Tips & Tricks: GlobalProtect IPv6 Troubleshooting (T is for...)

Posted 05-09-2017 02:59 PM, edited 05-11-2017 09:54 AM

T is for Troubleshooting, which is something that every security engineer has to perform (it seems) on a daily basis. 

T is also for Grand Moff Tarkin, the ruthless leader who controlled most of the Outer Rim. He had no problem destroying an entire planet just to test his Grand Death Star. But I seriously doubt that he ever had to perform any troubleshooting.

 

You may remember a couple of weeks ago I wrote a Tips & Tricks about GlobalProtect and IPv6 here:

Tips & Tricks: How to configure GlobalProtect and IPv6

 

But this week's Tips & Tricks is about troubleshooting GlobalProtect and IPv6. If you read that article, I said I would be following up with this one, so here it is.

 

There are many things to check when troubleshooting GlobalProtect IPv6; I will try to cover as many of them as I can here.

 

Here are some of the items covered in this article:

1. GP Gateway - Current User - WebGUI

2. GP Gateway - Current User - CLI

3. GP Gateway Info (CLI)

4. GP Gateway - Tunnel info (CLI)

5. GP Portal/Gateway: System Log (WebGUI)

6. GP Portal/Gateway: System Log (CLI)

7. GP Client: Details tab

8. GP Client: Routing table

 

 

1. GP Gateway - Current User - WebGUI

To see which users are currently connected with GlobalProtect (this option is easy to miss), go to the WebGUI > Network > GlobalProtect > Gateways, click on the gateway profile in question, then on the right side under Info click "Remote Users". There you can see the private and public IP addresses used to connect to the GP gateway.

[Screenshot] Current User screen showing the currently logged-in GP users.

 

2. GP Gateway - Current User - CLI

To list the current users from the CLI, use the command: > show global-protect-gateway current-user

 

The output of this command tells us a lot. In this example the client has both an IPv4 and an IPv6 address, and both can be tunneled, but the tunnel itself is established over the IPv6 address (note the "(connected)" marker on the Public IPv6 line).

 

> show global-protect-gateway current-user


GlobalProtect Gateway: GP-ExtGW-1 (1 users)

Tunnel Name          : GP-ExtGW-1-N

        Domain-User Name           : :gpuser1

        Computer                   : MARCUS-WIN7-32

        Client                     : Microsoft Windows 7 Professional, 32-bit

        VPN Type                   : Device Level VPN

        Mobile ID                  :

        Client OS                  : Windows

        Private IP                 : 192.168.68.10

        Private IPv6               : 1000:6800::10

        Public IP                  : 10.193.122.54

        Public IPv6 (connected)    : 2000:6800::54

        ESP                        : exist

        SSL                        : none

        Login Time                 : Oct.04 21:39:46

        Logout/Expiration          : Nov.03 20:39:46

        TTL                        : 2591974

        Inactivity TTL             : 10779

 

3. GP Gateway Info (CLI)

To gather more information about the GlobalProtect gateway configuration, use the command:

 

> show global-protect-gateway gateway

GlobalProtect Gateway: GP-ExtGW-1 (1 users)

Tunnel Type          : remote user tunnel

Tunnel Name          : GP-ExtGW-1-N

        VSYS                       : vsys1 (id 1)

        Tunnel ID                  : 1

        Tunnel Interface           : tunnel.1

        Tunnel IPv6 Enabled        : yes

        Encap Interface            : ethernet1/1

        vr-id                      : 0

        Inheritance From           :

        Local Address (IPv4)       : 10.193.122.68

        Local Address (IPv6)       : 2000:6800::68

        SSL Server Port            : 443

        IPSec Encap                : yes

        Tunnel Negotiation         : ssl

        HTTP Redirect              : no

        UDP Port                   : 4501

        Max Users                  : 0

        config name                : Client-Config-1

        User Groups                :     any;

        OS                         :     any;

        IP Pool Ranges             :     192.168.68.10 - 192.168.68.100(0.0.0.0);

        IP Pool index              :     0

        IPv6 Pool Ranges           :     1000:6800::10-1000:6800::100(::);

        IPv6 Pool index            :     0

 

        No Direct Access To Local Network:     no

        Retrieve Framed IP Address :     no

        Auth Server IP Pool Ranges :

        Auth Server IPv6 Pool Ranges:

        Access Routes              :     0.0.0.0/0

        Exclude Access Routes      :     20.20.20.0/24; 2020:2020::0/64;

        DNS Servers                :

                                   :

        WINS Servers               :

                                   :

        SSL Server Cert            : GP-Server-IPv4-IPv6-Untrust

        Client Authentication      :    Auth Name                  : Auth-prof-1

        Auth OS                    : Any

        Auth Profile               : Auth-Profile-local

        Client Cert Profile        :

        Lifetime                   : 2592000 seconds

        Idle Timeout               : 10800 seconds

        Disconnect On Idle         : 10800 seconds

        Encryption                 : aes-128-cbc

        Authentication             : sha1
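As an added example (not part of the original article and not PAN-OS code), the following Python parses the current-user output from section 2 and the pool ranges printed by the gateway output in section 3: it reports which address family the tunnel is actually established over and checks that the assigned private addresses fall inside the configured pools. The sample output is constructed from the text above.

```python
import ipaddress

# Constructed sample: a trimmed copy of the 'show global-protect-gateway current-user' output above.
CURRENT_USER_OUTPUT = """\
GlobalProtect Gateway: GP-ExtGW-1 (1 users)
Tunnel Name          : GP-ExtGW-1-N
        Domain-User Name           : :gpuser1
        Computer                   : MARCUS-WIN7-32
        Private IP                 : 192.168.68.10
        Private IPv6               : 1000:6800::10
        Public IP                  : 10.193.122.54
        Public IPv6 (connected)    : 2000:6800::54
        ESP                        : exist
        SSL                        : none
"""

def parse_current_user(text):
    """Turn the key/value lines into a dict and work out which public address carries the tunnel."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the FIRST colon only; IPv6 values contain colons
        if sep:
            fields[key.strip()] = value.strip()
    connected = [k for k in fields if k.startswith("Public IP") and "(connected)" in k]
    if len(connected) != 1:
        raise ValueError("expected exactly one public address marked (connected)")
    addr = ipaddress.ip_address(fields[connected[0]])
    return {
        "user": fields.get("Domain-User Name", "").lstrip(":"),  # ':gpuser1' means no domain prefix
        "private_ipv4": fields.get("Private IP"),
        "private_ipv6": fields.get("Private IPv6"),
        "connected_address": str(addr),
        "connected_family": addr.version,  # 4 or 6
        "encap": "ESP" if fields.get("ESP") == "exist" else "SSL",
    }

def address_in_pool(addr, pool_range):
    """Check an assigned address against a pool range as printed by 'show global-protect-gateway gateway',
    e.g. '1000:6800::10-1000:6800::100(::)' or '192.168.68.10 - 192.168.68.100(0.0.0.0)'."""
    start, end = (ipaddress.ip_address(p.strip()) for p in pool_range.split("(")[0].split("-"))
    a = ipaddress.ip_address(addr)
    return a.version == start.version and start <= a <= end

if __name__ == "__main__":
    info = parse_current_user(CURRENT_USER_OUTPUT)
    print(f"{info['user']}: tunnel over IPv{info['connected_family']} from {info['connected_address']} ({info['encap']})")
    print("IPv6 pool OK:", address_in_pool(info["private_ipv6"], "1000:6800::10-1000:6800::100(::)"))
```

A private address outside its pool, or no line marked (connected), is a quick sign that the gateway is not handing out what you think it is.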

 

 

4. GP Gateway - Tunnel info (CLI)

To see the tunnel information, you can use the command:

 

> show global-protect-gateway flow ?

> name        Show for given GlobalProtect gateway tunnel

> tunnel-id   Show specific tunnel information

  |           Pipe through a command

  <Enter>     Finish input

 

> show global-protect-gateway flow

total tunnels configured:                                     1

filter - type GlobalProtect-Gateway, state any

total GlobalProtect-Gateway tunnel shown:                     1

id    name                  local-i/f         local-ip                      tunnel-i/f

--    ----                  ---------         --------                      ----------

1     GP-ExtGW-1-N          ethernet1/1       10.193.122.68                 tunnel.1

 

Note: In this table gateways are indexed by the FQDN or the IPv4 address (10.193.122.68). This does not mean that the tunnel is established over IPv4; the tunnel-id output below shows the actual peer address.

 

> show global-protect-gateway flow tunnel-id 1

tunnel  GP-ExtGW-1-N

        id:                1

        type:              GlobalProtect-Gateway

        local ip:          10.193.122.68

        inner interface:   tunnel.1         outer interface:  ethernet1/1

        ssl cert:          GP-Server-IPv4-IPv6-Untrust

        active users:      2

assigned-ip                    remote-ip                      MTU   encapsulation

-----------------------------------------------------------------------------------------------

1000:6800::10                  2000:6800::54                  1400  IPSec SPI 461139F9 (context 19)

192.168.68.10                  2000:6800::54                  1400  IPSec SPI 461139F9 (context 19)

 

Note: See how the tunnel is established over IPv6: the remote-ip for both assigned addresses is the client's public IPv6 address (2000:6800::54), and both share the same IPSec SPI and context.

 

Getting even more detailed information about the specific context:

 

> show running tunnel flow context 19

tunnel  GP-ExtGW-1-N

        id:                     1

        en/decap context type:  SSL-VPN

        encap type:             IPSec

        gateway id:             192.168.68.10

        local ip:               2000:6800::68

        peer ip:                2000:6800::54

        inner interface:        tunnel.1

        outer interface:        ethernet1/1

        state:                  active

        session:                13968

        tunnel mtu:             1400

        soft lifetime:          N/A

        hard lifetime:          2591998

        lifetime remain:        2591705 sec

        lifesize remain:        N/A

        idled for:              0 seconds

        idle timeout:           10800 seconds

        monitor:                off

          monitor packets seen: 32

          monitor packets reply:32

        en/decap context:       19

        local spi:              461139F9

        remote spi:             74B78E4A

 

5. GP Portal/Gateway: System Log (WebGUI)

You can get more information about what is happening with the portal and gateway by looking at the System logs in the WebGUI under Monitor > Logs > System. Entries with Type globalprotect are the GP logs; click on the type to filter the view to only those entries.

[Screenshot] System Logs inside of the Monitor tab.

6. GP Portal/Gateway: System Log (CLI)

To see the same information in the CLI, filtered to the globalprotect subtype, use the command:

 

> show log system subtype equal globalprotect direction equal backward

 

Time                Severity Subtype Object EventID ID Description

===============================================================================

2016/10/04 21:39:47 info     globalp GP-Ext globalp 0  GlobalProtect gateway client configuration generated. User name: gpuser1, Private IP: 192.168.68.10, Private IPv6: 1000:6800::10, Client version: 4.0.0-53, Device name: MARCUS-WIN7-32, Client OS version: Microsoft Windows 7 Professional, 32-bit, VPN type: Device Level VPN.

2016/10/04 21:39:46 info     globalp GP-Ext globalp 0  GlobalProtect gateway user login succeeded. Login from: 2000:6800::54, User name: gpuser1, Client OS version: Microsoft Windows 7 Professional, 32-bit.

2016/10/04 21:39:46 info     globalp GP-Ext globalp 0  GlobalProtect gateway user authentication succeeded. Login from: 2000:6800::54, Source region: , User name: gpuser1, Auth type: profile, Client OS version: Microsoft Windows 7 Professional, 32-bit.

2016/10/04 21:38:31 info     globalp GP-Por globalp 0  GlobalProtect portal client configuration generated. Login from: 2000:6800::54, User name: gpuser1, Config name: Client-config-1.

2016/10/04 21:38:29 info     globalp GP-Por globalp 0  GlobalProtect portal user authentication succeeded. Login from: 2000:6800::54, Source region: , User name: gpuser1, Auth type: profile.
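As an added example (not from the original article or PAN-OS), this Python parses the system-log lines above, rebuilds one user's portal-then-gateway login sequence in chronological order, and reports whether every "Login from" address was IPv6. The sample log text is constructed from the lines shown in this article, trimmed slightly.

```python
import ipaddress
import re

# Constructed sample: the GlobalProtect system-log lines above, newest first as 'direction equal backward' prints them.
SYSTEM_LOG = """\
Time                Severity Subtype Object EventID ID Description
===============================================================================
2016/10/04 21:39:47 info     globalp GP-Ext globalp 0  GlobalProtect gateway client configuration generated. User name: gpuser1, Private IP: 192.168.68.10, Private IPv6: 1000:6800::10, Client version: 4.0.0-53, Device name: MARCUS-WIN7-32.
2016/10/04 21:39:46 info     globalp GP-Ext globalp 0  GlobalProtect gateway user login succeeded. Login from: 2000:6800::54, User name: gpuser1, Client OS version: Microsoft Windows 7 Professional, 32-bit.
2016/10/04 21:39:46 info     globalp GP-Ext globalp 0  GlobalProtect gateway user authentication succeeded. Login from: 2000:6800::54, Source region: , User name: gpuser1, Auth type: profile.
2016/10/04 21:38:31 info     globalp GP-Por globalp 0  GlobalProtect portal client configuration generated. Login from: 2000:6800::54, User name: gpuser1, Config name: Client-config-1.
2016/10/04 21:38:29 info     globalp GP-Por globalp 0  GlobalProtect portal user authentication succeeded. Login from: 2000:6800::54, Source region: , User name: gpuser1, Auth type: profile.
"""

# Fixed columns: Time (date time) Severity Subtype Object EventID ID, then the free-text Description.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# Fields of interest inside the description; each value runs up to the next comma.
FIELD_RE = re.compile(r"(Login from|User name|Private IPv6|Private IP): ([^,]*)")

def parse_gp_events(text):
    """Parse the log into dicts, keeping only subtype 'globalp' rows and skipping header/ruler lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "globalp":
            continue
        time, _sev, _sub, obj, _eid, _id, desc = m.groups()
        ev = {"time": time, "object": obj, "message": desc.split(".")[0]}
        ev.update((k, v.strip()) for k, v in FIELD_RE.findall(desc))
        events.append(ev)
    return events

def login_timeline(text, user):
    """One user's portal/gateway events oldest-first, each tagged with the IP family it was logged in from."""
    timeline = []
    for ev in sorted(parse_gp_events(text), key=lambda e: e["time"]):  # zero-padded timestamps sort as strings
        if ev.get("User name") != user:
            continue
        src = ev.get("Login from")
        family = ipaddress.ip_address(src).version if src else None  # None: event carries no source address
        timeline.append((ev["time"], ev["object"], ev["message"], family))
    return timeline

def connected_over_ipv6(text, user):
    """True when every login the user made to the portal and gateway came from an IPv6 source."""
    families = [f for _, _, _, f in login_timeline(text, user) if f is not None]
    return bool(families) and all(f == 6 for f in families)
```

A timeline that stops after the portal events, or a gateway login from a different family than the portal login, points you at the side (portal or gateway) where the IPv6 configuration needs a closer look.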

 

 

7. GP Client: Details tab

Inside the GlobalProtect client, the Details tab shows whether you are using an IPv4 or IPv6 address to connect to the gateway.

[Screenshot] GlobalProtect client, Details tab showing connection and gateway info.

 

8. GP Client: Routing table

On the PC running the GlobalProtect client, you can look at the routing table with the command "route print" (Windows) to see the IPv4 and IPv6 routes that GlobalProtect installed.


This should be enough to help you troubleshoot what is going on, and where to look, when it comes to IPv6 and GlobalProtect.

 

I also have more information on troubleshooting LSVPN GlobalProtect and IPv6, but I will make that Part 2 of this troubleshooting guide and publish it next. So please keep an eye open for that one.

 

As always, we welcome all feedback and comments below. 

 

Stay Secure! 

Joe Delio

 

See Also

For even more troubleshooting for GlobalProtect, please view this:

Troubleshooting GlobalProtect

 
