Difficulties creating a secondary VPN tunnel


L2 Linker

I'm having trouble authenticating with a second VPN tunnel that I've created.

I've created a new Portal and Gateway, almost identical to the previous ones. Obviously with its own external IP, certificate that fits the given domain.
Created a new Zone with a tunnel interface associated with it, which is also connected to a static route with the new GP IP range.

From GlobalProtect, I'm getting the following when I start logging:

GetHttpResponse()...

(T1192) 08/14/14 10:39:46:593 Debug(1787): portal proxyparam is empty

(T1192) 08/14/14 10:39:46:593 Debug(1838): IPADDR=vpn._______.com,PORT=443,URL=/global-protect/getconfig.esp,POST=1,PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1

(T1192) 08/14/14 10:39:46:593 Debug( 734): Send response to client for request https_request

(T1192) 08/14/14 10:39:46:794 Debug(1886): receive pan_msg_ping, 3

(T1192) 08/14/14 10:39:56:673 Debug(1886): receive pan_msg_ping, 3

(T4196) 08/14/14 10:40:03:330 Debug( 407): HipMissingPatchThread: now is 1408005603, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:40:03:330 Debug( 412): HipMissingPatchThread: wait -820000 ms

(T4196) 08/14/14 10:40:03:330 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005603.

(T4196) 08/14/14 10:40:03:330 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:40:03:330 Debug(  63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:40:03:330 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

(T1192) 08/14/14 10:40:06:705 Debug(1886): receive pan_msg_ping, 3

(T4196) 08/14/14 10:40:08:830 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T1192) 08/14/14 10:40:16:768 Debug(1886): receive pan_msg_ping, 3

(T1192) 08/14/14 10:40:16:768 Debug(2034): HTTP_RPC, len=0, result is

(NULL)...

(T1192) 08/14/14 10:40:16:768 Error(4279): pszXmlConfig is NULL. 8614

(T1192) 08/14/14 10:40:16:768 Debug(1426): close WinHttp close handle.

(T1192) 08/14/14 10:40:16:768 Info (3746): Skip reading cached portal config.

(T1192) 08/14/14 10:40:16:768 Debug(3754): portal status is Invalid portal.

(T1192) 08/14/14 10:40:16:768 Debug(3755): returns 0.

(T1192) 08/14/14 10:40:16:768 Debug(3284): ServerThread: ProcessServerPortal -- return SendResponseToClient(socket, PAN_SERVER_PORTAL)

(T1192) 08/14/14 10:40:16:768 Debug(3070): Set state to Disconnected

(T1192) 08/14/14 10:40:16:768 Debug( 734): Send response to client for request portal

(T4196) 08/14/14 10:40:17:835 Debug( 364): PanGpHipMp.exe exit for checking misssing patches.

(T4196) 08/14/14 10:40:17:835 Debug( 362): CheckHipMissingPatchInOtherProcess(): exits.

(T4196) 08/14/14 10:40:17:835 Debug( 441): Hip missing patch checking duration is 14

(T4196) 08/14/14 10:40:39:845 Debug( 407): HipMissingPatchThread: now is 1408005639, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:40:39:845 Debug( 412): HipMissingPatchThread: wait -860000 ms

(T4196) 08/14/14 10:40:39:845 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005639.

(T4196) 08/14/14 10:40:39:845 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:40:39:845 Debug(  63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:40:39:845 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

(T4196) 08/14/14 10:40:45:353 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T4196) 08/14/14 10:40:49:980 Debug( 364): PanGpHipMp.exe exit for checking misssing patches.

(T4196) 08/14/14 10:40:49:980 Debug( 362): CheckHipMissingPatchInOtherProcess(): exits.

(T4196) 08/14/14 10:40:49:980 Debug( 441): Hip missing patch checking duration is 10

(T4196) 08/14/14 10:41:09:993 Debug( 407): HipMissingPatchThread: now is 1408005669, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:41:09:993 Debug( 412): HipMissingPatchThread: wait -888000 ms

(T4196) 08/14/14 10:41:09:993 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005669.

(T4196) 08/14/14 10:41:09:993 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:41:09:993 Debug(  63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:41:09:993 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

(T4196) 08/14/14 10:41:15:500 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T4196) 08/14/14 10:41:19:402 Debug( 364): PanGpHipMp.exe exit for checking misssing patches.

(T4196) 08/14/14 10:41:19:402 Debug( 362): CheckHipMissingPatchInOtherProcess(): exits.

(T4196) 08/14/14 10:41:19:402 Debug( 441): Hip missing patch checking duration is 10

(T4196) 08/14/14 10:41:39:415 Debug( 407): HipMissingPatchThread: now is 1408005699, last hip check is 1408001201, hip check interval is 3600000

(T4196) 08/14/14 10:41:39:415 Debug( 412): HipMissingPatchThread: wait -918000 ms

(T4196) 08/14/14 10:41:39:415 Debug( 434): nSleep <= 0. m_tLastHipCheckEventWakeup is 1408001201, m_dwHipCheckInterval is 3600000, Now is 1408005699.

(T4196) 08/14/14 10:41:39:415 Debug( 358): CheckHipMissingPatchInOtherProcess()

(T4196) 08/14/14 10:41:39:415 Debug(  63): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe

(T4196) 08/14/14 10:41:39:415 Debug( 324): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe

From the system log in PAN I'm getting:

"GlobalProtect portal user authentication failed. Login from: 1.2.3.4, User name: user, Reason: Authentication failed: Invalid username or password , Auth type: profile"

Did also receive one error: "User 'user'' failed authentication.  Reason: User is not in allowlist From: 1.2.3.4" Even though I've defined the user in both the client config for the Portal, including in the authentication profile that the portal is associated with.

Does anyone have suggestions as to what the cause might be?
Last time I set up the GP I was instructed, so there's a chance that I've missed a few details.

Feel free to ask for more information if needed.

Appreciate the help!
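
Added example, not part of the original post or of any Palo Alto Networks tooling: a small triage script for a client debug log in the format quoted above, which separates the portal request thread from the repeating HIP patch-check lines and pulls out the getconfig request parameters, the portal status and the portal-side errors. The host `vpn.example.com`, the sample lines and the function names `parse` and `triage` are constructed for illustration, and treating every message containing "Hip" as background noise is an assumption of this example.

```python
import re

# Constructed sample in the same line format as the client log quoted above.
SAMPLE_LOG = r"""
(T1192) 08/14/14 10:39:46:593 Debug(1838): IPADDR=vpn.example.com,PORT=443,URL=/global-protect/getconfig.esp,POST=1,VERIFY_CERT=0,ADDITIONAL_CHECK=1
(T1192) 08/14/14 10:39:46:794 Debug(1886): receive pan_msg_ping, 3
(T4196) 08/14/14 10:40:03:330 Debug( 358): CheckHipMissingPatchInOtherProcess()
(T4196) 08/14/14 10:40:08:830 Error( 340): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe
(T1192) 08/14/14 10:40:16:768 Error(4279): pszXmlConfig is NULL. 8614
(T1192) 08/14/14 10:40:16:768 Debug(3754): portal status is Invalid portal.
(T1192) 08/14/14 10:40:16:768 Debug(3070): Set state to Disconnected
"""

# (thread) date time level(source line): message
LINE_RE = re.compile(
    r"^\((T\d+)\)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+"
    r"(\w+)\s*\(\s*(\d+)\):\s?(.*)$"
)

def parse(log_text):
    """Return one dict per line that matches the client log format."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            thread, ts, level, _src, msg = m.groups()
            events.append({"thread": thread, "ts": ts, "level": level, "msg": msg})
    return events

def triage(events):
    """Summarise the portal exchange and count HIP patch-check lines apart."""
    report = {"request": {}, "portal_status": None, "final_state": None,
              "portal_errors": [], "hip_lines": 0}
    for e in events:
        msg = e["msg"]
        if "Hip" in msg:
            report["hip_lines"] += 1  # HIP patch-check thread, counted but not analysed
        elif "URL=/global-protect/getconfig.esp" in msg:
            # Request parameters exactly as logged (key=value, comma separated)
            report["request"] = dict(kv.split("=", 1) for kv in msg.split(",") if "=" in kv)
        elif msg.startswith("portal status is "):
            report["portal_status"] = msg[len("portal status is "):].rstrip(".")
        elif msg.startswith("Set state to "):
            report["final_state"] = msg[len("Set state to "):]
        elif e["level"] == "Error":
            report["portal_errors"].append(msg)
    return report

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```
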

2 REPLIES

L7 Applicator

This is probably a problem with the LDAP authentication for the group or users assigned for the allow list.  Check out the troubleshooting process in this document to confirm the LDAP connection and naming conventions.

GlobalProtect Login Fails When Using a Group in the Allow List

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

I have also seen the above authentication failure messages in case of LDAP authentication due to mis-configuration. The most common one is that the "sAMAccountName" attribute is missing from the authentication profile. See below for details:

test.png
