11-04-2014 09:47 AM
Ever since our users started upgrading the iPads to iOS 8, we have been noticing that the Global Protect VPN connection gets disconnected rather quickly.
From my own experience, it looks like I get disconnected after a few minutes(judging by the Traffic Logs) but the VPN icon still shows on the iPad.
This is causing trouble for our users because they think they're connected to VPN but in reality they are not. It is also causing them to have to re-authenticate more frequently.
11-04-2014 10:00 AM
Hello jambulo ,
PAN do have support for iOS 8 in the latest GP client release. You may update logs here for a deeper look.
How to Export Logs from GlobalProtect App on iOS or Android
Troubleshooting GlobalProtect, PAN-OS 4.1
Thanks
11-04-2014 11:20 AM
I opened a case a little while ago, just waiting for a response. I was just curious to see if anyone else is experiencing the same issue. I also uploaded logs from the client and firewall.
I am running iOS 8.1 and Global Protect 2.0.2.
Right before I think the GP client disconnects, this is what I see in the PanGPS log...
Debug(2569): Msg length is 2715. Sending POST /ssl-vpn/hipreport.esp HTTP/1.1
Info (2958): sent HIP report to X.X.X.X
Debug( 561): Network status changed: 10003
Debug( 565): Network is reachable, set net change event
Debug(2699): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
Debug(2986): Response status of HIP report is success, gateway X.X.X.X
Debug(2988): Hip report returns success.
Info (2802): Got hip notification from gateway X.X.X.X
Debug(2809): Hip notification is empty in the HIP report check response from gateway X.X.X.X
Debug(2817): SSL is disconnected. Returns TRUE.
Debug( 860): SendHipReportToGateway X.X.X.X returns TRUE.
Debug( 472): Failed to send response message to app
Debug( 699): Send response to client with result 1
Debug(2469): HipReportThread: wait for HIP report ready event.
Debug(2736): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=1, m_bAgentEnabled=1, m_bJustResumed is 0, m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 1, IsVPNInRetry() is 0.
Debug( 119): interface en0 ip X.X.X.X/X.X.X.X
Debug( 537): Wifi interface is ready
Debug( 542): Network rechability flag is 0x10003
Debug( 547): Network type is Wifi
Debug( 797): Network type changed from 2 to 2
Debug( 119): interface en0 ip X.X.X.X/X.X.X.X
Debug(2742): NetworkConnectionMonitorThread: Detected route change, but skip network discovery.
...nothing shows in the System Logs that my client was or did disconnect.
11-04-2014 11:29 AM
Hi Jambulo,
Can you confirm the common name on your certificates and your configuration on your external gateway :
If your certificate has a comman name of "mycompany.com", could you please confirm, if your gateways config has "mycompany.com" as well instead of IP of interface. If not, then could you please change, commit and test it again.
If that does not help then can you try upgrading the GP Clients on iOS to 2.1.0 and see if that makes any difference. Thank you.
11-07-2014 12:55 PM
My "External Gateway" (under Global Protect > Portals > Client Config) is set to the IP address of the Gateway. The Common Name of the certificate uses the FQDN.
I didn't think this mattered, since the Client Config here does not get pushed to the iOS Global Protect Client.
I'm currently on iOS Global Protect client 2.0.2(verified by checking in the "About" tab of the client). I did not even know there was a 2.1.0. Looking at my iPad now in the App Store, it does not say there is an update for Global Protect. In the App Store, it also displays that the version in the App Store is 2.1.0. It just does not let me upgrade to it.
EDIT: I just uninstalled/reinstalled Global Protect and now I am on 2.1.0. It looks like the App Store is not correctly updating Global Protect(it thinks it's up to date but it really is not).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
