Global Protect not connecting to gateway

L3 Networker

Global Protect not connecting to gateway

I have a Pa220 and it's using DHCP for the untrust interface. I have followed about 40 documents and knowledge bases and still have no success with connecting my iPhone to the Palo via Global Protect. I am using a self-generated cert. I have collected the logs from the GP client, but I do not know what I am looking for to see what the issue is.

 

L4 Transporter

Re: Global Protect not connecting to gateway

This is the first time I am seeing GP with an iPhone.

Is this prod or test env?

 

What error message do you get on the GP?

What is the address of the Portal?

 

 

 

L2 Linker

Re: Global Protect not connecting to gateway

Hello @Stevenjwilliams83, can you confirm that you have a valid GlobalProtect gateway license?

L3 Networker

Re: Global Protect not connecting to gateway

I have Global Protect gateway and portal licensing. I am testing at my home on my 220, but this is going to be a request at my place of employment for sure when we roll it out.

 

The logs are showing some errors but not sure what to look for.

 

P7694-T11531 Sep 29 17:08:36:652833 Error( 522): Server trust evalutaion failed: 5
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x104711e40> -[GPURLConnection session] <NSOperationQueue: 0x1047119a0>{name = 'NSOperationQueue 0x1047119a0'}
identity: (null)
scepIdentity: (null)
connectionGroup: <OS_dispatch_group: 0x10440b120>
distinguishedNames: (null)
request: <NSMutableURLRequest: 0x104423e50> { URL: https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp }
response: (null)
responseError: (null)
isHandshakeStarted: 1
trustedServerCertificates: (null)
priorityIdentities: (null)
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustExceptionSHA256: ad:ff:f0:47:92:39:d2:db:15:29:21:ad:54:a3:bf:6c:d9:f4:48:01:d0:fe:d4:36:98:12:65:b1:20:ad:b9:ca
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{
Certificate = "<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>";
Property = {
type = error;
value = "Root certificate is not trusted.";
};
},
{
Certificate = "<cert(0x10500a400) s: IntermediateCert i: RootCert>";
Property = "<null>";
},
{
Certificate = "<cert(0x10500aa00) s: RootCert i: RootCert>";
Property = "<null>";
}
)}
connectTimeout: 5
receiveTimeout: 30
responseData(0): (null)

P7694-T12803 Sep 29 17:08:36:655791 Error( 391): Connection error Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp, NSLocalizedDescription=cancelled, NSErrorFailingURLKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp}
response:(null)
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x104711e40> -[GPURLConnection session] <NSOperationQueue: 0x1047119a0>{name = 'NSOperationQueue 0x1047119a0'}
identity: (null)
scepIdentity: (null)
connectionGroup: <OS_dispatch_group: 0x10440b120>
distinguishedNames: (null)
request: <NSMutableURLRequest: 0x104423e50> { URL: https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp }
response: (null)
responseError: Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp, NSLocalizedDescription=cancelled, NSErrorFailingURLKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp}
isHandshakeStarted: 1
trustedServerCertificates: (null)
priorityIdentities: (null)
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustExceptionSHA256: ad:ff:f0:47:92:39:d2:db:15:29:21:ad:54:a3:bf:6c:d9:f4:48:01:d0:fe:d4:36:98:12:65:b1:20:ad:b9:ca
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{

L0 Member

Re: Global Protect not connecting to gateway

How did you copy the Portal and Device or User certificates to your iOS devices?

You need to create Certificate Profiles with an MDM or Apple iOS Device Manager (available for macOS).
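Added example, not part of the thread or of GlobalProtect itself: a short Python parser that reads a client log excerpt shaped like the one posted above, pulls out the presented certificate chain and the trust error, and flags the case where a private root CA still has to be installed and trusted on the device. The sample log is constructed with the placeholder host vpn.example.test, and the function name `diagnose` is hypothetical.

```python
import re

# Constructed sample, shaped like the GlobalProtect iOS log lines in this thread.
SAMPLE_LOG = '''\
P100-T200 Sep 29 17:08:36:652833 Error( 522): Server trust evalutaion failed: 5
connection: 0x1, type: 1, host: [vpn.example.test:443], original host: [vpn.example.test], alwaysTrust: 0
serverCertificatesChain: (
"<cert(0x1) s: vpn.example.test i: IntermediateCert>",
"<cert(0x2) s: IntermediateCert i: RootCert>",
"<cert(0x3) s: RootCert i: RootCert>"
)
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x1) s: vpn.example.test i: IntermediateCert>, trustChain=(
{
Certificate = "<cert(0x1) s: vpn.example.test i: IntermediateCert>";
Property = {
type = error;
value = "Root certificate is not trusted.";
};
},
'''

CERT_RE = re.compile(r'<cert\(0x[0-9a-f]+\) s: (.+?) i: (.+?)>')
HOST_RE = re.compile(r'original host: \[([^\]]+)\]')
VALUE_RE = re.compile(r'value = "([^"]+)";')

def diagnose(log_text):
    """Summarise the presented chain and trust errors in one log excerpt."""
    host = HOST_RE.search(log_text)
    # Read only the serverCertificatesChain block so trustChain repeats are not counted twice.
    block = re.search(r'serverCertificatesChain: \((.*?)\n\)', log_text, re.S)
    chain = CERT_RE.findall(block.group(1)) if block else []
    errors = sorted(set(VALUE_RE.findall(log_text)))
    # A last certificate with subject == issuer is a self-signed root.
    root = chain[-1][0] if chain and chain[-1][0] == chain[-1][1] else None
    # Each certificate should be issued by the subject of the next one.
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    needs_root_install = bool(root) and linked and any(
        'not trusted' in e for e in errors)
    return {'host': host.group(1) if host else None, 'chain': chain,
            'chain_linked': linked, 'root': root, 'errors': errors,
            'needs_root_install': needs_root_install}

if __name__ == '__main__':
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

A complete, correctly linked chain combined with "Root certificate is not trusted." means the gateway is sending the right certificates and the fix belongs on the client: the root has to be delivered to the device and trusted there.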

 

 

 

L3 Networker

Re: Global Protect not connecting to gateway

HA!! That is the missing piece. For some reason I was thinking I didn't need to do that 'cause normally for a prod use I would get trusted 3rd party and wouldn't need to.

 

L3 Networker

Re: Global Protect not connecting to gateway

I cannot seem to find device manager for Mac... have a link for it?

L0 Member

Re: Global Protect not connecting to gateway

Sorry, it's called Apple Configurator 2:

 

https://apps.apple.com/de/app/apple-configurator-2/id1037126344?mt=12

 

 
