Global Protect not connecting to gateway


L3 Networker

I have a PA-220 and it's using DHCP for the untrust interface. I have followed about 40 documents and knowledge bases and still have no success connecting my iPhone to the Palo via GlobalProtect. I am using a self-generated cert. I have collected the logs from the GP client, but I do not know what I am looking for to see what the issue is.

 

Cyber Elite

This is the first time I am seeing GP with an iPhone.

Is this prod or test env?

 

What error message do you get on the GP?

What is the address of the Portal?

 

 

 

MP

Help the community: Like helpful comments and mark solutions.

L3 Networker

Hello @Stevenjwilliams83, can you confirm that you have a valid GlobalProtect gateway license?

I have GlobalProtect gateway and portal licensing. I am testing at my home on my 220, but this is going to be a request at my place of employment for sure when we roll it out.

 

The logs are showing some errors but not sure what to look for.

 

P7694-T11531 Sep 29 17:08:36:652833 Error( 522): Server trust evalutaion failed: 5
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x104711e40> -[GPURLConnection session] <NSOperationQueue: 0x1047119a0>{name = 'NSOperationQueue 0x1047119a0'}
identity: (null)
scepIdentity: (null)
connectionGroup: <OS_dispatch_group: 0x10440b120>
distinguishedNames: (null)
request: <NSMutableURLRequest: 0x104423e50> { URL: https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp }
response: (null)
responseError: (null)
isHandshakeStarted: 1
trustedServerCertificates: (null)
priorityIdentities: (null)
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustExceptionSHA256: ad:ff:f0:47:92:39:d2:db:15:29:21:ad:54:a3:bf:6c:d9:f4:48:01:d0:fe:d4:36:98:12:65:b1:20:ad:b9:ca
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{
Certificate = "<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>";
Property = {
type = error;
value = "Root certificate is not trusted.";
};
},
{
Certificate = "<cert(0x10500a400) s: IntermediateCert i: RootCert>";
Property = "<null>";
},
{
Certificate = "<cert(0x10500aa00) s: RootCert i: RootCert>";
Property = "<null>";
}
)}
connectTimeout: 5
receiveTimeout: 30
responseData(0): (null)

P7694-T12803 Sep 29 17:08:36:655791 Error( 391): Connection error Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp, NSLocalizedDescription=cancelled, NSErrorFailingURLKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp}
response:(null)
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x104711e40> -[GPURLConnection session] <NSOperationQueue: 0x1047119a0>{name = 'NSOperationQueue 0x1047119a0'}
identity: (null)
scepIdentity: (null)
connectionGroup: <OS_dispatch_group: 0x10440b120>
distinguishedNames: (null)
request: <NSMutableURLRequest: 0x104423e50> { URL: https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp }
response: (null)
responseError: Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp, NSLocalizedDescription=cancelled, NSErrorFailingURLKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp}
isHandshakeStarted: 1
trustedServerCertificates: (null)
priorityIdentities: (null)
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustExceptionSHA256: ad:ff:f0:47:92:39:d2:db:15:29:21:ad:54:a3:bf:6c:d9:f4:48:01:d0:fe:d4:36:98:12:65:b1:20:ad:b9:ca
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{

How did you copy the Portal and Device or User certificates to your iOS devices?

You need to create Certificate Profiles with an MDM or Apple iOS Device Manager (available for macOS).

 

 

 

HA!! That is the missing piece. For some reason I was thinking I didn't need to do that because normally for prod use I would get a trusted 3rd party and wouldn't need to.

 

I cannot seem to find device manager for mac...have a link for it?

Sorry, it's called Apple Configurator 2:

 

https://apps.apple.com/de/app/apple-configurator-2/id1037126344?mt=12
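
Added example (not part of the original thread and not Palo Alto Networks code): a small Python parser for the log format posted above that pulls out the certificate chain the gateway sent and the reason iOS rejected it. The field layout is assumed from the excerpt in this thread, and `diagnose` is a hypothetical helper name.

```python
import re

# Excerpt trimmed and shortened from the GlobalProtect iOS log posted above.
SAMPLE_LOG = '''P7694-T11531 Sep 29 17:08:36:652833 Error( 522): Server trust evalutaion failed: 5
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustChain=(
{
Certificate = "<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>";
Property = {
type = error;
value = "Root certificate is not trusted.";
};
},
)}
'''

CERT_RE = re.compile(r'<cert\(0x[0-9a-f]+\) s: (.+?) i: (.+?)>')
HOST_RE = re.compile(r'original host: \[([^\]]+)\]')
ERR_RE = re.compile(r'type = error;\s*value = "([^"]+)";')

def diagnose(log):
    """Summarise one 'Server trust evaluation failed' entry from a GP iOS log."""
    block = re.search(r'serverCertificatesChain: \((.*?)\n\)', log, re.S)
    chain = CERT_RE.findall(block.group(1)) if block else []  # (subject, issuer)
    host = HOST_RE.search(log)
    errors = ERR_RE.findall(log)  # what the iOS trust evaluation reported
    # Each certificate must be issued by the subject of the next one sent.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            errors.append(f"chain gap: {subj} names issuer {issuer}, next cert is {next_subj}")
    # A last cert with subject == issuer is a self-signed root; the device
    # accepts it only if that root is already in its trust store.
    root = chain[-1][0] if chain and chain[-1][0] == chain[-1][1] else None
    return {"host": host.group(1) if host else None, "chain": chain,
            "self_signed_root": root, "errors": errors}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reports a complete three-certificate chain ending in the self-signed RootCert and the single error "Root certificate is not trusted.", which matches the fix the thread arrived at: install the root on the iPhone through a configuration profile.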

 

 
