Internal host detection issue

MNoble — Thu, 19 Oct 2023 16:19:38 GMT

Hello,

Current setup is a 440 running 10.1.10-h2.

Global Protect version is 6.1.2

I have double and triple checked that it's not a reverse dns issue, following this article:

GlobalProtect app fails to detect Internal Network with Interna... - Knowledge Base - Palo Alto Networks

global protect tries to connect internally to the vpn it fails with this error "The network connection is unreachable, or the portable is unresponsive. check the network connection and reconnect."

We have no internal Gateway configured.

Thanks!

The PanGPS.log snippet:

P11368-T10824)Debug(3062): 10/19/23 10:39:46:681 Gateway: vpn gateway, client IP: 10.51.10.30
(P11368-T10824)Debug(2616): 10/19/23 10:39:46:684 retrieve info of gateway vpn gateway
(P11368-T10824)Debug(2402): 10/19/23 10:39:46:684 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T10824)Debug(2370): 10/19/23 10:39:46:684 open http session. agent is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit)
(P11368-T10824)Debug(2402): 10/19/23 10:39:46:684 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T10824)Debug( 469): 10/19/23 10:39:46:685 winhttp SetSecureProtocol, hSession=06412540, bAllProtocol=0, gbFips=0
(P11368-T10824)Debug(2627): 10/19/23 10:39:46:685 Skip setting proxy for creating tunnel to gateway vpn.dpwt.com
(P11368-T10824)Debug(3537): 10/19/23 10:39:46:685 m_msp->IsInPreserveTunnel() 0, m_msp->IsPrelogonRenameAuthFail() 0
(P11368-T10824)Debug(14428): 10/19/23 10:39:46:685 Set m_bPrelogonRenameAuthFail to 0
(P11368-T10824)Debug(3567): 10/19/23 10:39:46:685 CPanGateway::RetrieveGatewayInfo portal default-browser value is 0, support yes
(P11368-T10824)Debug(3582): 10/19/23 10:39:46:685 ----Gateway Pre-login starts----
(P11368-T10824)Debug(11821): 10/19/23 10:39:46:685 Check cert of server vpn
(P11368-T10824)Debug(11836): 10/19/23 10:39:46:686 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P11368-T10824)Debug( 931): 10/19/23 10:39:46:686 SSL connecting to VPN IP
(P11368-T10824)Debug( 564): 10/19/23 10:39:46:692 Network is reachable
(P11368-T23104)Debug(2402): 10/19/23 10:39:48:687 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T23104)Debug( 564): 10/19/23 10:39:48:691 Network is reachable
(P11368-T23104)Debug( 149): 10/19/23 10:39:48:715 CPD, pan_http_captive_portal_detection: status is 200
(P11368-T23104)Debug( 162): 10/19/23 10:39:48:715 CPD, pan_http_captive_portal_detection() - captive portal isn't detected against server.
(P11368-T23104)Debug(5615): 10/19/23 10:39:48:715 CPD, index=0, iRet=-1, lastError=0
(P11368-T23104)Debug(5633): 10/19/23 10:39:48:715 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 200
(P11368-T23104)Debug(2402): 10/19/23 10:39:48:715 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T23104)Debug( 564): 10/19/23 10:39:48:722 Network is reachable
(P11368-T23104)Debug( 149): 10/19/23 10:39:48:735 CPD, pan_http_captive_portal_detection: status is 204
(P11368-T23104)Debug( 155): 10/19/23 10:39:48:735 CPD, no matching string
(P11368-T23104)Debug(5615): 10/19/23 10:39:48:735 CPD, index=1, iRet=-1, lastError=-1
(P11368-T23104)Debug(5633): 10/19/23 10:39:48:735 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 204
(P11368-T23104)Debug(2402): 10/19/23 10:39:48:735 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T23104)Debug( 564): 10/19/23 10:39:48:753 Network is reachable
(P11368-T23104)Debug( 149): 10/19/23 10:39:48:764 CPD, pan_http_captive_portal_detection: status is 200
(P11368-T23104)Debug( 162): 10/19/23 10:39:48:764 CPD, pan_http_captive_portal_detection() - captive portal isn't detected against server.
(P11368-T23104)Debug(5615): 10/19/23 10:39:48:764 CPD, index=2, iRet=-1, lastError=-1
(P11368-T23104)Debug(5633): 10/19/23 10:39:48:764 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 200
(P11368-T23104)Debug(5823): 10/19/23 10:39:48:764 CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(P11368-T23104)Debug(5702): 10/19/23 10:39:48:764 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(P11368-T10824)Debug( 104): 10/19/23 10:39:51:728 connect failed with 5 seconds timeout.
(P11368-T10824)Debug( 626): 10/19/23 10:39:51:728 Failed to connect to vpn on 443 with return value -1 and socket error 0(0)
(P11368-T10824)Debug( 936): 10/19/23 10:39:51:728 do_tcp_connect() failed
(P11368-T10824)Error(11868): 10/19/23 10:39:51:728 ConnectSSL: Failed to connect to '208.76.117.6:443'. Disconnect ssl.
(P11368-T10824)Debug(11881): 10/19/23 10:39:51:728 Cannot get server cert of 208.76.117.6
(P11368-T10824)Debug(6411): 10/19/23 10:39:51:728 Already tried both ipv4 and ipv6 for gateway vpn
(P11368-T10824)Debug(6422): 10/19/23 10:39:51:728 pretunnel latency (manual gateway) is 1
(P11368-T10824)Error(3633): 10/19/23 10:39:51:728 Failed to connect to gateway vpn domain.
(P11368-T10824)Debug(5756): 10/19/23 10:39:51:728 Show Gateway vpn: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
(P11368-T10824)Info (2672): 10/19/23 10:39:51:728 Failed to retrieve info for gateway vpn.
(P11368-T10824)Debug(2683): 10/19/23 10:39:51:728 tunnel to vpn is not created.
(P11368-T14704)Debug(2537): 10/19/23 10:39:51:728 Setting debug level to 5
(P11368-T10824)Error(6354): 10/19/23 10:39:51:728 NetworkDiscoverThread: failed to discover external network.
(P11368-T10824)Debug(7417): 10/19/23 10:39:51:728 --Set state to Disconnected
(P11368-T10824)Debug(6418): 10/19/23 10:39:51:728 NetworkDiscoverThread: PortalStatus is 2, HasLoggedOnGateway is 0
(P11368-T10824)Debug(6420): 10/19/23 10:39:51:728 NetworkDiscoverThread: ((PORTAL_CACHED_CONFIG == m_nPortalStatus) && !m_bHasLoggedOnGateway)
(P11368-T10824)Debug(6441): 10/19/23 10:39:51:728 Network discovery is not ready, set GP VPN status as disconnected
(P11368-T10824)Debug(11990): 10/19/23 10:39:51:728 SetVpnStatus called with new status=0, Previous Status=0
(P11368-T10824)Debug(4376): 10/19/23 10:39:51:728 UpdatePrelogonStateForSSO() - tunnel state = Disconnected
(P11368-T10196)Debug( 329): 10/19/23 10:39:55:648 PanGpHipMp.exe exit for checking misssing patches.
(P11368-T10196)Debug( 393): 10/19/23 10:39:55:648 CheckHipMissingPatchInOtherProcess(): exits.
(P11368-T10196)Debug( 471): 10/19/23 10:39:55:648 Hip missing patch checking duration is 9
(P11368-T10824)Debug(6529): 10/19/23 10:39:56:741 NetworkDiscoverThread: Network discover is not successful. Retry.
(P11368-T10824)Info (6547): 10/19/23 10:39:56:741 OnDemand mode, skip retry network discovery.
(P11368-T10824)Debug(5946): 10/19/23 10:39:56:741 NetworkDiscoverThread: wait for network discover event.

