. Using the GCP VM control options (Reset and Stop/Start)

Workaround: Post deploying the gateway instance in GCP after the successful registration of gateway to the controller, reboot from serial console of the instance once to avoid the issue. Also we dont recommend to use hard reset to reboot the cloud gateways.

Symptom : Application details with Kerberos/LDAP/NTP or unknown port numbers not detecting while creating Secure Access Policy when migrating from ICS to ZTA.

Workaround : Admin need to modify the application details manually by adding the relevant port number at the end of FQDN/IP. For example in case of LDAP, ldap://<FQDN> need to be changed to <FQDN>:389 and for Kerberos, kerberos://<IP> need to be changed to <IP>:88

Symptoms: Ivanti client is not able to connect to the gateway and fails with error 1147 - Invalid client certificate during upgrade/rollback of a standalone or gateway group

Workaround: If it is a standalone gateway, then the gateway need to be added to a gateway group and removed back to perform certificate renewal and reboot the gateway. If a gateway is already a part of gateway group, then it needs to be removed and added back to the gateway group.

Symptom :  GCP gateway is not in the connected state after reboot using the GCP VM control options (Reset and Stop/Start)

Workaround : Post deploying the gateway instance in GCP after the successful registration of gateway to the controller, reboot from serial console of the instance once to avoid the issue. Also we dont recommend to use hard reset to reboot the cloud gateways.

Symptom: End user logins will be blocked and admin login will show 401 error when AAA journal version is in bad state once a new ESAP version is activated under Administration > Installers > ESAP.

Workaround: Edit the already configured Device Policy and remove the unsupported products from it and add the supported products. This applies to all the OPSWAT based device policies (AntiVirus, Firewall, Patch, AntiSpyware) irrespective whether these device policies are enforced on a specific Secure Access Policy.

Symptom: At end of every end UEBA Threat Score is recalculated and there could be a change in the Threat Score

Workaround: NA

Symptom: After upgrading MOD AAA  to latest build, assigned roles are missing in cache and  admin login might fail.

Workaround: After upgrading edit admin groups and then save.

Symptom : Enrollment/Auth is blocked when connection is made from an endpoint which does not have the source_IP listed in allow/block criteria in the Network device policy which is enforced on User policy.

Workaround : Create Network Device policy to allow the source_IP/s instead of denying as the default action is to deny.

Symptom : 500 error intermittently seen on the dashboard when un-enrolling clients from 'Manage Devices' and new device enrollment will fail on the endpoint due to connectivity issue between the client service and redis.

Workaround : Restart client service on the controller.

Symptom: Non-compliance count mismatch on the analytics dashboards in the summary strip and non-compliance info panel in historic view when non-compliances are reported in the same hour from the same user.

Workaround: NA.

Symptom:CARTA check failing on MAC OSX for the predefined and custom device policies.

WorkAround: Disconnect and connect again to re-evaluate the compliance and perform remediation accordingly.

Symptom: Firewall device policy not evaluated on the endpoint when default Microsoft product is configured while having 'Rule options' and rule monitoring on.

Workaround: NA

Symptom: If previously selected Client package version is not present after upgrade, latest version will be set to default with auto upgrade enabled.

Workaround: Select the required client version if the admin don't want to use latest client version after upgrade.

Symptom: RiskSense Notify device policy blocks enrollment via web browser when applied on the Enrollment User sign policy.

Workaround: Device policy should be configured with multiple device rules apart from RiskSense notify policy OR Connect to ZTA connection profile directly from Ivanti client already installed on the endpoint.

Symptom: UI misaligned when host checker policy fails in the web browser and 'Try Again' button is clicked on Windows endpoint

Workaround: NA

Symptom: Device policy enforced on the sign-in policy does not get updated when any device rule is modified to that corresponding device policy.

Workaround: Navigate to Secure Access->Manage Users->User Policies and EDIT the User policy where the device policy is enforced and 'Update User policy'.

Symptom: Non-compliance card shown on Analytics dashboard for applications having device policy enforced which is configured for one Operating System and the non-compliance is reported on another Operating System.

