Global protect client stuck on connecting


Hi All - Global protect client for a few users is stuck on connecting state, is anyone able to help me look into

 


P 865-T24627 Mar 05 07:15:48:180208 Info ( 495): Server is trusted ***.gpcloudservice.com(0.0.0.0)
P 865-T19203 Mar 05 07:15:48:445236 Info ( 389): Finished with ****.gpcloudservice.com:443
P 865-T19203 Mar 05 07:15:48:445253 Debug( 309): Received data with length 585
P 865-T19203 Mar 05 07:15:48:445262 Debug(8603): Portal config digest matched
P 865-T19203 Mar 05 07:15:48:445316 Debug( 567): pan_read_text_from_file(): File does not exist. File: /Users/test.test@joebloggs.com/Library/Application Support/PaloAltoNetworks/GlobalProtect/PanPortalCfg_179d8e2a036712f435542e261be3b2.dat
P 865-T19203 Mar 05 07:15:48:445320 Error(8617): Failed to load cached portal config
P 865-T19203 Mar 05 07:15:48:445323 Debug(8619): Delete portal config digest file /Users/test.test@joebloggs.com/Library/Application Support/PaloAltoNetworks/GlobalProtect/PanPCD_179d8e2a036712f435542e261be3b2.dat
P 865-T19203 Mar 05 07:15:48:446736 Error( 252): Failed to get agent-config from portal configuration.
P 865-T19203 Mar 05 07:15:48:446745 Debug( 620): No hip collection defined
P 865-T19203 Mar 05 07:15:48:446750 Debug( 672): No agent-config defined
P 865-T19203 Mar 05 07:15:48:446789 Error( 686): No agent-ui defined
P 865-T19203 Mar 05 07:15:48:446806 Error(9099): Failed to parse portal config: <?xml version="1.0" encoding="UTF-8" ?>
<policy>
<config-digest-matched/>
<portal-userauthcookie>pej4Zer5CTexiOFQI4KA+INNA7K5NgrXHutRVE/1jgyc4Rr+LFUJQCUDof8pTHuHhDkW1gcKcGoTKSE0H9BbdTrkeIYzxM9qZhcfIP8mGiBECd15xCRSfcsfcWeHikxyxY6+OlBa1oGx6zvmZErXYjB7GURMxPhbB0K//EcJ6u6mdeSNo7JlcoouhQwCSUKJpmvgap0KRw6pgHWqB3nuUhbseMMKf+nizTnMK/N+Lvh0u4Omt1vSPvd0eblAA0roRd/k+ymhmaleR6rBAtyiW06P1irUAII4E982KMv4Cu9MPLbHiFvM/RyDDT8ndD4/GFCEHowIV5J5hCzecOQYjA==</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
<password-exp-days>0</password-exp-days></policy>

P 865-T19203 Mar 05 07:15:48:446809 Debug(8657): No scep profile
P 865-T19203 Mar 05 07:15:48:446813 Debug(7625): Return false for saml auth
P 865-T19203 Mar 05 07:15:48:446815 Debug(7626): m_preUsername ___empty_username___, IsInPrelogon() 0
P 865-T19203 Mar 05 07:15:48:447304 Debug(1506): Send response to client for request saml-pre-login
P 865-T18203 Mar 05 07:16:17:950308 Debug( 210): WAIT_TIMEOUT

 

 


P 865-T18203 Mar 05 07:16:17:950324 Debug( 763): HipMonitorThread quits


Hi @Nisha_Bharadia,

 

What GP version are you using?

What OS are the problematic users using?

 

Looking at your logs, I assume you have a different GP config per user group, and the problematic users are not matching any of the defined GP portal -> agent -> config entries.

 

P 865-T19203 Mar 05 07:15:48:446736 Error( 252): Failed to get agent-config from portal configuration.
P 865-T19203 Mar 05 07:15:48:446745 Debug( 620): No hip collection defined
P 865-T19203 Mar 05 07:15:48:446750 Debug( 672): No agent-config defined

 

- Check if the problematic users are part of the defined user groups.

- Check if the users are using the same OS platform defined in the agent config (win, mac, linux).

- If the users were recently added to the corresponding user group, wait for the group mapping to refresh the information. Check your group-mapping config for the interval at which the fw is updating the data.

 

Thank you Alexander.

 

The OS is set to "any" and the group mapping is set to the default 1 hour; however, no value has been entered, it just says "default".

 

The users are all on Big Sur macOS, and maybe 1-2 Windows users, all based in the USA. No one in the UK is affected.

 

We were using GlobalProtect version 5.1.5, however today we have updated to 5.2.5.

 

 

(T10900)Debug(8339): 03/04/21 08:18:25:129 ----Portal Login starts----
(T10900)Debug( 41): 03/04/21 08:18:25:130 Roaming profile is false
(T10900)Debug( 167): 03/04/21 08:18:25:137 profileInfo username testtest, profile path (null), server (null)
(T10900)Debug(1912): 03/04/21 08:18:25:141 Unserialized non-empty cookie for portal test.gpcloudservice.com and user test.test@com
(T10900)Debug(8353): 03/04/21 08:18:25:141 Cookie exists for saved user testtest@test.com. Update saved user to user. Continue for saml
(T10900)Error(8300): 03/04/21 08:18:25:141 GetPassword(): invalid parameter.
(T10900)Debug(13270): 03/04/21 08:18:25:141 Failed to get portal saved password.
(T10900)Debug(10052): 03/04/21 08:18:25:141 Password is empty.
(T10900)Debug( 312): 03/04/21 08:18:25:141 No need to decrypt data with length 0
(T10900)Debug(2046): 03/04/21 08:18:25:142 Portal config digest is retrieved from file C:\Users\testest\AppData\Local\Palo Alto Networks\GlobalProtect\PanPCD_7d7f51be3ae9afe540bbb98a9315ca82.dat.
(T10900)Debug(2047): 03/04/21 08:18:25:142 Portal config digest is b76de6f7e7dfac82c2bd01d28dbd9017
(T10900)Debug( 41): 03/04/21 08:18:25:143 Roaming profile is false
(T10900)Debug( 167): 03/04/21 08:18:25:150 profileInfo username test.test, profile path (null), server (null)
(T10900)Debug(1912): 03/04/21 08:18:25:154 Unserialized non-empty cookie for portal test.gpcloudservice.com and user test.test@test.com
(T10900)Debug(1841): 03/04/21 08:18:25:154 Unserialized non-empty cookie for portal test.gpcloudservice.com and pre-logon user.
(T10900)Debug(8398): 03/04/21 08:18:25:154 IsInPrelogon() 0, GetPrelogonStatus() 0
(T10900)Debug( 312): 03/04/21 08:18:25:154 No need to decrypt data with length 0
(T10900)Debug(6994): 03/04/21 08:18:25:154 use cached deviceSN
(T10900)Debug(6994): 03/04/21 08:18:25:154 use cached deviceSN
(T10900)Debug( 323): 03/04/21 08:18:25:154 ClearHipCustomCheckInfo(): pHipCustomCheckInfo is NULL.
(T10900)Debug( 85): 03/04/21 08:18:25:154 ClearHipCustomCheckRegKeyInfo(): pHipCustomCheckRegKeyInfo is NULL.
(T10900)Debug( 567): 03/04/21 08:18:25:154 pan_read_text_from_file(): File does not exist. File: C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_7d7f51be3ae9afe540bbb98a9315ca82.dat
(T10900)Debug( 77): 03/04/21 08:18:25:154 Portal config criteria is restored.
(T10900)Debug( 567): 03/04/21 08:18:25:154 pan_read_text_from_file(): File does not exist. File: C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_7d7f51be3ae9afe540bbb98a9315ca82.dat
(T10900)Debug(8475): 03/04/21 08:18:25:154 m_szDomainAndUsername is test.test@test.com
(T10900)Debug(2587): 03/04/21 08:18:25:154 encpostdata, encpostdata=0000020E07B14880, encpostdatalen=1232
(T10900)Debug(2757): 03/04/21 08:18:25:154 REQID=3,IPADDR=165.1.203.228,PORT=443,URL=/global-protect/getconfig.esp,POST=1,PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(T10900)Debug(1506): 03/04/21 08:18:25:155 Send response to client for request https_request
(T10900)Debug(2867): 03/04/21 08:18:25:264 receive pan_msg_ping, 3
(T10900)Debug( 226): 03/04/21 08:18:25:311 has-config is no and user-group-loaded is yes
(T10900)Debug(9112): 03/04/21 08:18:25:311 Use proxy is true
(T10900)Debug(9176): 03/04/21 08:18:25:311 No portal configuration. User group is loaded.
(T10900)Debug(8868): 03/04/21 08:18:25:311 Clear portal user auth cookie for portal test.gpcloudservice.com and user test.test@test.com.
(T10900)Debug(8892): 03/04/21 08:18:25:311 File C:\Users\testtestl\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_7d7f51be3ae9afe540bbb98a9315ca82.dat is deleted
(T10900)Debug(8911): 03/04/21 08:18:25:321 File C:\Users\test.test\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_7d7f51be3ae9afe540bbb98a9315ca82.dat is deleted
(T10900)Debug(8931): 03/04/21 08:18:25:321 File C:\Users\testestl\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg.dat does not exist
(T10900)Debug(8657): 03/04/21 08:18:25:321 No scep profile
(T10900)Debug(7625): 03/04/21 08:18:25:321 Return false for saml auth
(T10900)Debug(7626): 03/04/21 08:18:25:322 m_preUsername test.test@test.com, IsInPrelogon() 0
(T10900)Debug(1506): 03/04/21 08:18:25:322 Send response to client for request saml-pre-login
(T15264)Debug(6028): 03/04/21 08:18:52:245 NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
(T15264)Debug(4700): 03/04/21 08:18:52:245 No need to check gateway route since no tunnel.

Hi @Nisha_Bharadia ,

- Good thing that you have upgraded, as Big Sur had issues with older versions. 5.1.7 is the lowest that is working normally (if I recall correctly). But if you are running the latest on 5.2 you should be fine.

- I still see "(T10900)Debug(9176): 03/04/21 08:18:25:311 No portal configuration. User group is loaded." and I still believe users are failing to match the criteria defined for the portal agent config.

 

Can you try to create a test portal and gateway agent config at the bottom of your config, and on the "Config Selection Criteria" tab leave it as default with any OS and any user group? If the test user manages to connect with this configuration, the problem is definitely with missing group membership.

 

By the way, have you checked the logs on the firewall? Looking at your logs, you are probably using Prisma Access, right? I guess you are managing the settings via Panorama; I assume you should still have similar GP-related logs. For the working users you should see a log saying which portal config this user has matched, and the same for the gateway. Do you see similar logs for the non-working users?
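An added example, not part of the original posts and not Palo Alto Networks code: a small Python triage script that parses the two client log layouts quoted in this thread (macOS and Windows) and flags the messages the reply above reads as "user matched no portal agent config". The indicator strings and sample lines are copied from the logs posted in the thread; the function names and result tags are hypothetical.

```python
import re

# Two client log layouts appear in this thread: macOS ("P 865-T19203 Mar 05 ...")
# and Windows ("(T10900)Debug(9176): 03/04/21 ...").
MAC = re.compile(r"^P\s*\d+-T(?P<tid>\d+) (?P<ts>\w{3} \d{2} [\d:]+) "
                 r"(?P<level>\w+)\s*\(\s*(?P<code>\d+)\): (?P<msg>.*)$")
WIN = re.compile(r"^\(T(?P<tid>\d+)\)(?P<level>\w+)\s*\(\s*(?P<code>\d+)\): "
                 r"(?P<ts>\d{2}/\d{2}/\d{2} [\d:]+) (?P<msg>.*)$")

# Message substrings taken from the logs quoted in this thread (tags are hypothetical).
INDICATORS = {
    "Failed to load cached portal config": "cache_missing",
    "Failed to get agent-config from portal configuration": "no_agent_config",
    "No agent-config defined": "no_agent_config",
    "has-config is no and user-group-loaded is yes": "no_config_groups_loaded",
    "No portal configuration. User group is loaded": "no_config_groups_loaded",
}

def parse_line(line):
    """Return the fields of one log line, or None for non-log text (e.g. XML)."""
    m = MAC.match(line) or WIN.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """List (timestamp, thread id, tag) for every indicator found in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue  # continuation lines such as the dumped portal XML
        for needle, tag in INDICATORS.items():
            if needle in rec["msg"]:
                findings.append((rec["ts"], rec["tid"], tag))
    return findings

def verdict(findings):
    """Summarise following the reading given in the reply above."""
    tags = {tag for _, _, tag in findings}
    if "no_config_groups_loaded" in tags:
        return "no_match_with_groups_loaded"  # review config selection criteria
    if "no_agent_config" in tags:
        return "no_agent_config_returned"     # review criteria and group membership
    return "no_selection_failure"

# Sample lines copied from the two logs posted in this thread.
SAMPLE = """P 865-T19203 Mar 05 07:15:48:445320 Error(8617): Failed to load cached portal config
P 865-T19203 Mar 05 07:15:48:446736 Error( 252): Failed to get agent-config from portal configuration.
P 865-T19203 Mar 05 07:15:48:446750 Debug( 672): No agent-config defined
<policy>
(T10900)Debug( 226): 03/04/21 08:18:25:311 has-config is no and user-group-loaded is yes
(T10900)Debug(9176): 03/04/21 08:18:25:311 No portal configuration. User group is loaded."""
```

Running `verdict(triage(open(path).read()))` over logs from a working and a failing client shows whether the failing one ever received an agent config from the portal.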

Thank you!

The strange thing is UK users who are a part of the same Okta group were logged in fine. I tried signing out and back in and it worked like a charm; however, for USA users connecting to the Prisma US West node it was failing, and the only common thing between them really was that a few of them had Comcast as ISP and 2 had Charter / Xfinity as ISP, however they were mostly Mac Big Sur users and two Windows. They were part of the group mapping, I checked via CLI, but what I cannot understand is how a UK user who is a part of the same group worked and USA didn't. Do you notice any SAML errors, or is it purely that they were failing to match the Okta group?

thanks
