Global Protect 4.0.2 -19 cannot connect to Portal

Reply
Highlighted
L2 Linker

Global Protect 4.0.2 -19 cannot connect to Portal

Hello everybody,

 

we are facing a big problem regarding the GlobalProtect Client.

Problem is that some Users can connect via GlobalProtect but some can not.

Setting up a new User Profile fixes the Problem but that is not a solution.

We are struggeling to find the cause inside the User Profiles which causes this behavior. 

If any of you have a suggestion on how to fix this we are thankfull to hear it.

 

This is the GlobalProtect Log from one of the Users who cannot connect:

 

ion event.
(T5180) 11/10/17 08:14:50:314 Debug( 538):  WscCallback
(T5180) 11/10/17 08:14:50:314 Debug( 540): SetWscEvent
(T2232) 11/10/17 08:14:53:330 Debug( 416): before check wsc
(T2232) 11/10/17 08:14:53:330 Info (6779): Portal config does not exist
(T2232) 11/10/17 08:14:53:330 Debug(6786): Failed to get wsc-autodetect from config, try local
(T2232) 11/10/17 08:14:53:330 Debug( 370): wsc-autodetect is disabled
(T2232) 11/10/17 08:14:53:330 Debug( 405): before WaitForMultipleObjects
(T3892) 11/10/17 08:17:03:152 Info ( 431): msgtype = user_credential
(T3892) 11/10/17 08:17:03:152 Debug(2178): ServerThread: ProcessServerUserCredential. Redirect to processServerPortal.
(T3892) 11/10/17 08:17:03:152 Debug(1428): ServerThread: ProcessServerPortal
(T3892) 11/10/17 08:17:03:152 Debug(1430): Reset portal user auth cookie.
(T3892) 11/10/17 08:17:03:152 Debug(1437): user-profile-type tag exists with value 0
(T3892) 11/10/17 08:17:03:152 Debug(1493): checkupdate tag exists with value no
(T3892) 11/10/17 08:17:03:152 Debug(1497): bCheckUpdate is false.
)(T3892) 11/10/17 08:17:03:152 Debug(1508): portal-certificate-verification tag exists with value yes
(T3892) 11/10/17 08:17:03:152 Debug(1517): m_bVerifyPortalCertificate and m_bAdditionalCheck are true.
)(T3892) 11/10/17 08:17:03:152 Debug(1527): allow-cached-portal tag exists with value no
(T3892) 11/10/17 08:17:03:152 Debug(1531): bAllowCachedPortal is false.
)(T3892) 11/10/17 08:17:03:152 Debug(1537): Reset network discover ready event.
(T3892) 11/10/17 08:17:03:152 Debug(1557): This portal message is not from prelogon thread
(T3892) 11/10/17 08:17:03:152 Debug(1560): Clear lastErrStr
(T3892) 11/10/17 08:17:03:152 Debug(1562): m_szNewWinUser is ZZZ, m_szWinUser is 
(T3892) 11/10/17 08:17:03:152 Debug(1563): m_bPreviousSwitchOffMsg is 0
(T3892) 11/10/17 08:17:03:152 Debug(4479): StartThreads():
(T3892) 11/10/17 08:17:03:152 Debug(8939): CPanMSServiceWin::UpdateDisableGPSetting() - bDisabled=0.
(T3892) 11/10/17 08:17:03:152 Debug(1618): No user home path in portal message.
(T3892) 11/10/17 08:17:03:152 Debug(1628): No domain in portal or user credential message.
(T3892) 11/10/17 08:17:03:152 Debug( 217): pid of PanGPA is 8184, m_dwPanGpAgentPid is 8184
(T3892) 11/10/17 08:17:03:152 Debug(1644): gets user name ZZZ.
(T3892) 11/10/17 08:17:03:152 Debug(1683): gets saved-user name .
(T3892) 11/10/17 08:17:03:152 Debug(7238): Saved password is empty.
(T3892) 11/10/17 08:17:03:152 Debug(1827): Pre-logon-then-on-demand value is no
(T3892) 11/10/17 08:17:03:152 Debug(1408): SSO starts.
(T3892) 11/10/17 08:17:03:152 Debug(  73): CTranslate: dwSidLen is 24
