Difficulties creating a secondary VPN tunnel

pasmartin — Thu, 14 Aug 2014 09:24:08 GMT

I'm having trouble authenticating with a second VPN tunnel that I've created.

I've created a new Portal and Gateway, almost identical to the previous ones. Obviously with it's own external IP, certificate that fits the given domain.
Created a new Zone with a tunnel interface associated with it, which is also connected to a static route with the new GP IP range.

From GlobalProtect, I'm getting the following when I start logging:

GetHttpResponse()...

(T1192) 08/14/14 10:39:46:593 Debug(1787): portal proxyparam is empty

(T1192) 08/14/14 10:39:46:593 Debug(1838): IPADDR=vpn._______.com,PORT=443,URL=/global-protect/getconfig.esp,POST=1,PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1

(T1192) 08/14/14 10:39:46:593 Debug( 734): Send response to client for request https_request

(T1192) 08/14/14 10:39:46:794 Debug(1886): receive pan_msg_ping, 3

(T1192) 08/14/14 10:39:56:673 Debug(1886): receive pan_msg_ping, 3

(T4196) 08/14/14 10:40:03:330 Debug( 407): HipMissingPatchThread: now is 1408005603, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:40:03:330 Debug( 412): HipMissingPatchThread: wait -820000 ms

(T4196) 08/14/14 10:40:03:330 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005603.

(T4196) 08/14/14 10:40:03:330 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:40:03:330 Debug( 63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:40:03:330 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

(T1192) 08/14/14 10:40:06:705 Debug(1886): receive pan_msg_ping, 3

(T4196) 08/14/14 10:40:08:830 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T1192) 08/14/14 10:40:16:768 Debug(1886): receive pan_msg_ping, 3

(T1192) 08/14/14 10:40:16:768 Debug(2034): HTTP_RPC, len=0, result is

(NULL)...

(T1192) 08/14/14 10:40:16:768 Error(4279): pszXmlConfig is NULL. 8614

(T1192) 08/14/14 10:40:16:768 Debug(1426): close WinHttp close handle.

(T1192) 08/14/14 10:40:16:768 Info (3746): Skip reading cached portal config.

(T1192) 08/14/14 10:40:16:768 Debug(3754): portal status is Invalid portal.

(T1192) 08/14/14 10:40:16:768 Debug(3755): returns 0.

(T1192) 08/14/14 10:40:16:768 Debug(3284): ServerThread: ProcessServerPortal -- return SendResponseToClient(socket, PAN_SERVER_PORTAL)

(T1192) 08/14/14 10:40:16:768 Debug(3070): Set state to Disconnected

(T1192) 08/14/14 10:40:16:768 Debug( 734): Send response to client for request portal

(T4196) 08/14/14 10:40:17:835 Debug( 364): PanGpHipMp.exe exit for checking misssing patches.

(T4196) 08/14/14 10:40:17:835 Debug( 362): CheckHipMissingPatchInOtherProcess(): exits.

(T4196) 08/14/14 10:40:17:835 Debug( 441): Hip missing patch checking duration is 14

(T4196) 08/14/14 10:40:39:845 Debug( 407): HipMissingPatchThread: now is 1408005639, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:40:39:845 Debug( 412): HipMissingPatchThread: wait -860000 ms

(T4196) 08/14/14 10:40:39:845 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005639.

(T4196) 08/14/14 10:40:39:845 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:40:39:845 Debug( 63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:40:39:845 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

(T4196) 08/14/14 10:40:45:353 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T4196) 08/14/14 10:40:49:980 Debug( 364): PanGpHipMp.exe exit for checking misssing patches.

(T4196) 08/14/14 10:40:49:980 Debug( 362): CheckHipMissingPatchInOtherProcess(): exits.

(T4196) 08/14/14 10:40:49:980 Debug( 441): Hip missing patch checking duration is 10

(T4196) 08/14/14 10:41:09:993 Debug( 407): HipMissingPatchThread: now is 1408005669, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:41:09:993 Debug( 412): HipMissingPatchThread: wait -888000 ms

(T4196) 08/14/14 10:41:09:993 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005669.

(T4196) 08/14/14 10:41:09:993 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:41:09:993 Debug( 63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:41:09:993 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

(T4196) 08/14/14 10:41:15:500 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T4196) 08/14/14 10:41:19:402 Debug( 364): PanGpHipMp.exe exit for checking misssing patches.

(T4196) 08/14/14 10:41:19:402 Debug( 362): CheckHipMissingPatchInOtherProcess(): exits.

(T4196) 08/14/14 10:41:19:402 Debug( 441): Hip missing patch checking duration is 10

(T4196) 08/14/14 10:41:39:415 Debug( 407): HipMissingPatchThread: now is 1408005699, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:41:39:415 Debug( 412): HipMissingPatchThread: wait -918000 ms

(T4196) 08/14/14 10:41:39:415 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005699.

(T4196) 08/14/14 10:41:39:415 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:41:39:415 Debug( 63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:41:39:415 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

From the system log in PAN I'm getting:

"GlobalProtect portal user authentication failed. Login from: 1.2.3.4, User name: user, Reason: Authentication failed: Invalid username or password , Auth type: profile"

Did also recieve one error: "User 'user'' failed authentication. Reason: User is not in allowlist From: 1.2.3.4" Even though I've defined the user in both the client config for the Portal, including in the authentication profile that the portal is associated with.

Anyone have suggestions to what the cause might be?
Last time I set up the GP I was instructed, so there's a chance that I've missed a few details.

Feel free to ask for more information if needed.

Appreciate the help!

Re: Difficulties creating a secondary VPN tunnel

pulukas — Thu, 14 Aug 2014 21:31:32 GMT

This is probably a problem with the LDAP authentication for the group or users assigned for the allow list. Check out the troubleshooting process in this document to confirm the LDAP connection and naming conventions.

GlobalProtect Login Fails When Using a Group in the Allow List

Re: Difficulties creating a secondary VPN tunnel

tshiv — Fri, 15 Aug 2014 03:03:22 GMT

I have also seen the above authentication failure messages in case of ldap authentication due to mis-configuration. Most common one is that "sAMAccountName" attribute missing from the authentication profile. See below for details:

topic Re: Difficulties creating a secondary VPN tunnel in General Topics

Difficulties creating a secondary VPN tunnel

Re: Difficulties creating a secondary VPN tunnel

Re: Difficulties creating a secondary VPN tunnel