topic Re: RHEL 8: Cannot connect to local gpd service in GlobalProtect Discussions

RHEL 8: Cannot connect to local gpd service

D.White003479 — Tue, 27 Feb 2024 13:39:07 GMT

RHEL 8.9

GlobalProtect_UI_focal_rpm-6.1.4.0-711.rpm

Any "globalprotect" command on the command line returns:

Cannot connect to local gpd service.

The PanGPA "service" exits very quickly.

Any suggestions ?

Re: RHEL 8: Cannot connect to local gpd service

kiwi — Wed, 28 Feb 2024 09:25:00 GMT

Hi @D.White003479 ,

RH 8.9 is not listed on the compatibility matrix.

Guess it's not (yet) supported:

https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/where-can-i-install-the-globalprotect-app

Kind regards,

-Kim.

Re: RHEL 8: Cannot connect to local gpd service

D.White003479 — Wed, 28 Feb 2024 11:40:24 GMT

It is not explicitly listed, but then neither is 8.2, 8.5, 8.6, or 8.8

Sorry, not helpful.

Re: RHEL 8: Cannot connect to local gpd service

kiwi — Wed, 28 Feb 2024 14:01:58 GMT

Hi @D.White003479 ,

Sounds like PanGPA isn't actually running anymore. Can you confirm ?

$ ps -ef | grep -i pangpa

If not, can you try this to start PanGPA manually and see if that works ?:

$ source /etc/profile.d/PanMSInit.sh (might be located in another path ... not sure about that).

Kind regards,

-Kim.

Re: RHEL 8: Cannot connect to local gpd service

D.White003479 — Wed, 28 Feb 2024 14:20:34 GMT

The file /etc/profile.d/PanMSInit.sh contains:

#!/bin/bash
PANGPA=/opt/paloaltonetworks/globalprotect/PanGPA
pgrep -u $USER PanGPA > /dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ -f $PANGPA ]; then 
        $PANGPA start &
    fi
fi

That binary exits only a few seconds after running it.

Is there any known way to debug this ?

Re: RHEL 8: Cannot connect to local gpd service

kiwi — Wed, 28 Feb 2024 15:28:08 GMT

Hi @D.White003479 ,

Seems like the script isn't being initialised by the correct user.

Can you check if the user table actually shows your logged in user ?

> who -u

Make sure to run globalprotect as the same user running PanGPA.

Similar issue discussed here:

https://live.paloaltonetworks.com/t5/general-topics/globalprotect-cannot-connect-to-local-gpd-service/m-p/247199#M70350

Hope this helps,

-Kim.

Re: RHEL 8: Cannot connect to local gpd service

D.White003479 — Wed, 28 Feb 2024 15:56:23 GMT

PanGPA will not stay running.

Why ?

Re: RHEL 8: Cannot connect to local gpd service

kiwi — Wed, 28 Feb 2024 17:16:40 GMT

Hi @D.White003479 ,

You might get more information increasing to debug log level and checking the panGPA.log file.

Kind regards,

-Kim.

Re: RHEL 8: Cannot connect to local gpd service

D.White003479 — Wed, 28 Feb 2024 18:15:01 GMT

The Linux client comes with no instructions or documentation.

How do I set the logging level ?

From a fresh reboot, I tried running the following commands:

globalprotect launch-ui
globalprotect

I also ran

/opt/paloaltonetworks/globalprotect/PanGPA start &

a few times. The quick response each time was

[1]+ Done /opt/paloaltonetworks/globalprotect/PanGPA start

and my process table:

$ ps -ef | grep global
root 1151 1 0 17:38 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPS
<userid> 2547 2231 0 17:40 tty2 00:00:00 dbus-run-session /opt/paloaltonetworks/globalprotect/PanGPUI
<userid> 2568 2547 0 17:40 tty2 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPUI

Now for the log files:

From my home directory:

$ cat .GlobalProtect/PanGPI.log 
P3029-T1837705024 02/28/2024 17:45:46:522 Info ( 226): ##############Run GPI into direct mode.##############
P3029-T1817569024 02/28/2024 17:45:46:522 Info ( 687): debug thread starts
chmod: cannot access '/*.log': No such file or directory
P3029-T1837705024 02/28/2024 17:45:46:523 Error( 80): CPanMsgQueue::create - failed to open message queue. error = 2
P3029-T1837705024 02/28/2024 17:45:46:523 Error( 50): ConnectToGPA fail with error 2.
P3029-T1817569024 02/28/2024 17:45:47:524 Info ( 693): debug thread ends
P3035-T-620284096 02/28/2024 17:45:54:501 Info ( 212): ##############Run GPI into prompt mode.##############
P3035-T-640420096 02/28/2024 17:45:54:501 Info ( 687): debug thread starts
chmod: cannot access '/*.log': No such file or directory
P3035-T-620284096 02/28/2024 17:45:54:501 Error( 80): CPanMsgQueue::create - failed to open message queue. error = 2
P3035-T-620284096 02/28/2024 17:45:54:501 Error( 50): ConnectToGPA fail with error 2.
P3035-T-640420096 02/28/2024 17:45:55:501 Info ( 693): debug thread ends

and


$ cat .GlobalProtect/PanGPUI.log 
P2568-T1132455680 02/28/2024 17:40:06:094 Info ( 687): debug thread starts
P2568-T2009580416 02/28/2024 17:43:07:303 Error( 89): Socket unable to connect to PanGPA
P2568-T2009580416 02/28/2024 17:43:07:303 Info ( 90): Retrying connection to PanGPA. Number of retries: 181

What is it trying to access to run a "chmod" on ?

Why am I getting "failed to open message queue" ?

and from /opt/paloaltonetworks:

$ cat /opt/paloaltonetworks/globalprotect/pan_gp_event.log
02/28/2024 17:38:43:863 [Info ]: GlobalProtect service started (client version: 6.1.4-711, OS version: Linux Red Hat Enterprise Linux 8.9).