(T3892) 11/10/17 08:17:03:152 Debug(1429): (T3892) 11/10/17 08:17:03:152 Debug(1912): empty domain name.
(T3892) 11/10/17 08:17:03:152 Debug(1937): bCheckCachedPortalForPrelogon 0, m_nPrelogonTunnelRenameTimeout -1, GetPrelogonStatus() 2, m_userName ZZZ, m_preUsername pre-logon
(T3892) 11/10/17 08:17:03:152 Debug(1940): bPrelogonNeedTimeout is 0, m_nPrelogonTunnelRenameTimeout is -1, IsUserJustLoginInPrelogon() is 1, GetPrelogonStatus() is 2, m_userName is ZZZ, m_preUsername is pre-logon
(T3892) 11/10/17 08:17:03:152 Debug(4629): Set state to Retrieving configuration...
(T3892) 11/10/17 08:17:03:152 Debug(1549): unknown network type.
(T3892) 11/10/17 08:17:03:152 Debug(5033): ServerThread: ProcessServerPortal -- GetConfigFromPortal
(T3892) 11/10/17 08:17:03:152 Debug(3149): Machine's device id is 033c195e-4fb2-45cc-81e4-6de44eea985f
(T3892) 11/10/17 08:17:03:152 Debug(5495): entering.
(T3892) 11/10/17 08:17:03:152 Debug(9487): Portal's ipv4 address ZZZ.ZZZ.ZZZ.ZZZ
(T3892) 11/10/17 08:17:03:152 Debug(5534): SSO enable status is 0, user name is ZZZ, domain name is .
(T3892) 11/10/17 08:17:03:152 Debug(5537): reset user authentication status to true.
(T3892) 11/10/17 08:17:03:152 Debug(1990): open http session. 
(T3892) 11/10/17 08:17:03:152 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T3892) 11/10/17 08:17:03:152 Debug(1470): Auto detect proxy for host vpn.ZZZ.de
(T3892) 11/10/17 08:17:03:152 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 0 url: proxy: bypass:
url:https://vpn.ZZZ.de/ returned proxystr:
(T3892) 11/10/17 08:17:03:152 Debug(1512): m_proxyInfo.dwAccessType is 0, m_proxyInfo.lpszProxy is (null)
(T3892) 11/10/17 08:17:03:152 Debug(8448): Scep clean
(T3892) 11/10/17 08:17:03:152 Debug(8450): Clean m_pScepCert
(T3892) 11/10/17 08:17:03:152 Debug(3392): Clean m_szScepCertPanName
(T3892) 11/10/17 08:17:03:152 Debug(3284): TriggerCaptivePortalDetection()  end 
(T5556) 11/10/17 08:17:03:152 Debug(3381): CaptivePortalDetectionThread: delay 2 seconds before captive portal detection. m_bIsDetectingCaptivePortal=1, m_bPreLoginIsDone = 0
(T5556) 11/10/17 08:17:03:152 Debug(3359): CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(T3892) 11/10/17 08:17:03:152 Debug( 408): Found ipv4 default route
(T3892) 11/10/17 08:17:03:152 Debug(4689): Pre-login...,verifyportalcert=yes
(T3892) 11/10/17 08:17:03:152 Debug(  78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T3892) 11/10/17 08:17:03:168 Debug(1339): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer exists. File is tca.cer
(T3892) 11/10/17 08:17:03:168 Debug( 915): set trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T3892) 11/10/17 08:17:03:168 Debug( 408): Found ipv4 default route
(T3892) 11/10/17 08:17:03:168 Debug(  48): WSAGetLastError() returns 10035
(T3892) 11/10/17 08:17:03:230 Debug(1165): X509_verify_cert result is 1
(T3892) 11/10/17 08:17:03:230 Debug(7611): CheckServerCert(): Sever certificate has been verified with trusted root ca.
(T3892) 11/10/17 08:17:03:230 Debug( 731): StandardizeIpv6Format host=vpn.ZZZ.de
(T3892) 11/10/17 08:17:03:230 Debug( 793): standardized name is vpn.ZZZ.de
(T3892) 11/10/17 08:17:03:230 Debug( 731): StandardizeIpv6Format host=vpn.ZZZ.de
(T3892) 11/10/17 08:17:03:230 Debug( 821): standardized common name is vpn.ZZZ.de
