Global protect Notification

MickBall · ‎03-01-2021

@dmifsud Do you know what version of PAN gives this message out?

@Joshan_Lakhani What version of PAN OS are you currently running.

I often see "switched to SSL" in user logs but still no popup for them.

Joshan_Lakhani · ‎03-01-2021

As i troubleshoot further i found that all the user are connect via ssl VPN but we have configure the IPSEC vpn.

Global protect Version is 5.2.5

(P4912-T7656)Debug( 166): 02/21/21 13:54:12:406 Trying to do ipsec connection to 178.153.34.106[4501]
(P4912-T7656)Debug( 487): 02/21/21 13:54:12:406 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:12:406 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:12:413 Network is reachable
(P4912-T7656)Info ( 178): 02/21/21 13:54:12:414 Connected to: 178.153.34.106[4501], Sending keep alive to ipsec socket...
(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive
(P4912-T7656)Debug( 229): 02/21/21 13:54:18:427 IPSec anti-replay statistics: outside window count 0, replay count 0
(P4912-T7656)Debug( 231): 02/21/21 13:54:18:427 Disconnect udp socket
(P4912-T7656)Info ( 364): 02/21/21 13:54:18:427 Connecting to 178.153.34.106 failed
(P4912-T7656)Info ( 276): 02/21/21 13:54:18:427 Start vpn do_connect() failed
(P4912-T7656)Debug( 336): 02/21/21 13:54:18:427 tunnel statistics: send bytes(0) packets(0) errors(0) drops(0) queue-size(0), recv bytes(0) packets(0) errors(0) drops(0) queue-size(0)
(P4912-T7656)Debug( 338): 02/21/21 13:54:18:427 do_disconnect is called in VPN stop
(P4912-T7656)Debug( 709): 02/21/21 13:54:18:427 ipsec failed to start
(P4912-T7656)Info ( 102): 02/21/21 13:54:18:427 VPN is deleted
(P4912-T7656)Debug( 766): 02/21/21 13:54:18:427 IPSec fallback reason is IPSec connection failed
(P4912-T7656)Debug( 161): 02/21/21 13:54:18:427 disconnect-on-idle timeout is 10800
(P4912-T7656)Debug( 171): 02/21/21 13:54:18:427 VPN idle timeout is 10800; config timeout is 10800
(P4912-T7656)Debug( 219): 02/21/21 13:54:18:427 EnforceDns is enabled, set 2 GP pushed DNS servers
(P4912-T7656)Debug( 65): 02/21/21 13:54:18:427 Trying to do SSL connection to 178.153.34.106(443)
(P4912-T7656)Debug( 788): 02/21/21 13:54:18:427 SSL connecting to 178.153.34.106
(P4912-T7656)Debug( 487): 02/21/21 13:54:18:427 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:18:427 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:18:435 Network is reachable
(P4912-T7656)Debug(1274): 02/21/21 13:54:18:471 Failed to X509_LOOKUP_load_file
(P4912-T7656)Debug( 374): 02/21/21 13:54:18:471 Open_SSL_connection: subject '/CN=deltacrp.dyndns.org'
(P4912-T7656)Debug( 378): 02/21/21 13:54:18:471 Open_SSL_connection: issuer '/CN=deltacrp.dyndns.org'
(P4912-T7656)Info ( 113): 02/21/21 13:54:18:479 Connected ssl tunnel to 178.153.34.106(443)
(P4912-T7656)Info ( 374): 02/21/21 13:54:18:479 tunnel to 178.153.34.106 connected
(P4912-T7656)Debug( 394): 02/21/21 13:54:18:666 PsvRegister done
(P4912-T7656)Debug( 25): 02/21/21 13:54:18:666 create thread 0xb70 with thread ID 14232
(P4912-T14232)Debug( 443): 02/21/21 13:54:18:667 VpnProcMonitor thread starts
(P4912-T14232)Debug( 507): 02/21/21 13:54:18:667 New ProcMon thread priority 2
(P4912-T7656)Debug(3027): 02/21/21 13:54:18:667 Gateway: deltacrp.dyndns.org, client IP: 172.22.18.32
(P4912-T7656)Debug( 115): 02/21/21 13:54:18:667 SPInit

MickBall · ‎03-01-2021

yes but IPSec is failing at some point.. this is what @dmifsud was telling you.

GlobalProtect will revert to SSL if IPSec fails.

(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive

@Joshan_Lakhani could you confirm software version running on firewall.

Joshan_Lakhani · ‎03-01-2021

@MickBall

Global protect version is 5.2.5 version

MickBall · ‎03-01-2021

could you tell me the software version of the firewall]

dmifsud · ‎03-01-2021

@MickBall Based on past experience this is an "issue" in GP 5.2.5 (Which Joshan is using). I believe it is related to the improved error messages, so a lot of people are suddenly getting this warning thinking it's a new issue, but IPSec never likely worked in the first place.

Features Introduced in GlobalProtect App 5.2 (paloaltonetworks.com)

Improved Connectivity Error Messages for the GlobalProtect App

(GlobalProtect app 5.2.5 and later releases) To enable a better user experience, the GlobalProtect app is now updated to display improved connectivity error messages. With this change, the GlobalProtect app can now provide friendly, informative connectivity error messages to help end users resolve issues on their endpoint themselves to reduce support calls to their Help Desk professional.

- DM

MickBall · ‎03-01-2021

OK thanks for the information. i was not aware as just below that version..

i like the suggestion.. " to reduce support calls to their Help Desk professional".

this new popup will send our helpdesk phones into meltdown.... nice one Palo.

Joshan_Lakhani · ‎03-01-2021

@MickBall

Paloalto Version is 9.0.9h1

@dmifsud

I have check the security policy and it's created any any.

Moreover i take the pacp but not packet is hit on 4501 port. Can you please advise

MickBall · ‎03-01-2021

Do you have "Enable IPSec" selected as below.

if yes then your connection will first try IPSec on udp 4501. if at any time this fails then it will revert to SSL (443) and thats probably when you are getting the popup.

try pcap from the start of the connection,

dmifsud · ‎03-01-2021

@Joshan_Lakhani if it's now showing on the pcap that suggests it's failing before the firewall.

Check the local machine's firewall/other security software, and any other devices in between which could be preventing connectivity.

Also as a sanity check, have a look at the gateway settings and ensure IPSec mode is enabled.

Network Security

Cloud Security

Security Operations

Global protect Notification

Show your appreciation!