Workaround: NA

Symptom: SAML user with error "invalid assertion" received on the endpoint frequently in the CEF browser when connecting to ZTA.

Workaround: Click on 'Sign-in' and re-try on getting the error dialog with "invalid assertion".

Symptom: Location Device rule does not save properly when denying access from a specific city but allowing access from the same country.

Workaround:Delete the location rule and add a new one.

Symptom: No error string or instruction displayed on the Ivanti client when Network/Location/RiskSense policy is enforced on User Enrollment/Authentication Sign in URL and the compliance fails on the endpoint due to any of these device policies.

Workaround: Navigate to Insight->Logs->Access logs to view the compliance logs for admin. NA for the end user.

Symptom: ZTA gateway console may show Register as one of the option in the menu, even though the Gateway is already registered.

Condition: Sometimes with Cloud it is taking a while for the registration process to get completed. Hence when the console options are displayed after registration process is triggered , the register option is still present in the console menu.

Workaround: Pressing enter key after few secs the register option won't be present in the gateway console menu.

Symptom: Controller UI should show error while creating Gateway Group if one of the Gateway in the Gateway Group is mapped with a known network tag in Gateway Selector configuration.

Workaround:NA

Symptom: Session Migration from one network to another still shows the session with the older source IP under Insights->Users-> Active Sessions.

Workaround: NA

Symptom: Time Of Day Device policy cannot be enforced while creating Secure Access Policy when gateway selectors are used.

Workaround: Use standalone gateways or gateway groups instead of gateway selectors.

Symptom: Report format CSV/JSON has the epoch timestamp instead of human readable.

Workaround : NA

Symptom : Authentication URL gives error as 'SAP is not configured' when trying to open from browser

Workaround : Navigate to Secure Access->Manage Users->User Groups. Edit the user group and save it again.

SymptomThe timestamp displayed under the cards in the User Info panel on Landing page is incorrect in the historic view.

Workaround: NA

Symptom: Sankey chart does not show the exact path for application being accessed with respect to user group.

Workaround: NA

Symptom: Allowed domains added under any configured application shows IP address instead of the application name when accessed on analytics dashboards.

Workaround: NA

Symptom: Sign in button is visible for the end user even when the UEBA score has crossed the threshold and user is denied login.

Workaround: NA

Symptom: Ivanti client will not be able to connect to the gateway and fails with error 1147 - Invalid client certificate.

Workaround: Remove gateway from the gateway group and then add it back.

Symptom: Policy failure dashboard shows compliance and network rule failures when any one of the rule is passing on the client machine having a common policy enforced which comprises of network and compliance rules together.

Workaround: NA

Symptom: MFA Support : signing in an older version client through a MFA device policy with TOTP enabled causes a loading components page or loop after TOTP registration in the end-user portal.

Workaround: TOTP is supported for client versions applicable to the 22.2R1 release only. Make sure your client software is up-to-date.

Symptom: Admin rules cannot be deleted when attached to an admin group.

Workaround: Select only rules that are not associated with any admin groups for deletion.

Symptom: Applications page lacks row level actions.

Workaround: Scroll to top after selection to edit/delete.

Symptom: Sign in button is visible for the end user even when the UEBA  score has crossed the threshold and user is denied login.

Workaround: N/A

Symptom: Subscription page gateway filters don't work under some conditions.

Workaround: None

Symptom: Sankey chart does not show the exact path for application being accessed with respect to  user group.

Workaround: N/A

Symptom: When ICS and ZTA components already installed on the endpoint, auth re-directs to default login URL instead of custom SAML auth URL when trying to enroll with multi sign-in URL.

Workaround: Deep clean endpoint with all client components and do fresh installation.

Symptom: Non-compliance cards not seen on the Analytics Dashboards for Application types - SSH, Telnet, RDP and IPv4.

Workaround: N/A

Symptom: Authentication URL gives error as 'SAP is not configured' when trying to open from browser.

Workaround: Navigate to Secure Access > Manage Users > User Groups. Edit the user group and save it again.

Symptom: The page appears broken when visiting Gateway Logs in Chrome browser.