(T3892) 11/10/17 08:17:03:230 Debug( 942): Check domain name vpn.ZZZ.de versus CN anme vpn.ZZZ.de
(T3892) 11/10/17 08:17:03:230 Debug( 905): Cert vpn.ZZZ.de name check succeeded
(T3892) 11/10/17 08:17:03:230 Debug(1197): SSL3 alert write:warning:close notify
(T3892) 11/10/17 08:17:03:230 Debug(7631): CheckServerCert() returns 4099
(T3892) 11/10/17 08:17:03:230 Debug(2512): portal proxyparam is empty
(T3892) 11/10/17 08:17:03:230 Debug(2534): OID, oid=
(T3892) 11/10/17 08:17:03:230 Debug(2578): IPADDR=vpn.ZZZ.de,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(T3892) 11/10/17 08:17:03:230 Debug(1024): Send response to client for request https_request
(T3892) 11/10/17 08:17:03:230 Debug(2608): gpapintimeout not set, set it to 600 seconds
(T3892) 11/10/17 08:17:03:339 Debug(2678): receive pan_msg_ping, 3
(T3892) 11/10/17 08:17:03:441 Debug(2678): receive pan_msg_ping, 3
(T3892) 11/10/17 08:17:03:553 Debug(2857): HTTP_RPC, len=0, result is 
(NULL)...
(T3892) 11/10/17 08:17:03:553 Debug(4776): prelogin to portal result is 
(null)
(T3892) 11/10/17 08:17:03:553 Debug(4986): Failed to pre-login to the portal vpn.ZZZ.de. Error 0
(T3892) 11/10/17 08:17:03:553 Debug(2015): close WinHttp close handle.
(T3892) 11/10/17 08:17:03:553 Info (6732): Portal config does not exist, try registry/plist
(T3892) 11/10/17 08:17:03:553 Debug(6742): Failed to get version from config, try local
(T3892) 11/10/17 08:17:03:553 Info (5675): failed to retrieve value of the tag version.
(T3892) 11/10/17 08:17:03:553 Info (5689): Skip reading cached portal config.
(T3892) 11/10/17 08:17:03:553 Debug(8102): No scep profile
(T3892) 11/10/17 08:17:03:553 Debug(5702): portal status is Invalid portal.
(T3892) 11/10/17 08:17:03:553 Debug(5703): returns 0.
(T3892) 11/10/17 08:17:03:553 Info (5065): GetConfigFromPortal failed, restore previous prelogon username
(T3892) 11/10/17 08:17:03:553 Debug(4629): Set state to Disconnected
(T3892) 11/10/17 08:17:03:553 Debug(1549): unknown network type.
(T3892) 11/10/17 08:17:03:554 Debug(1024): Send response to client for request portal
(T3892) 11/10/17 08:17:03:554 Debug(7863): Set m_bPreviousSwitchOffMsg to 0
(T5556) 11/10/17 08:17:05:184 Debug( 408): Found ipv4 default route
(T5556) 11/10/17 08:17:05:184 Debug(  48): WSAGetLastError() returns 10035
(T5556) 11/10/17 08:17:05:233 Debug(  94): pan_http_captive_portal_detection: status is 204
(T5556) 11/10/17 08:17:05:233 Debug(3301): DetectCaptivePortal: captive portal is not detected for CP server index = 0. iStatus = 204
(T5556) 11/10/17 08:17:05:294 Debug( 408): Found ipv4 default route
(T5556) 11/10/17 08:17:05:295 Debug(  48): WSAGetLastError() returns 10035
(T5556) 11/10/17 08:17:05:345 Debug(  94): pan_http_captive_portal_detection: status is 200
(T5556) 11/10/17 08:17:05:345 Debug( 127): pan_http_captive_portal_detection(): head start=659, end=687.
(T5556) 11/10/17 08:17:05:345 Debug( 139): pan_http_captive_portal_detection() - captive portal isn't detected against server.
(T5556) 11/10/17 08:17:05:345 Debug(3301): DetectCaptivePortal: captive portal is not detected for CP server index = 1. iStatus = 200
(T5556) 11/10/17 08:17:05:345 Debug(3452): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T5556) 11/10/17 08:17:05:345 Debug(3359): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.

