Ok group I have a nice and simple question about trying to get GP up and running. Everything (I think) looks right, and configured, but I am not able to quite get my client connected to the Gateway
(T10944) 03/12/13 11:56:27:075 Debug( 742): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer exists. File is tca.cer
(T10944) 03/12/13 11:56:27:075 Debug( 340): set trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T10944) 03/12/13 11:56:27:075 Debug(3645): connect ssl.
(T10944) 03/12/13 11:56:48:075 Debug( 179): Failed to connect to 184.108.40.206 on 443 (error: 10051) <======
(T10944) 03/12/13 11:56:48:075 Error( 296): Server Error: Connect to 220.127.116.11:443 Failed
(T10944) 03/12/13 11:56:48:075 Error( 135): do_tcp_connect()
(T10944) 03/12/13 11:56:48:075 Error(3663): ConnectSSL: Failed to connect to '18.104.22.168:443'. Disconnect ssl.
(T10944) 03/12/13 11:56:48:075 Debug(3710): returns 0.
Ok... So what does error 10051 mean? And how do I troubleshoot it further? I have a single FW, using 2 Internet facing interfaces (one I used for Portal, other is for GW)
I have authenticated to the Portal and downloaded my agent software. I have my configuration sent to "On Demand" and I when I attempt to connect these are the messages I have.
I have confirmed that I created a self-signed CA on my FW, and signed 3 certs (portal, GW, and agent)... still nothing....
Thoughts... HELP... Anything??? All will be appreciated.
PA TAC.... if you have help, this would be most appreciated....
I think I am missing something very small. (maybe. :smileysilly:)
Following steps would help you in identifying the issue.
1) Confirm that the Common name on the certificate and the portal address address you are trying to reach from the client are the same
2) Confirm the gateway certificate common name and the gateway ip/fqdn in the client config under the portal config match.
3) Create an untrust to untrust zone allow rule, this will help you capture the sessions.
Run show session all filter destination-port 443 destination <ip>.
What does the 'Monitor' tab on the firewall say about this traffic?
Make sure you check "Log at session start" and check "Log at session end", just for the sake of troubleshooting
1) Common Name on Portal is the IP, and I can https:// into the Portal, put in username/password so I am passing this portion. 2) I have *just* changed my config so that my Portal AND my gateway are configured using only 1 outside IP (remember, my original plan was Portal and GW on 2 separate IP). I have my authentication in Portal set to local (eventually will do LDAP, and use certs, etc) but I am still troubleshooting. So I can get to my Portal, and authenticate, but I cannot get my VPN tunnel up, as I get the error. As for my rules, I do have a Internet (with my specific IP) to Internet Zone ALLOWED at the top of my rulebase, with Log at Start enabled. I can see that my rule hitting for the Portal, and I see my rule hitting for attempting to communicate with my GW, but I get an Incomplete (so my handshake or similar is not working out)
Your original post says you have two interfaces facing the internet. Which one is the the default gateway to internet ?
Do you have any destination NAT configured on the firewall ?
Howdy again. I have my GP-GW interface (1/1) that is public facing, with static route to my ISP as my default route (or route of last resort). My GP-Portal interface (1/4) is hosting the portal. I wondered if some sort of asymmetric routing was going on, so I finally configured my GP-GW to be both Portal AND the Gateway. I am using local authentication. In troubleshooting this, it seems that trying to connect to my Portal, when configured on 1/4 works fine. If I update my configuration (and all settings) to use my 1/1 interface as my Portal, I cannot even connect to my Portal. So I am thinking it is something related to my 1/1 interface, which otherwise works 99% (1% is GP, which is not working. :P) If anyone ever wants to help directly troubleshoot this with me, i.e. remote connection to my desktop, etc., I would be more than happy to oblige. Like I said, if knew what error 10051 meant, it would better explain how/why this is going on.
Looks like it is a asymmetric routing issue. To get more clarity can you run the following commands in cli and attach the outputs.
show global-protect-gateway gateway name <g/w name>
show routing route
show interface all
show running pbf-policy
It does not look like the error is related to certs imo... It seems like the GP agent cannot connect to the GP gateway IP on E1/1 after authenticating to the portal on E1/4 - there is no asymmetrical routing issue here. Seems like a sensible config since the portal only pushes down settings to the GP client and then "quits". The GP agent then decides which gateway to connect to based on the settings pushed down from the portal. Thus there cannot be a asymmetrical route issue since the portal and gateway are not linked in anyway. As you mentioned, changing the portal from E1/4 to E1/1 causes it to fail as well. How about trying to setup the GP portal and gateway on E1/4 as a test?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!