Workaround: Please follow these steps in your Chrome browser:

1. Go to chrome://settings/system.
2. Enable hardware acceleration by clicking on the "Use hardware acceleration when available" switch.
3. Relaunch the browser.

Symptom: Report format CSV/JSON has the epoch timestamp instead of human readable.

Workaround: N/A

Symptom: Auth Failure messages with the username as SYSTEM are observed in the Top Auth Failures chart on L2 All Users Dashboard when authentication method is SAML and the user has crossed the UEBA threat score threshold configured as a part of Actionable Insights.

Workaround: N/A

Symptom: When IP resource is added with FQDN sub-domain, FQDN sub-domain is not sent for the client.

Workaround: Add FQDN as main resource and add IP as sub-domains.

Symptom: Time Of Day Device policy cannot be enforced while creating Secure Access Policy when gateway selectors are used.

Workaround: Use standalone gateways or gateway groups instead of gateway selectors.

Symptom: If 22.2R1 or below version of gateways are present & OGS feature is configured, older gateways may not go to ready state.

Workaround: Upgrade gateways to 22.3R1 and above to use OGS feature.

Symptom: User name with %40 is shown in Tenant access log when SAML-based authentication and device policy are enabled at Secure Access Policy (SAP).

Workaround: N/A

Symptom: After un-enrollment of profile, the VPN connection should be disconnected instantly and the profile should be removed from .

Workaround: Open and move between the screens. A pop-up message should appear warning that the certificate is revoked. The profile is removed automatically.

Symptom: VOD: is not notifying the end user when Notification is turned off.

Workaround: Enable Notification for the in iOS Device settings.

Symptom: Simultaneous connections: After switching to a new user, shows the enrollment details.

Workaround: N/A

Symptom: OS check for Android is failing while updating the policy dynamically.

Workaround: None

Symptom: Dynamic policy update is not working when the same iOS OS device policy is updated for deny and allow access.

Workaround: None

Symptom: ESAP Upgrade for sometimes does not work when classic VPN and connections use different ESAP versions.

Workaround: Make sure classic VPN and connections use the same ESAP version.

Symptom: Captive portal detection is not working with connection.

Workaround: Open a browser window. The user should then be re-directed to the Captive portal for Guest authentication.

Symptom: Resource access is not going over when chrome is enabled with Secure DNS feature.

Workaround: Disable the Secure DNS option on chrome settings or use the DNS server which supports 443. https://en.wikipedia.org/wiki/Public_recursive_name_server

Symptom: [Windows] Simultaneous connections: With the bng-vpn and (corporate) connections both active, Microsoft Outlook is not reachable.

Workaround: N/A

Symptom: [Windows] nslookup with non- FQDNs is always forwarded to the DNS server.

Workaround: N/A

Symptom: 9.2.0 On-Demand : will be triggered only when the per-app application is being used to access the resources.

Workaround: N/A (Use Classic Per-app VPN applications to access the resources to get connect with ).

Symptom: 9.2.0 Transition : Update MDM profile and push disconnects the connection.

Workaround: N/A (MDM always set its latest update configuration as default and it is limitation).

Symptom: for Windows 10 prompts for credentials when the device is unenrolled.

Workaround: Post-enrollment, wait for approximately 2 minutes and try to connect to the controller. The user will get the Certificate revoke message, and after accepting the warning the profile and certificates are deleted.

Symptom: If you have a classic OnDemand VPN connection and your connection is in monitoring mode, when you attempt to access a resource, connects to the classic OnDemand VPN profile and displays a transition notification to the user.

Workaround: N/A

Symptom: fails with Error-1111 when a classic VPN fails to resolve the FQDN.

Workaround: The user must disconnect both classic and connections, then connect first followed by the classic VPN. Alternatively, set the client DNS IP address to public to facilitate resolving classic and connections.

Symptom: When for Desktops is uninstalled, stale certificates are not cleaned up.

Workaround: Manually delete certificates from the Cert/Key Store.

Symptom: The AAA service should send only one alert for one object error.

Workaround: N/A

Symptom: Client config- Mac- Delete and Add connection not allowed, but the Add and Delete button is not shown as disabled.