 

Highlighted
L7 Applicator

cant offer much help on this but have tagged for updates.

 

we do have this issue now and again but with over 4k of GP devices we only get 1, maybe 2 a year.

we just replace the imaged laptop with one from stock and re image.

 

our AD policies are very strict and perhaps this doesn't help.

 

i did try a few basic tests, can you reach the portal address via IE to prove this is not a winhttp issue. also you may want to just check to see if wireshark picks up any attempt whatsoever to contact the portal.

 

also... do you have any proxy settings that might prevent the connection.

 

 

Highlighted
L7 Applicator

cancel the proxy option,,, just seen it in logs.

Highlighted
L2 Linker

What do you mean by "cancel the proxy option" ?

Our Proxy has an exception to let connections to our VPN through.

Even if we remove the proxy it still won't connect.

 

The weird thing is that if we setup a new User Profile (and delete the saved local Profile on that Notebook) it works. So I guess it must be the Profile.

And no, I cannot access our HTTPS Website of GlobalProtect. When I try to access it I have to confirm our Certificate and after that I get:

"This Website can't be displayed."

 

Highlighted
L7 Applicator

i meant cancel my comment regarding proxy.

 

have you tried to wireshark the connection, i would set capture option to  "port 53 or port 443 or (whatever your proxy port is)"

just to cut out the chaff.

 

 

 

I don't think this will help with the profile issue but will show exactly what is going on at connection attempt.

Highlighted
L2 Linker

 

According to Wireshark:

 

- Resolves the DNS Name of the GP Server correctly

- Does the handshake successfully

- Gets the Certificate from the GP Server

 

But then it just stops...

it was a total of 8-10 packets, so not much at all.

 

I realized that with a working Profile I get a Certificate Warning (which I can confirm) that it wasn't signed by a public authority and may be not trustworthy. With the broken Profile I don't get such warning.

Highlighted
L7 Applicator

@husetech. Hi.

 

thanks for the update, I honestly cannot offer any more advice and pretty much done the same tests as you.

 

if you have time... could you confirm the following. just for future reference.

 

when the profile is broken, are you able to remove proxy settings and connect to another site via https or is it just your GP portal.

 

Mick.

 

Highlighted
L2 Linker

Hey,

 

it is just the GP Portal indeed. At the moment you try to access it, Internet Explorer gives you Windows-Security Message.

In this message you have to confirm the Certificate (looks similar to the message you get when u connect vie GP with a working Profile). Once you press "OK", the message disappears followed by a "Can't reach Website" Window.

 

Thanks for the support so far. If anyone else has come accross this issue and knows a solution feel free to let me know.

Highlighted
L2 Linker

Just trying to bumb the Thread to see if anyone came accross the same problem.

Highlighted
L0 Member

Pls try the below steps may this will resolve the issue 

 

1. Launch an elevated (admin) powershell window.

2. Enter the following command.

Stop-Service winmgmt -Force; winmgmt /resetrepository

3. Restart the computer you just reset the WMI repository on.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!