User unable to connect to VPN portal address after USMT data transfer to new PC

KawaJosh — Thu, 05 Jan 2023 21:33:36 GMT

We recently started using Smart Deploy to image computers, and capture/deploy user profile data. I am having an issue that is hit or miss with each user profile that is migrated to the newly imaged computer using Smart Deploy (utilizes USMT). Smart Deploy leaves the default MIG.user, MIG.docs, and MIG.apps as is with the scan state and load state. I have the Application settings unchecked (Basically leaving out the MIG.apps).

The base imaged computer before data is transferred and after data is transferred will work with any other user attempting to connect to the VPN portal address, but the user whose data was transferred to that PC is unable to connect to the primary VPN portal address BUT is able to connect to the secondary VPN portal address. A quick note about the secondary is that users within our division never use the secondary or attempt to connect to it, only the primary. I have cleared out the computer and user certificates on the old machine, uninstalled Global Protect, deleted global protect files/folders, and ran a registry application to repair any issues. I also manually installed the VPN certificates on the new machine with no luck.

I then tried to capture the data again and redeploy it to the machine (after putting a new image on it again) and get the same error. Any help/ideas would be appreciated, thank you!

"The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect."

Re: User unable to connect to VPN portal address after USMT data transfer to new PC

nikoolayy1 — Mon, 09 Jan 2023 07:59:32 GMT

Did you do pcap on the firewall portal 1 to see if the client reaches the portal also did you check for drop pcap or global counters (you can see https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102 )? Also check the Globalprotect logs on Firewall portal GUI or the HIP match logs.

You may also check if there is an issue between the AAA server and the Palo Alto firewall as mentioned in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A9 . As it is just this user maybe not but maybe the AAA server does not return in time a reply.

Outside of that also collect logs from the PANGPS service on the computer https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS

My final thought is as you migrated all the data maybe things that shouldn't have been migrated have been like the globalprotect cookies or system info that the portal collects for HIP checks, so to clear the connection on the globalprotect agent and if it does not helpreinstall VPN agent on the computer. As the tool you use for migration maybe is nor migrating all the req keys for example, the issue may not be with Palo Alto, so also check with the tool vendor. Usefull links:

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/about-globalprotect-user-authentication/how-does-the-app-know-what-credentials-to-supply/cookie-authentication-on-the-portal-or-gateway

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POUICA4&lang=en_US%E2%80%A9

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSYCA4

topic User unable to connect to VPN portal address after USMT data transfer to new PC in GlobalProtect Discussions

User unable to connect to VPN portal address after USMT data transfer to new PC

Re: User unable to connect to VPN portal address after USMT data transfer to new PC