topic Re: Global Protect SSL error in General Topics

Global Protect SSL error

scantwell — Tue, 12 Mar 2013 16:22:07 GMT

Ok group I have a nice and simple question about trying to get GP up and running. Everything (I think) looks right, and configured, but I am not able to quite get my client connected to the Gateway

(T10944) 03/12/13 11:56:27:075 Debug( 742): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer exists. File is tca.cer

(T10944) 03/12/13 11:56:27:075 Debug( 340): set trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer

(T10944) 03/12/13 11:56:27:075 Debug(3645): connect ssl.

(T10944) 03/12/13 11:56:48:075 Debug( 179): Failed to connect to 207.96.178.67 on 443 (error: 10051) <======

(T10944) 03/12/13 11:56:48:075 Error( 296): Server Error: Connect to 207.96.178.67:443 Failed

(T10944) 03/12/13 11:56:48:075 Error( 135): do_tcp_connect()

(T10944) 03/12/13 11:56:48:075 Error(3663): ConnectSSL: Failed to connect to '207.96.178.67:443'. Disconnect ssl.

(T10944) 03/12/13 11:56:48:075 Debug(3710): returns 0.

Ok... So what does error 10051 mean? And how do I troubleshoot it further? I have a single FW, using 2 Internet facing interfaces (one I used for Portal, other is for GW)

I have authenticated to the Portal and downloaded my agent software. I have my configuration sent to "On Demand" and I when I attempt to connect these are the messages I have.

I have confirmed that I created a self-signed CA on my FW, and signed 3 certs (portal, GW, and agent)... still nothing....

Thoughts... HELP... Anything??? All will be appreciated.

PA TAC.... if you have help, this would be most appreciated....

I think I am missing something very small. (maybe. :smileysilly:)

Re: Global Protect SSL error

dpalani — Tue, 12 Mar 2013 16:35:19 GMT

Hi,

Following steps would help you in identifying the issue.

1) Confirm that the Common name on the certificate and the portal address address you are trying to reach from the client are the same

2) Confirm the gateway certificate common name and the gateway ip/fqdn in the client config under the portal config match.

3) Create an untrust to untrust zone allow rule, this will help you capture the sessions.

Run show session all filter destination-port 443 destination <ip>.

Re: Global Protect SSL error

ericgearhart — Tue, 12 Mar 2013 16:35:36 GMT

What does the 'Monitor' tab on the firewall say about this traffic?

Make sure you check "Log at session start" and check "Log at session end", just for the sake of troubleshooting

Re: Global Protect SSL error

scantwell — Tue, 12 Mar 2013 17:06:58 GMT

1) Common Name on Portal is the IP, and I can https:// into the Portal, put in username/password so I am passing this portion. 2) I have *just* changed my config so that my Portal AND my gateway are configured using only 1 outside IP (remember, my original plan was Portal and GW on 2 separate IP). I have my authentication in Portal set to local (eventually will do LDAP, and use certs, etc) but I am still troubleshooting. So I can get to my Portal, and authenticate, but I cannot get my VPN tunnel up, as I get the error. As for my rules, I do have a Internet (with my specific IP) to Internet Zone ALLOWED at the top of my rulebase, with Log at Start enabled. I can see that my rule hitting for the Portal, and I see my rule hitting for attempting to communicate with my GW, but I get an Incomplete (so my handshake or similar is not working out)

Re: Global Protect SSL error

dpalani — Tue, 12 Mar 2013 17:54:29 GMT

Hi,

Your original post says you have two interfaces facing the internet. Which one is the the default gateway to internet ?

Do you have any destination NAT configured on the firewall ?

Re: Global Protect SSL error

scantwell — Wed, 13 Mar 2013 17:22:53 GMT

Howdy again. I have my GP-GW interface (1/1) that is public facing, with static route to my ISP as my default route (or route of last resort). My GP-Portal interface (1/4) is hosting the portal. I wondered if some sort of asymmetric routing was going on, so I finally configured my GP-GW to be both Portal AND the Gateway. I am using local authentication. In troubleshooting this, it seems that trying to connect to my Portal, when configured on 1/4 works fine. If I update my configuration (and all settings) to use my 1/1 interface as my Portal, I cannot even connect to my Portal. So I am thinking it is something related to my 1/1 interface, which otherwise works 99% (1% is GP, which is not working. :P) If anyone ever wants to help directly troubleshoot this with me, i.e. remote connection to my desktop, etc., I would be more than happy to oblige. Like I said, if knew what error 10051 meant, it would better explain how/why this is going on.

Re: Global Protect SSL error

dpalani — Wed, 13 Mar 2013 18:28:00 GMT

Hi,

Looks like it is a asymmetric routing issue. To get more clarity can you run the following commands in cli and attach the outputs.

show global-protect-gateway gateway name <g/w name>

show routing route

show interface all

show running pbf-policy

- Deepak

Re: Global Protect SSL error

Quinton — Wed, 13 Mar 2013 19:39:04 GMT

It does not look like the error is related to certs imo... It seems like the GP agent cannot connect to the GP gateway IP on E1/1 after authenticating to the portal on E1/4 - there is no asymmetrical routing issue here. Seems like a sensible config since the portal only pushes down settings to the GP client and then "quits". The GP agent then decides which gateway to connect to based on the settings pushed down from the portal. Thus there cannot be a asymmetrical route issue since the portal and gateway are not linked in anyway. As you mentioned, changing the portal from E1/4 to E1/1 causes it to fail as well. How about trying to setup the GP portal and gateway on E1/4 as a test?