https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/545995#M111611 <P>Hello,</P> <P>I have an issue with Global protect connection for our customer.</P> <P>They are trying to connect via external PC/network and are having issues.&nbsp;&nbsp;</P> <P>When they are trying fomr internal PC/network they have no issues at all.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I have a log from Global Protect app that customer send me.&nbsp;</P> <P>Can you guys help me what could be the issue here ? I am running out of ideas. If you need more screen shots or logs from Palo Alto I can provide.&nbsp;</P> <P>&nbsp;</P> Wed, 14 Jun 2023 09:51:47 GMT Jozef_Kostan 2023-06-14T09:51:47Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/545995#M111611 <P>Hello,</P> <P>I have an issue with Global protect connection for our customer.</P> <P>They are trying to connect via external PC/network and are having issues.&nbsp;&nbsp;</P> <P>When they are trying fomr internal PC/network they have no issues at all.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I have a log from Global Protect app that customer send me.&nbsp;</P> <P>Can you guys help me what could be the issue here ? I am running out of ideas. If you need more screen shots or logs from Palo Alto I can provide.&nbsp;</P> <P>&nbsp;</P> Wed, 14 Jun 2023 09:51:47 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/545995#M111611 Jozef_Kostan 2023-06-14T09:51:47Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546018#M111619 <P>You try to connect to GlobalProtect from inside or outside the network?</P> <P>Portal and gateway run on same interface on Palo?</P> <P>Portal loads when you try to access it with browser from same computer?</P> Wed, 14 Jun 2023 12:39:36 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546018#M111619 Raido_Rattameister 2023-06-14T12:39:36Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546019#M111620 <P>Hello Raido,</P> <P>1/ When trying to connect from customer network it is working.&nbsp; When trying to connect via external network it is not working.&nbsp; They told me thay have some external PCs that they tried and not working.&nbsp; Right now they need a external consultant to be able to connect to Global Protect VPN and he cannot.&nbsp;</P> <P>2/ Yes both run on same interface on Palo Alto.&nbsp;</P> <P>3/ I tried from my personnal PC to get to vpnb.xxxxxxxxx.xx.com and was able to load the page.&nbsp; Tried from my work PC and same was able to load the vpnb.xxxxxx.xx.com web page.</P> <P>&nbsp;</P> <P>To add some info&nbsp;</P> <P>a/ Before 23.5.2023 the external user was able to connect via external PC.</P> <P>b/ We discovered with server gus that the Azure MFA certificate on that RADIUS server expired on 21.5.2023 so we renew it ( around 2nd of June ) as we thouoght this was the issue.&nbsp;</P> <P>c/ since 23.5.2023 the user is having issues to connect.&nbsp;</P> <P>Attaching another screen with user. Right now I think maybe it should work after the certificate renewal but looks like he locked himself on LDAP right now ?&nbsp;</P> <P>&nbsp;</P> Wed, 14 Jun 2023 12:50:56 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546019#M111620 Jozef_Kostan 2023-06-14T12:50:56Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546021#M111622 <P>From last screenshot.</P> <P>Portal login is with LDAP.</P> <P>Gateway login is with RADIUS.</P> <P>&nbsp;</P> <P>After 23.05 RADIUS gives timeout.</P> <P>&nbsp;</P> <P>Go to Monitor &gt; System and filter&nbsp;( subtype eq auth ) evets.</P> <P>From Monitor &gt; Traffic check if traffic is sent to RADIUS IP (in case this traffic passes Palo) and if there are return packets.</P> <P>If packets are sent but not returned then next step is to check RADIUS logs why it don't accept logins.</P> Wed, 14 Jun 2023 12:57:14 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546021#M111622 Raido_Rattameister 2023-06-14T12:57:14Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546027#M111624 <P>Hello Raido,</P> <P>&nbsp;</P> <P>Thank you for the info:</P> <P>I am attaching log from system monitor.&nbsp; So yeah looks like RADIUS server suddenly stopped working.&nbsp;&nbsp;</P> <P>Becasue as you can see from picture it was all working and something happened to it.</P> <P>&nbsp;</P> <P>And one more thing. Server guys do not know why but the NPA event viewer is 0. There is no log in it.&nbsp;</P> <P>&nbsp;</P> <P>And I found this in the event logs :</P> <P>This is from 12.05.2023 last time the user was able to connect without issues:</P> <P>NPS Extension for Azure MFA: CID: edbe2393-a7fb-4287-bf4d-064c8870798c : Access Accepted for user rpa with Azure MFA response: Success and message: session 31057c66-4c0c-4f2d-8064-e7041572e131</P> <P>&nbsp;</P> <P>And very first failure try from 23.05.2023</P> <P>NPS Extension for Azure MFA: IP Whitelist not intialized:: ErrorCode:: REGISTRY_CONFIG_ERROR Msg:: Neither registry entry not default value found for key: IP_WHITELIST Enter ERROR_CODE @ <A href="https://go.microsoft.com/fwlink/?linkid=846827" target="_blank">https://go.microsoft.com/fwlink/?linkid=846827</A> for detailed troubleshooting steps. . This is not an error.</P> <P>&nbsp;</P> <P>As I mentioned we renewed certificate on the RADIUS server for Azure MFA.&nbsp;&nbsp;</P> Wed, 14 Jun 2023 13:21:16 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546027#M111624 Jozef_Kostan 2023-06-14T13:21:16Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546035#M111626 <P>If NPS don't log then try "auditpol /set /subcategory:”Network Policy Server” /success:enable /failure:enable"</P> <P>&nbsp;</P> <P><A href="https://travelingpacket.com/2022/03/02/microsoft-nps-logs-not-showing-in-event-viewer/" target="_blank">https://travelingpacket.com/2022/03/02/microsoft-nps-logs-not-showing-in-event-viewer/</A></P> Wed, 14 Jun 2023 14:28:09 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-could-not-connect-to-the-global-protect-gateway/m-p/546035#M111626 Raido_Rattameister 2023-06-14T14:28:09Z