Global protect VPN disconnecting multiple times

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global protect VPN disconnecting multiple times

L3 Networker

Hi,

Im facing issue with connecting to GP VPN, unfortunatly im the one who is having issue.

VPN works fine on other cmputer but having issue with my computer

below are the error msg i got during the VPN disconnect time

 

(T10836) 04/11/17 18:51:28:501 Debug( 980): VPN handle dhcp packet
(T10516) 04/11/17 18:51:46:676 Debug(1189): SSL3 alert write:fatal:bad record mac
(T10516) 04/11/17 18:51:46:676 Error( 840): SSL_read() failed: 1 -1 socket error 0. ntry is 0
(T10516) 04/11/17 18:51:46:676 Error( 811): VPN: Socket Failed to receive! ret = -1
(T10516) 04/11/17 18:51:46:676 Error(1126): ProcPackets, RecvFromSocket() failed
(T10516) 04/11/17 18:51:46:676 Error( 410): ProcPackets() failed, get out of ProcMonitor
(T10836) 04/11/17 18:51:46:676 Info ( 553): ProDrv: VPN disconnect event, get out of ProcDrv
(T10836) 04/11/17 18:51:46:676 Info ( 570): ProcDrv thread dies
(T10516) 04/11/17 18:51:46:676 Info ( 527): ProcDrv quit
(T10516) 04/11/17 18:51:46:676 Info ( 504): Before ProcMonitor quit, disconnect vpn

 

Can anybody know whats the issue and how to overcome from this?

Kindly help me.

 

Kotresha

Kotresha
ACE
1 accepted solution

Accepted Solutions

We have seen an issue with SSL tunnel type in earlier versions of 7.0.

 

Can you check if IPsec is enabled on the Gateway configuration? If so, please check why we are not able to connect via IPsec.

 

Take pcaps, 1

source IP : your public IP

Destination IP : Firewall's public IP

 

and configure it in the reverse direction as well.

 

Or, upgrade the firewall to the latest 7.0.x code (7.0.14) and test.

================================================================
ACE 7.0, 8.0, PCNSE 7

View solution in original post

9 REPLIES 9

L4 Transporter

Hi KotreshaMC,

 

Let us know the following.

 

What is the PAN OS and GP version?

What is the OS that you are running on the machine?

Are users connecting via SSL or IPsec tunnel?

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

If your getting a fatal:bad record mac then you have an issue as the error itself is completely fatal to the VPN communication process. This is caused by the first encrypted message has something wrong with it's crypto and immediately shows up as bad_record_mac. Just by the nature of VPN appliances this message is purposely cryptic and can be anything from failing integrity checks or for anything in the cryptographic layer. 


I would first start to troubleshoot by uninstalling and reinstalling GP, it might help to take off any other VPN application you have installed as well as this could potentially cause issues as well. 

I have reinstaled already but still fac


@BPry wrote:

If your getting a fatal:bad record mac then you have an issue as the error itself is completely fatal to the VPN communication process. This is caused by the first encrypted message has something wrong with it's crypto and immediately shows up as bad_record_mac. Just by the nature of VPN appliances this message is purposely cryptic and can be anything from failing integrity checks or for anything in the cryptographic layer. 


I would first start to troubleshoot by uninstalling and reinstalling GP, it might help to take off any other VPN application you have installed as well as this could potentially cause issues as well. 



ing the same issue.

Kotresha
ACE

PAN OS:7.1.3

GP version:3.1.5

Operating system: Windows 10 Pro

We are connecting over:IPSec tunnel

 

Kotresha
ACE

L3 Networker

Can anybody help with this ?

Kotresha
ACE

Hi Kotresha,

 

Let's start by checking what's different for you, since it's only affecting you.

1) Is there any other portal configuration that you get, other than the rest of the users?

2) Although you mentioned the default method is IPsec, but please verify that you are indeed connecting via IPsec too. Once you are connected to the GP, check under Network->Gateway->Remote users(right side). See what the tunnel type column says.

2) What's the connect method - on-demand? pre-logon? etc.?

3) Have you tried your account from another machine?

4) Have you tried re-installing the client? (I'd suggest trying with 3.1.6)

5) Configure split-tunnelling, if you don't have it already. Send the private subnets traffic to firewall, send the internet traffic through your regular adapter. Run a continuous ping from cmd (ping -t 8.8.8.8). If you see the GP disconnecting, see if there is any ping drops. 

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

1) Is there any other portal configuration that you get, other than the rest of the users?
Ans: No
2) Although you mentioned the default method is IPsec, but please verify that you are indeed connecting via IPsec too. Once you are connected to the GP, check under Network->Gateway->Remote users(right side). See what the tunnel type column says.
Ans: SSL
2) What's the connect method - on-demand? pre-logon? etc.?
Ans: On-demand (with RSA token)
3) Have you tried your account from another machine?
Ans: Yes, it worked fine
4) Have you tried re-installing the client? (I'd suggest trying with 3.1.6)
Ans: Yes i tried but not usefull

5) Configure split-tunnelling, if you don't have it already. Send the private subnets traffic to firewall, send the internet traffic through your regular adapter. Run a continuous ping from cmd (ping -t 8.8.8.8). If you see the GP disconnecting, see if there is any ping drops.

Ans: We have configured split-tunnel.

 

 

Kotresha
ACE

We have seen an issue with SSL tunnel type in earlier versions of 7.0.

 

Can you check if IPsec is enabled on the Gateway configuration? If so, please check why we are not able to connect via IPsec.

 

Take pcaps, 1

source IP : your public IP

Destination IP : Firewall's public IP

 

and configure it in the reverse direction as well.

 

Or, upgrade the firewall to the latest 7.0.x code (7.0.14) and test.

================================================================
ACE 7.0, 8.0, PCNSE 7

Thanks for all your support, after upgrading the firewall to 7.1.9 issue resolved.

Kotresha
ACE
  • 1 accepted solution
  • 39033 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!