Workaround: N/A

Symptom: Login not happening immediately after resetting password for account lock cases.

Workaround: N/A

Symptom: "subject_name_format" and subject_name" SAML attributes are displayed under the SAML config table, and custom attributes are displayed under the SAML app attributes table as expected. Once configured, these attributes are not deleted even if the admin tries to delete them through the UI. We are still allowing deletion since we have to allow the admin to change the values if needed.

Workaround: N/A

Symptom: CEF EUP on mac: Network error message is thrown in the CEF-based EUP post-authenticating with .

Workaround: Close the CEF portal and launch it again.

Symptom: Gateway service REST API: Dynamic tunnel configuration values are incorrectly exposed.

Workaround: Updated APIs are targeted to be made available in v21.11.

Symptom: A resource or application is intermittently not accessible when the connection resumes from the Connect-Idle state.

Workaround: Close the web browser and Launch the application through the end-user portal.

Symptom: In some scenarios, logs are not visible in the Controller for an ESXi gateway.

Workaround: Perform a warm restart of the Gateway from the console.

Symptom: sometimes gets stuck in a connect requested state.

Workaround: N/A

Symptom: Windows 11: An internet application is blocked when the same DNS IP address is configured on both the client device's physical network interface and in the DNS settings.

Workaround: Use a different DNS IP address for the physical interface and for the DNS settings.

Symptom: Manual configuration of a SAML authentication server is not supported with Gateways older than v21.12.

Workaround: Upgrade all Gateways to v21.12 or later. Alternatively, for Gateways older than v21.12, use only the metadata file based configuration method.

Symptom: In some circumstances, Gateways are not being automatically upgraded as per the configured maintenance schedule.

Workaround: If a scheduled update fails, update the Gateway manually.

Symptom: Application Groups filter is not shown correctly and is hidden behind another panel. Unable to view the filtered application fully in the chip below.

Workaround: None

Symptom: Unable to take a connection to the state where On-Demand functionality is initiated.

Workaround: N/A

Symptom: Policy failure dashboard shows compliance and network rule failures when any one of the rule is passing on the client machine having a common policy enforced which comprises of network and compliance rules together.

Workaround: None

Symptom: Even when default policy evaluation fails, controller to client connection will be intact and not disconnected.

Workaround: None

Symptom: CARTA Message appears in Client Window, while searching any Non Compliance application in search engine.

Workaround: Disable this prefetching feature in the browser (For example, Google Chrome).

Symptom: ISAC Uninstallation will be stuck with Certificate deletion prompt on Windows for connections.

Condition: On uninstalling ISAC with client connection.

Workaround: None

Symptom: Allowed domains added under any configured application shows IP address instead of the application name when accessed on Analytics dashboards.

Workaround: None

Symptom: Session Details not reported on and logs are not generated.

Workaround: None. Do not edit the JSON filter manually.

Symptom: Lockdown enable/disable done on tenant, taking 3-9 minutes to reflect in client connstore.dat file.

Condition: When we make changes with respect to lockdown in the tenant.

Workaround: None

Symptom: Risk Sense evaluation for Windows 10 22H2 endpoints is returning as 'Not Available'.

Workaround: Install any VLC app.

Symptom: Top Risky Applications chart does not show any data when gateway filter is applied on All Users dashboard.

Workaround : N/A

Symptom: Internet Traffic might be blocked during reconnection after recovering from sleep.

Workaround: Restart the dsAccessService using Activity monitor or restart the machine.

Symptom: connection shows "Limited connectivity" and "Invalid client Certificate" messages.

Workaround: In the UI, delete the connection and then add the connection manually.

Symptom: Upgrade from pre-22.3R1 to 22.3R1 appears to be stuck after importing system data.

Condition: When upgrading the gateway from pre-22.3R1 to 22.3R1.

Workaround: The issue is seen due to increase in ICS package size. Refer https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44877/?kA13Z000000L3Z5

Workaround:

• Go to Users Realm > Realm Name > Secondary Auth server.
• Select any other Auth server available in the list and save.
• Select the previously selected Auth server.