Unable to authenticate through Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to authenticate through Global Protect

L3 Networker

I m currently unable to authenticate through Global Protect. I’ve looked at the config which looks correct and I can’t see anything obvious in the logs. Are you able to assist? I’ve paste the logs below.

 

 

 

2019-09-16 14:03:19.305 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla@wyongccs.nsw.edu.au" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:19.305 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:19.305 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla@wyongccs.nsw.edu.au" in request->username

2019-09-16 14:03:19.305 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:19.306 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla@wyongccs.nsw.edu.au" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla@wyongccs.nsw.edu.au": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:19.306 +1000 failed authentication for user 'sagierhartla@wyongccs.nsw.edu.au'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:19.306 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla@wyongccs.nsw.edu.au' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110501)

2019-09-16 14:03:35.492 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.492 +1000 debug: pan_authd_handle_is_kerberized_req(pan_authd_kerberos_sso.c:1050): return is_kerberized = false for <profile: "GP-VPN-AUTH", vsys: "vsys1", remotehost "", krb_sso_hostname "vpn.wyongccs.nsw.edu.au">

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:35.560 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.560 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:35.564 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99962, body length 2384

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "sagierhartla"> ; timeout setting: 25 secs ; authd id: 6730648317623110504

2019-09-16 14:03:35.564 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:35.564 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:35.564 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla" in request->username

2019-09-16 14:03:35.564 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:35.565 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:35.565 +1000 failed authentication for user 'sagierhartla'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:35.565 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110504)

2019-09-16 14:03:39.165 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:39.166 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:39.166 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:39.166 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:39.169 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99964, body length 2384

2019-09-16 14:03:39.169 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "spadmin"> ; timeout setting: 25 secs ; authd id: 6730648317623110506

 

9 REPLIES 9

L3 Networker

It seems that cannot find a server in auth GP-VPN-AUTH so go there to see what you have stated and then go to server profile to see if the profile has any IP .

Just wanted to let everyone know that if they are having any GlobalProtect issues, and need to troubleshoot the issue, our Very own @kiwi has written a great blog all about troubleshooting GlobalProtect.

Be sure to check it out here: 
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-troubleshooting-tips/ba-p/383911

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi Team,

 

We are also facing the same issue when we connect GP VPN getting error " the network connection is unreachable or the gateway is unresponsive"

 

Also we could see below logs from authd.logs 

 

2022-10-18 06:35:00.535 +0000 debug: _get_payload(pan_authd_saml_internal.c:1064): b64 decoded payload length=5318.
2022-10-18 06:35:00.536 +0000 Received SAML Assertion from 'https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66ddd181a40/' from client '103.74.16.247'
2022-10-18 06:35:00.536 +0000 debug: _parse_sso_response(pan_authd_saml.c:1443): SAML SSO response from "https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66d dd181a40/" has no username attribute
2022-10-18 06:35:00.536 +0000 debug: _parse_sso_response(pan_authd_saml.c:1446): SAML SSO response from "https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66d dd181a40/": Use saml:Subject NameID "exthassa@pandora.net" as username
1666074900 INFO OpenSAML.Utility.SAMLSign : successful signature verification
2022-10-18 06:35:00.546 +0000 debug: _has_valid_signature(pan_authd_saml_internal.c:1522): Succeed to verify signature against certificate of IdP "https://st s.windows.net/656793e6-d51d-4bb2-b5fa-c66ddd181a40/"
2022-10-18 06:35:00.546 +0000 SAML Assertion: signature is validated against IdP certificate (subject 'crt.SAML Profile for GP.shared') for user 'exthassa@pa ndora.net'
2022-10-18 06:35:00.548 +0000 2022-10-18 06:35:00.548 +0000 debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5393): debug: pan_auth_cache_user_is_al lowed(pan_auth_cache_allowlist_n_grp.c:569): Check allow list status for exthassa@pandora.net (Authentication_Profile_SAML_GP/vsys1)
This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-10-18 06:35:00.548 +0000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for Authentication_Profile_SAML_GP-vsys1 -mfa
99%

L2 Linker

Is there any recommendation for this post? We are running into same error for 10.2.3 after firewall upgrade. 

L2 Linker

Hi Team,

 

Good Morning !

We are also facing same issue ,do we have any solution for this issue?

L0 Member

Can you check if you are connected to LDAP. Also check the authd.log

 

L2 Linker

Hi Team,

 

yes ,i have checked the Authd.log which was showing the Authentication server could not find the aftersome time Authentication server connected after that its started working 

L0 Member

Can you please share the Authd.logs 

 

L0 Member

I believe this is the log can you please check same in useridd.log 
could not find auth server id vector for Authentication Profile

 

  • 7414 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!