Unable to authenticate through Global Protect

Reply
L2 Linker

Unable to authenticate through Global Protect

I m currently unable to authenticate through Global Protect. I’ve looked at the config which looks correct and I can’t see anything obvious in the logs. Are you able to assist? I’ve paste the logs below.

 

 

 

2019-09-16 14:03:19.305 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla@wyongccs.nsw.edu.au" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:19.305 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:19.305 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla@wyongccs.nsw.edu.au" in request->username

2019-09-16 14:03:19.305 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:19.306 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla@wyongccs.nsw.edu.au" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla@wyongccs.nsw.edu.au": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:19.306 +1000 failed authentication for user 'sagierhartla@wyongccs.nsw.edu.au'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:19.306 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla@wyongccs.nsw.edu.au' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110501)

2019-09-16 14:03:35.492 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.492 +1000 debug: pan_authd_handle_is_kerberized_req(pan_authd_kerberos_sso.c:1050): return is_kerberized = false for <profile: "GP-VPN-AUTH", vsys: "vsys1", remotehost "", krb_sso_hostname "vpn.wyongccs.nsw.edu.au">

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:35.560 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.560 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:35.564 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99962, body length 2384

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "sagierhartla"> ; timeout setting: 25 secs ; authd id: 6730648317623110504

2019-09-16 14:03:35.564 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:35.564 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:35.564 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla" in request->username

2019-09-16 14:03:35.564 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:35.565 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:35.565 +1000 failed authentication for user 'sagierhartla'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:35.565 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110504)

2019-09-16 14:03:39.165 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:39.166 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:39.166 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:39.166 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:39.169 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99964, body length 2384

2019-09-16 14:03:39.169 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "spadmin"> ; timeout setting: 25 secs ; authd id: 6730648317623110506

 

L2 Linker

Re: Unable to authenticate through Global Protect

It seems that cannot find a server in auth GP-VPN-AUTH so go there to see what you have stated and then go to server profile to see if the profile has any IP .

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!