Global protect Notification

MickBall
L7 Applicator

@dmifsud Do you know what version of PAN gives this message out?

@Joshan_Lakhani What version of PAN-OS are you currently running?

I often see "switched to SSL" in user logs but still no popup for them.


Joshan_Lakhani
L4 Transporter

@MickBall

As I troubleshoot further I found that all the users are connected via SSL VPN, but we have configured the IPSec VPN.

GlobalProtect version is 5.2.5

(P4912-T7656)Debug( 166): 02/21/21 13:54:12:406 Trying to do ipsec connection to 178.153.34.106[4501]
(P4912-T7656)Debug( 487): 02/21/21 13:54:12:406 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:12:406 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:12:413 Network is reachable
(P4912-T7656)Info ( 178): 02/21/21 13:54:12:414 Connected to: 178.153.34.106[4501], Sending keep alive to ipsec socket...
(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive
(P4912-T7656)Debug( 229): 02/21/21 13:54:18:427 IPSec anti-replay statistics: outside window count 0, replay count 0
(P4912-T7656)Debug( 231): 02/21/21 13:54:18:427 Disconnect udp socket
(P4912-T7656)Info ( 364): 02/21/21 13:54:18:427 Connecting to 178.153.34.106 failed
(P4912-T7656)Info ( 276): 02/21/21 13:54:18:427 Start vpn do_connect() failed
(P4912-T7656)Debug( 336): 02/21/21 13:54:18:427 tunnel statistics: send bytes(0) packets(0) errors(0) drops(0) queue-size(0), recv bytes(0) packets(0) errors(0) drops(0) queue-size(0)
(P4912-T7656)Debug( 338): 02/21/21 13:54:18:427 do_disconnect is called in VPN stop
(P4912-T7656)Debug( 709): 02/21/21 13:54:18:427 ipsec failed to start
(P4912-T7656)Info ( 102): 02/21/21 13:54:18:427 VPN is deleted
(P4912-T7656)Debug( 766): 02/21/21 13:54:18:427 IPSec fallback reason is IPSec connection failed
(P4912-T7656)Debug( 161): 02/21/21 13:54:18:427 disconnect-on-idle timeout is 10800
(P4912-T7656)Debug( 171): 02/21/21 13:54:18:427 VPN idle timeout is 10800; config timeout is 10800
(P4912-T7656)Debug( 219): 02/21/21 13:54:18:427 EnforceDns is enabled, set 2 GP pushed DNS servers
(P4912-T7656)Debug( 65): 02/21/21 13:54:18:427 Trying to do SSL connection to 178.153.34.106(443)
(P4912-T7656)Debug( 788): 02/21/21 13:54:18:427 SSL connecting to 178.153.34.106
(P4912-T7656)Debug( 487): 02/21/21 13:54:18:427 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:18:427 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:18:435 Network is reachable
(P4912-T7656)Debug(1274): 02/21/21 13:54:18:471 Failed to X509_LOOKUP_load_file
(P4912-T7656)Debug( 374): 02/21/21 13:54:18:471 Open_SSL_connection: subject '/CN=deltacrp.dyndns.org'
(P4912-T7656)Debug( 378): 02/21/21 13:54:18:471 Open_SSL_connection: issuer '/CN=deltacrp.dyndns.org'
(P4912-T7656)Info ( 113): 02/21/21 13:54:18:479 Connected ssl tunnel to 178.153.34.106(443)
(P4912-T7656)Info ( 374): 02/21/21 13:54:18:479 tunnel to 178.153.34.106 connected
(P4912-T7656)Debug( 394): 02/21/21 13:54:18:666 PsvRegister done
(P4912-T7656)Debug( 25): 02/21/21 13:54:18:666 create thread 0xb70 with thread ID 14232
(P4912-T14232)Debug( 443): 02/21/21 13:54:18:667 VpnProcMonitor thread starts
(P4912-T14232)Debug( 507): 02/21/21 13:54:18:667 New ProcMon thread priority 2
(P4912-T7656)Debug(3027): 02/21/21 13:54:18:667 Gateway: deltacrp.dyndns.org, client IP: 172.22.18.32
(P4912-T7656)Debug( 115): 02/21/21 13:54:18:667 SPInit
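The client log above records the whole sequence that the thread discusses: the IPSec attempt on UDP 4501, the missed keepalive, the fallback reason and the SSL tunnel on 443. The following parser, added here as an example and not code from the thread or from Palo Alto Networks, walks lines in that format (assumed to be the GlobalProtect client's PanGPS.log layout) and summarises whether a fallback happened and how long the client waited; the sample lines and the gateway address 203.0.113.10 are constructed.

```python
import re
from datetime import datetime

# One PanGPS.log line: "(P<pid>-T<tid>)<Level>(<src>): <MM/DD/YY HH:MM:SS:mmm> <message>"
LINE_RE = re.compile(r"^\(P(\d+)-T(\d+)\)(\w+)\s*\(\s*(\d+)\):\s+"
                     r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(.*)$")
IPSEC_TRY_RE = re.compile(r"Trying to do ipsec connection to (\S+)\[(\d+)\]")
SSL_TRY_RE = re.compile(r"Trying to do SSL connection to (\S+)\((\d+)\)")
FALLBACK_RE = re.compile(r"IPSec fallback reason is (.+)$")

def parse_line(line):
    # Returns (thread, level, timestamp, message), or None for lines not in PanGPS format
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, tid, level, _src, ts, msg = m.groups()
    return f"P{pid}-T{tid}", level, datetime.strptime(ts, "%m/%d/%y %H:%M:%S:%f"), msg

def analyze_fallback(lines):
    """Walk the log in order; report the IPSec attempt, why it failed, and the SSL fallback."""
    r = {"ipsec_target": None, "keepalive_failed": False, "fallback_reason": None,
         "ssl_target": None, "ssl_connected": False, "seconds_to_fallback": None}
    ipsec_start = None
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        _thread, _level, ts, msg = ev
        if m := IPSEC_TRY_RE.search(msg):               # client opened UDP 4501 to the gateway
            r["ipsec_target"], ipsec_start = (m[1], int(m[2])), ts
        elif "failed to receive keep alive" in msg:     # no reply on UDP 4501 within the timeout
            r["keepalive_failed"] = True
        elif m := FALLBACK_RE.search(msg):
            r["fallback_reason"] = m[1]
        elif m := SSL_TRY_RE.search(msg):               # client now trying TCP 443 instead
            r["ssl_target"] = (m[1], int(m[2]))
            if ipsec_start is not None:
                r["seconds_to_fallback"] = round((ts - ipsec_start).total_seconds(), 3)
        elif msg.startswith("Connected ssl tunnel to"):
            r["ssl_connected"] = True
    return r

# Constructed sample in the same format as the thread's log (placeholder gateway IP)
SAMPLE_LOG = """\
(P4912-T7656)Debug( 166): 02/21/21 13:54:12:406 Trying to do ipsec connection to 203.0.113.10[4501]
(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive
(P4912-T7656)Debug( 766): 02/21/21 13:54:18:427 IPSec fallback reason is IPSec connection failed
(P4912-T7656)Debug( 65): 02/21/21 13:54:18:427 Trying to do SSL connection to 203.0.113.10(443)
(P4912-T7656)Info ( 113): 02/21/21 13:54:18:479 Connected ssl tunnel to 203.0.113.10(443)
"""
```

A gap of several seconds between the IPSec attempt and the SSL attempt with `keepalive_failed` set is the signature of UDP 4501 being blocked somewhere between client and gateway, which is what the later replies tell the poster to look for in the pcap.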
MickBall
L7 Applicator

yes but IPSec is failing at some point.. this is what @dmifsud was telling you.

GlobalProtect will revert to SSL if IPSec fails.

(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive

@Joshan_Lakhani could you confirm the software version running on the firewall?


Joshan_Lakhani
L4 Transporter

@MickBall

GlobalProtect version is 5.2.5.

MickBall
L7 Applicator

could you tell me the software version of the firewall?


dmifsud
L2 Linker

@MickBall Based on past experience this is an "issue" in GP 5.2.5 (which Joshan is using). I believe it is related to the improved error messages, so a lot of people are suddenly getting this warning thinking it's a new issue, but IPSec likely never worked in the first place.

Features Introduced in GlobalProtect App 5.2 (paloaltonetworks.com)

Improved Connectivity Error Messages for the GlobalProtect App
(GlobalProtect app 5.2.5 and later releases) To enable a better user experience, the GlobalProtect app is now updated to display improved connectivity error messages. With this change, the GlobalProtect app can now provide friendly, informative connectivity error messages to help end users resolve issues on their endpoint themselves to reduce support calls to their Help Desk professional.

- DM

MickBall
L7 Applicator

OK thanks for the information. I was not aware, as I'm just below that version..

I like the suggestion.. "to reduce support calls to their Help Desk professional".

This new popup will send our helpdesk phones into meltdown.... nice one Palo.

Joshan_Lakhani
L4 Transporter

@MickBall

Palo Alto version is 9.0.9h1

@dmifsud

I have checked the security policy and it's created any-any.

Moreover I took the pcap but no packet hit port 4501. Can you please advise?

MickBall
L7 Applicator

Do you have "Enable IPSec" selected as below?

If yes then your connection will first try IPSec on UDP 4501. If at any time this fails then it will revert to SSL (443), and that's probably when you are getting the popup.

Try a pcap from the start of the connection.


dmifsud
L2 Linker

@Joshan_Lakhani if it's not showing on the pcap, that suggests it's failing before the firewall.

Check the local machine's firewall/other security software, and any other devices in between which could be preventing connectivity.

Also as a sanity check, have a look at the gateway settings and ensure IPSec mode is enabled.
