topic Unable to authenticate through Global Protect in General Topics

Unable to authenticate through Global Protect

Jatin.Singh — Mon, 16 Sep 2019 05:07:39 GMT

I m currently unable to authenticate through Global Protect. I’ve looked at the config which looks correct and I can’t see anything obvious in the logs. Are you able to assist? I’ve paste the logs below.

2019-09-16 14:03:19.305 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla@wyongccs.nsw.edu.au" ; auth profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:19.305 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:19.305 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla@wyongccs.nsw.edu.au" in request->username

2019-09-16 14:03:19.305 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:19.306 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla@wyongccs.nsw.edu.au" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 Error: _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla@wyongccs.nsw.edu.au": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:19.306 +1000 failed authentication for user 'sagierhartla@wyongccs.nsw.edu.au'. auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:19.306 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla@wyongccs.nsw.edu.au' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110501)

2019-09-16 14:03:35.492 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.492 +1000 debug: pan_authd_handle_is_kerberized_req(pan_authd_kerberos_sso.c:1050): return is_kerberized = false for <profile: "GP-VPN-AUTH", vsys: "vsys1", remotehost "", krb_sso_hostname "vpn.wyongccs.nsw.edu.au">

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:35.560 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.560 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:35.564 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99962, body length 2384

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "sagierhartla"> ; timeout setting: 25 secs ; authd id: 6730648317623110504

2019-09-16 14:03:35.564 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla" ; auth profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:35.564 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:35.564 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla" in request->username

2019-09-16 14:03:35.564 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:35.565 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 Error: _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:35.565 +1000 failed authentication for user 'sagierhartla'. auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:35.565 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110504)

2019-09-16 14:03:39.165 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:39.166 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:39.166 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:39.166 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:39.169 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99964, body length 2384

2019-09-16 14:03:39.169 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "spadmin"> ; timeout setting: 25 secs ; authd id: 6730648317623110506

Re: Unable to authenticate through Global Protect

GeorgiosFakis — Mon, 16 Sep 2019 15:40:56 GMT

It seems that cannot find a server in auth GP-VPN-AUTH so go there to see what you have stated and then go to server profile to see if the profile has any IP .

Re: Unable to authenticate through Global Protect

jdelio — Wed, 10 Feb 2021 21:19:36 GMT

Just wanted to let everyone know that if they are having any GlobalProtect issues, and need to troubleshoot the issue, our Very own @kiwi has written a great blog all about troubleshooting GlobalProtect.

Be sure to check it out here:
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-troubleshooting-tips/ba-p/383911

Re: Unable to authenticate through Global Protect

DKumarP — Tue, 18 Oct 2022 09:49:56 GMT

Hi Team,

We are also facing the same issue when we connect GP VPN getting error " the network connection is unreachable or the gateway is unresponsive"

Also we could see below logs from authd.logs

2022-10-18 06:35:00.535 +0000 debug: _get_payload(pan_authd_saml_internal.c:1064): b64 decoded payload length=5318.
2022-10-18 06:35:00.536 +0000 Received SAML Assertion from 'https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66ddd181a40/' from client '103.74.16.247'
2022-10-18 06:35:00.536 +0000 debug: _parse_sso_response(pan_authd_saml.c:1443): SAML SSO response from "https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66d dd181a40/" has no username attribute
2022-10-18 06:35:00.536 +0000 debug: _parse_sso_response(pan_authd_saml.c:1446): SAML SSO response from "https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66d dd181a40/": Use saml:Subject NameID "exthassa@pandora.net" as username
1666074900 INFO OpenSAML.Utility.SAMLSign : successful signature verification
2022-10-18 06:35:00.546 +0000 debug: _has_valid_signature(pan_authd_saml_internal.c:1522): Succeed to verify signature against certificate of IdP "https://st s.windows.net/656793e6-d51d-4bb2-b5fa-c66ddd181a40/"
2022-10-18 06:35:00.546 +0000 SAML Assertion: signature is validated against IdP certificate (subject 'crt.SAML Profile for GP.shared') for user 'exthassa@pa ndora.net'
2022-10-18 06:35:00.548 +0000 2022-10-18 06:35:00.548 +0000 debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5393): debug: pan_auth_cache_user_is_al lowed(pan_auth_cache_allowlist_n_grp.c:569): Check allow list status for exthassa@pandora.net (Authentication_Profile_SAML_GP/vsys1)
This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-10-18 06:35:00.548 +0000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for Authentication_Profile_SAML_GP-vsys1 -mfa
[7m99%[27m[K

Re: Unable to authenticate through Global Protect

UtkarshKumar — Mon, 12 Dec 2022 21:54:28 GMT

Is there any recommendation for this post? We are running into same error for 10.2.3 after firewall upgrade.

Re: Unable to authenticate through Global Protect

Karuppu — Mon, 25 Mar 2024 05:57:59 GMT

Hi Team,

Good Morning !

We are also facing same issue ,do we have any solution for this issue?

Re: Unable to authenticate through Global Protect

RakeshV — Mon, 25 Mar 2024 11:03:01 GMT

Can you check if you are connected to LDAP. Also check the authd.log

Re: Unable to authenticate through Global Protect

Karuppu — Mon, 25 Mar 2024 11:07:26 GMT

Hi Team,

yes ,i have checked the Authd.log which was showing the Authentication server could not find the aftersome time Authentication server connected after that its started working

Re: Unable to authenticate through Global Protect

RakeshV — Mon, 25 Mar 2024 11:09:24 GMT

Can you please share the Authd.logs

Re: Unable to authenticate through Global Protect

RakeshV — Mon, 25 Mar 2024 11:11:38 GMT

I believe this is the log can you please check same in useridd.log
could not find auth server id vector for Authentication Profile

Re: Unable to authenticate through Global Protect

Karuppu — Fri, 29 Mar 2024 18:58:38 GMT

Hi Rakesh ,

Thank you for your suggestions