Gateway Unresponsive or unreachable.

M.Caudle — Fri, 18 Oct 2024 14:51:16 GMT

Unable to connect to one of our global protect gateways. Debug log of PanGPS attached with its attempt to connect to the gateway. I have checked all the gateway settings, and they match the working gateway, so I am at a loss on what to look for. The working Gateway is on a HA pair of 5220 in active/passive mode, and the non working gateway is on a HA pair of 3420 in active/passive mode.

(P4512-T18044)Debug(5680): 10/18/24 09:30:16:912 getaddrinfo host.GetString() <correct external ip>
(P4512-T18044)Debug(5804): 10/18/24 09:30:16:951 Gateway <correct external ip>(<correct external ip>): ipv4 <correct external ip>, ipv6 , FQDN yes
(P4512-T18044)Debug(4987): 10/18/24 09:30:16:951 Reset saml auth status for manual gateway
(P4512-T18044)Debug(4992): 10/18/24 09:30:16:951 dwRemoteHost is 0 for gateway <correct external ip>. Retrieve client ip.
(P4512-T18044)Debug(3106): 10/18/24 09:30:16:951 Gateway: <correct external ip>, client IP: 172.22.145.27
(P4512-T18044)Debug(7993): 10/18/24 09:30:16:951 --Set state to Connecting...
(P4512-T18044)Debug(2645): 10/18/24 09:30:16:951 retrieve info of gateway <correct external ip>
(P4512-T18044)Debug(2410): 10/18/24 09:30:16:951 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Enterprise , 64-bit).
(P4512-T18044)Debug(2468): 10/18/24 09:30:16:951 open http session. agent is PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Enterprise , 64-bit)
(P4512-T18044)Debug(2410): 10/18/24 09:30:16:951 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Enterprise , 64-bit).
(P4512-T18044)Debug( 476): 10/18/24 09:30:16:956 winhttp SetSecureProtocol, hSession=f7b78da0, bAllProtocol=0, gbFips=0
(P4512-T18044)Debug(2656): 10/18/24 09:30:16:956 Skip setting proxy for creating tunnel to gateway <correct external ip>
(P4512-T18044)Debug(3599): 10/18/24 09:30:16:956 m_msp->IsInPreserveTunnel() 0, m_msp->IsPrelogonRenameAuthFail() 0
(P4512-T18044)Debug(16119): 10/18/24 09:30:16:956 Set m_bPrelogonRenameAuthFail to 0
(P4512-T18044)Debug(3629): 10/18/24 09:30:16:956 CPanGateway::RetrieveGatewayInfo portal default-browser value is 0, support yes
(P4512-T18044)Debug(3644): 10/18/24 09:30:16:956 ----Gateway Pre-login starts----
(P4512-T18044)Debug(13355): 10/18/24 09:30:16:956 Check cert of server <correct external ip>
(P4512-T18044)Debug(13370): 10/18/24 09:30:16:956 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P4512-T18044)Debug( 931): 10/18/24 09:30:16:956 SSL connecting to <correct external ip>
(P4512-T18044)Debug( 571): 10/18/24 09:30:16:960 Network is reachable
(P4512-T18044)Debug( 104): 10/18/24 09:30:21:989 connect failed with 5 seconds timeout.
(P4512-T18044)Debug( 626): 10/18/24 09:30:21:989 Failed to connect to <correct external ip> on 443 with return value -1 and socket error 0(0)
(P4512-T18044)Debug( 936): 10/18/24 09:30:21:989 do_tcp_connect() failed
(P4512-T18044)Error(13402): 10/18/24 09:30:21:989 ConnectSSL: Failed to connect to '<correct external ip>:443'. Disconnect ssl.
(P4512-T18044)Debug(13415): 10/18/24 09:30:21:989 Cannot get server cert of <correct external ip>
(P4512-T18044)Debug(6518): 10/18/24 09:30:21:989 Already tried both ipv4 and ipv6 for gateway <correct external ip>
(P4512-T18044)Debug(6529): 10/18/24 09:30:21:989 pretunnel latency (manual gateway) is 1
(P4512-T18044)Error(3695): 10/18/24 09:30:21:989 Failed to connect to gateway <correct external ip>.
(P4512-T18044)Debug(5837): 10/18/24 09:30:21:989 pg, error message for manual select gateway will not show.
(P4512-T18044)Debug(5851): 10/18/24 09:30:21:989 Show Gateway <correct external ip>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.

Re: Gateway Unresponsive or unreachable.

JayGolf — Wed, 23 Oct 2024 15:17:20 GMT

Hi @M.Caudle ,

It looks like the issue might be the SSL cert. The log shows, “Cannot get server cert,” I’d recommend double-checking that the SSL/TLS certificate on the non-working gateway is set up properly and matches the one on your working gateway. Also, make sure the certificate chain is complete and trusted by the client.

topic Gateway Unresponsive or unreachable. in GlobalProtect Discussions

Gateway Unresponsive or unreachable.

Re: Gateway Unresponsive or unreachable.