Automation of GlobalProtect installation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Automation of GlobalProtect installation

L0 Member

Hi all,

 

I am trying to automate the deployment of GlobalProtect software in laptops with Ubuntu installed and I have faced an issue not easy to explain. The operating system is being deployed automatically in chroot mode, and one of the last steps involves installing the package of GlobaProtect as root ( dpkg -i GlobalProtect-latest.deb)

 

After the laptop is restarted and a user logins, if the user tries to run the globalprotect command, it always receive the message:

 

:~$ globalprotect
Unable to establish a new GlobalProtect connection as a GlobalProtect connection is already established from this Linux system by the same user or another user.

 

Does not matter the attempts to reinstall the software later (With sudo or directly as root) the software does not allow any option and only shows above message.

 

I can confirm the software runs as root originally, or as under the user name after reinstallation:

 

Preparing to unpack .../GlobalProtect_deb-5.2.6.0-18.deb ...
gp service is running and we need to stop it...
Disable service...
PanGPA is running and we need to stop it...
stop gpa for sudo user username
Disable gpa user service...
Start upgrading gp...
Unpacking globalprotect (5.2.6-18) over (5.2.6-18) ...
systemd is detected.
Setting up globalprotect (5.2.6-18) ...
Enable gp service...
Starting gp service...
enable ping
net.ipv4.ping_group_range = 0 0
Starting gpa...
start GPA for sudo user username
Processing triggers for man-db (2.9.1-1) ...

 

~$ ps -ef | grep global
root 1559 1 0 15:16 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPS
root 2522 2510 0 15:35 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPA start
username 2663 2654 0 15:35 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPA start

 

 

Any clue why the messages keeps suggesting that there is any connection?

 

 

2 REPLIES 2

Community Team Member

Hi @Villabrille 

 

What is your connection method configured as ? Is your connection method set to 'on-demand' ?

 

This exact issue has been discussed several times ... any tips on these pages ?:

https://live.paloaltonetworks.com/t5/general-topics/unable-to-disconnect-global-protect-in-linux-mac...

https://live.paloaltonetworks.com/t5/general-topics/connection-issues-with-globalprotect-vpn/td-p/23...

 

Are there any GP logs from the time the issue occurs you can look at ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi Kiwi,

thanks for you reply. Those links have been reviewed, but the assumption that the issue is on the server side or that it gets solved with disconnect or disable on the client are pointing to the incorrect source. There is no setup performed or any account configured, so how can the application knows anything about the server as it is suggested on the links?

 

For those interested, you can try the solution suggested below (it worked in my case at all times that I tested it)....

 

The issue is clearly not at the server side, since we cannot run any   globalprotect disable   or   globalprotect disconnect     the application is not accepting any modifier (just outputting the error)

 

Let me add that at that point I just installed as root (without any account logged in) and stated that I still did not configure either any account or any server where to connect, it's clearly not a matter of missconfiguration on the server side.

 

Let me share the experiences here. You can easily reproduce the error by running the installation of the package as root (only) or in chroot.

 

 

  • The installation of the package is performed by root in chroot mode, or just with the server on but without any other account logged in the GDM or any X-Window (no graphical login). So the processes are started by root only (both PanGPS and PanGPA)
  • If you login by SSH (with a non-root account) and you run the installation through sudo, it still fails and shows the same message (now the processes are started PanGPS as root and PanGPA as the user logged through SSH). But still same annoying message.

Solution:

 

run the following commands:

:-$ sudo systemctl stop gpd   --> Unfortunately, it does not do anything, but....

:-$ sudo systemctl disable gpd

 

Now there will be two PIDs, one (2953 as an example) belongs to the PanGPA and the second (2571 as an example) belongs to the /lib/systemd/systemd --user that you also have to kill otherwise the system will relaunch PanGPA.
:-$ ps -ef | grep global 

root 2953 2571 0 15:19 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPA start

 

kill both:

:-$ sudo kill -9 $(ps -ef | grep -v grep | grep global | awk '{ print $2 " "$3}')   --> Or kill them separately with kill -9 2953 and kill -9 2571 (or the PID that the output shows).

 

 

Unfortunately, now you are forced to initiate a X-Window session in the computer (it does not work remotely through SSH) and then you have to run in a terminal window:

 

:-$ sudo dpkg-reconfigure globalprotect

 

Magia! now you are able to run globalprotect  (as a normal user) without the annoying message.

 

(eventually, the system can show you a message suggesting to run systemctl --user daemon-reload, you can run it as well.

Then you can run globalprotect connect --portal  host.supersecure.org

 

Note: All those commands where using the GlobalProtect_deb-5.2.6.0-18.deb version (not the UI version, since it does not integrate at all in Ubuntu, the GlobalProtect GUI Window is being showed at login, but if you click anywhere else, the window disappear and you cannot find it anymore 😉

 

  • 2837 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!