and finally

$ cat /opt/paloaltonetworks/globalprotect/PanGPS.log
P1151-T733546304 02/28/2024 17:38:43:528 Debug( 336): PanGPS, working directory is /opt/paloaltonetworks/globalprotect/
P1151-T733546304 02/28/2024 17:38:43:529 Info ( 539): ####################### Start PanGPS service (ver: 6.1.4-711) #######################
P1151-T733546304 02/28/2024 17:38:43:529 Info ( 540): Debug level is 5, log path is /opt/paloaltonetworks/globalprotect/
P1151-T733546304 02/28/2024 17:38:43:530 Info ( 541): User is (null), home is /root, login is (null)
P1151-T733546304 02/28/2024 17:38:43:530 Info ( 150): Predeployed log-path-service is not set
P1151-T733546304 02/28/2024 17:38:43:530 Info ( 439): Get OS info: Red Hat Enterprise Linux 8.9
P1151-T733546304 02/28/2024 17:38:43:536 Debug( 464): Serial number is VMware-<redacted>
P1151-T733546304 02/28/2024 17:38:43:536 Debug( 107): IsDaemon is 1
P1151-T733546304 02/28/2024 17:38:43:541 Info ( 121): PrelogonEnabled is 0
P1151-T733546304 02/28/2024 17:38:43:541 Info ( 504): cannot open /var/run/PanGPS.pid, assume no old instance running
P1151-T711235328 02/28/2024 17:38:43:541 Info ( 687): debug thread starts
P1151-T733546304 02/28/2024 17:38:43:548 Debug( 285): stopping split tunnel feature!
P1151-T733546304 02/28/2024 17:38:43:548 Debug( 27): split tunnel script dir /opt/paloaltonetworks/globalprotect/network/config
P1151-T733546304 02/28/2024 17:38:43:551 Debug( 397): Uninstalling iptables DNS chain...
P1151-T733546304 02/28/2024 17:38:43:630 Debug( 27): split tunnel script dir /opt/paloaltonetworks/globalprotect/network/config
P1151-T733546304 02/28/2024 17:38:43:630 Debug( 459): Uninstalling iptables Split Tunnel chain & routing tables...
P1151-T733546304 02/28/2024 17:38:43:773 Debug( 306): split tunnel stopped!
P1151-T733546304 02/28/2024 17:38:43:773 Debug( 61): psv init called
P1151-T733546304 02/28/2024 17:38:43:833 Info (2458): CPanMSServiceLinux::findJoinDomain: szDomainName is : <DOMAIN>
P1151-T733546304 02/28/2024 17:38:43:833 Debug( 69): PanMSServiceLinux:ctor: m_szJoinDomain <DOMAIN>, m_szJoinDomainRaw <DOMAIN>
P1151-T733546304 02/28/2024 17:38:43:833 Debug( 72): PanMSServiceLinux:ctor: m_domainName <DOMAIN>, m_domainNameRaw <DOMAIN>
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 683): Service-only is no
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 735): Kerberos auth, stopOnKerberosFail=0()
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 740): Prefer ipv6 is yes.
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 763): CPanMSService::Init connect timeout 5, received timeout 30, portal timeout 5 
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 800): CPanMSService::Init fips: fipsc-cc-mode-enabled 
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 810): CPanMSService::Init enable-fips-cc-mode 
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 821): CPanMSService::Init fips: m_bFipsModeRequired 0 
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 238): GetValueBinary size 6
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 899): Mac address is <00-00-00-00-00-00 redacted>
P1151-T733546304 02/28/2024 17:38:43:839 Debug(2402): pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.4-711 (Linux Red Hat Enterprise Linux 8.9).
P1151-T733546304 02/28/2024 17:38:43:839 Info (10860): CheckPrelogon: Portal is , PrelogonEnabled is no
P1151-T733546304 02/28/2024 17:38:43:861 Debug( 949): override-cc-username is no
P1151-T733546304 02/28/2024 17:38:43:862 Debug(5123): event log file is /opt/paloaltonetworks/globalprotect//pan_gp_event.log
P1151-T733546304 02/28/2024 17:38:43:863 Debug( 959): Event log thread started
P1151-T702842624 02/28/2024 17:38:43:863 Debug(5092): event log thread started.
P1151-T733546304 02/28/2024 17:38:43:863 Debug( 167): Time zone GMT offset is 0
P1151-T733546304 02/28/2024 17:38:43:865 Info (10749): Portal config does not exist, try registry/plist
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 354): default cert path is /etc/pki/tls/certs
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 379): default private key path is /etc/pki/tls/private
P1151-T733546304 02/28/2024 17:38:43:865 Debug(1485): cfg no client cert.
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 259): DLSA- agent is enable, restore lar during start up
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 261): DLSA- Pan LAR file is /opt/paloaltonetworks/globalprotect/pan_lar.dat
P1151-T733546304 02/28/2024 17:38:43:866 Debug( 266): LAR file does not exist. 
P1151-T733546304 02/28/2024 17:38:43:866 Debug( 72): CControlManagerLinux::StartServer() isFipsModeRequired() 0
P1151-T733546304 02/28/2024 17:38:43:866 Debug( 554): Start tunnel driver.
P1151-T733546304 02/28/2024 17:38:43:881 Info ( 114): Service callback table gets set.
P1151-T733546304 02/28/2024 17:38:43:881 Debug( 230): set virtual interface driver started as yes
P1151-T733546304 02/28/2024 17:38:43:881 Debug( 592): Virtual interface is started
P1151-T686057216 02/28/2024 17:38:43:883 Info ( 102): Start ServerThread
P1151-T694449920 02/28/2024 17:38:43:883 Debug( 440): RecvThread started.
P1151-T686057216 02/28/2024 17:38:43:885 Debug( 84): thread StartPanGPAThread is created.
P1151-T686057216 02/28/2024 17:38:43:885 Debug(10886): CPanMSService::StartPrelogonThread DaemonProcess: yes, InPrelogon: no
P1151-T686057216 02/28/2024 17:38:43:885 Debug(13470): Enforcer is not enabled

RHEL 8 does not use iptables.

It uses nftables (and firewalld)

What is it trying to do with Kerberos ?

Where should the portal config be and what is the syntax / content ?

I have lots more questions and I am still looking for answers, please.