Re: Internal host detection issue

TomYoung — Thu, 19 Oct 2023 17:17:53 GMT

Hi @MNoble ,

If you do not have an internal gateway configured, then you are not using Internal Host Detection. This is most likely your issue -> https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Cm65.

Do you want your internal users to build an SSL or IPsec tunnel to the NGFW? If not, configure an internal gateway with Tunnel Mode unchecked and configure Internal Host Detection. Then you can use GP for User-ID only.

If you do want to build the tunnel, then create the NAT rule as described in the document so the traffic to the portal/gateway is not NATed.

Thanks,

Tom

Re: Internal host detection issue

MNoble — Thu, 19 Oct 2023 18:57:58 GMT

Thanks for your reply @TomYoung

My goal is for always on clients to be able to detect when on internal network but not connect to ssl/ipsec tunnel. my current situation is GP keeps trying to connect and showing an error.

So, an internal gateway is required in order for a global protect client to detect it's on an internal network?

Thanks

Re: Internal host detection issue

TomYoung — Thu, 19 Oct 2023 19:10:51 GMT

Hi @MNoble ,

Looking at this doc, I guess it is not required! https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways So, yes, you would configure Internal Host Detection. The internal gateway is optional.

I have seen other docs that say if the Internal Host Detection check is successful, the GP client will connect to an internal gateway. I always thought it was required.

Regardless, it sounds like you need to fix your connection to the portal. See the URL in my 1st post to resolve that issue.

Thanks,

Tom

Re: Internal host detection issue

MNoble — Mon, 23 Oct 2023 14:32:11 GMT

Sorry for the late reply,

I'm going to open up a ticket with support on this to get confirmation.

Thanks

topic Re: Internal host detection issue in GlobalProtect Discussions

Internal host detection issue

Re: Internal host detection issue

Re: Internal host detection issue

Re: Internal host detection issue

Re: Internal host detection issue