
Global protect Notification

L4 Transporter

Hi,

When I connect to the GlobalProtect gateway, once it is connected I receive this notification.

I have checked the internet connectivity; it's working fine.

Can you please let me know how to avoid this notification?

Joshan_Lakhani_0-1614493398995.jpeg

 

22 REPLIES

L7 Applicator

Someone else had this issue (on iOS) and it was resolved by a client update. It may be worth a look...

https://live.paloaltonetworks.com/t5/general-topics/globalprotect-ipad-vpn-app/td-p/381955

@Mick_Ball

Thanks for your reply.

I have already upgraded the version from 5.1.7 to 5.2.5.

My next step would be to check GP logs, pangps may help...

You can prevent popups in reg, but it is probably best to find what causes the message.

show-system-tray-notifications yes | no

Dear @Mick_Ball

When I run this command, it's not working.

Joshan_Lakhani_0-1614512171993.jpeg

Please advise.

Sorry for the confusion, that was not a command, that was a registry setting in hkey\local machine to block GP popups if you wanted to...

Dear @Mick_Ball

Thanks for your reply.

As we have a big environment of around 400 to 500 users, we are not able to do this on each and every system.

Is there any other solution? Please advise.

I have no idea, as I have never had this message and we have over 6k userbase.

Does this happen for all users? Do you have only 1 gateway? Have you checked the GP logs on the device with the popup and gone through the pangps file?

L3 Networker

Hello,

This message means you have connected via SSL instead of IPsec, which is typically slower.

Check that you have a rule allowing the application ipsec-esp-udp and ensure that the client side / nothing else is blocking access to the gateway on UDP/4501.

Check the traffic logs on the gateway for port 4501 to see if this is being denied on the firewall side (if you log everything anyway).

- DM

Sr. Technical Support Engineer, Strata

Dear @Mick_Ball @dmifsud

Please find the GlobalProtect logs:

(P5096-T20276)Debug( 25): 03/01/21 09:09:19:601 create thread 0x774 with thread ID 2636
(P5096-T20276)Debug(2325): 03/01/21 09:09:19:601 Start FlushDNSCache thread 0x774
(P5096-T20276)Debug( 575): 03/01/21 09:09:19:601 Save route table snapshot...
(P5096-T20276)Debug( 780): 03/01/21 09:09:19:601 sslvpn connect() succeed
(P5096-T20276)Debug( 782): 03/01/21 09:09:19:601 Send notification of The network connection is unreliable and GlobalProtect reconnected using an alternate method. You may experience slowness when accessing the internet or business applications..
(P5096-T20276)Debug(1730): 03/01/21 09:09:19:603 Send response to client for request gateway-failed
(P5096-T20276)Debug(10891): 03/01/21 09:09:19:603 VPN tunnel is connected.
(P5096-T20276)Debug(10895): 03/01/21 09:09:19:603 Enable life time and create life time thread.
(P5096-T20276)Debug( 25): 03/01/21 09:09:19:603 create thread 0x7bc with thread ID 3624
(P5096-T20276)Debug(6849): 03/01/21 09:09:19:603 --Set state to Connected
(P5096-T3624)Debug(4317): 03/01/21 09:09:19:603 LifeTimeThread starts
(P5096-T20276)Debug(1142): 03/01/21 09:09:19:604 Display hip report V4 on the UI
(P5096-T20276)Debug(11159): 03/01/21 09:09:19:604 SetVpnStatus called with new status=1, Previous Status=0
(P5096-T20276)Debug(4161): 03/01/21 09:09:19:604 UpdatePrelogonStateForSSO() - User-logon tunnel state = Connected
(P5096-T20276)Debug(2660): 03/01/21 09:09:19:607 Tunnel is created with the gateway deltacrp.dyndns.org
(P5096-T20276)Debug(1605): 03/01/21 09:09:19:607 Refresh proxy

@dmifsud Do you know what version of PAN gives this message out?

@Joshan_Lakhani What version of PAN OS are you currently running?

I often see "switched to SSL" in user logs but still no popup for them.

@Mick_Ball

As I troubleshot further, I found that all the users are connected via SSL VPN, but we have configured the IPSec VPN.

GlobalProtect version is 5.2.5.

(P4912-T7656)Debug( 166): 02/21/21 13:54:12:406 Trying to do ipsec connection to 178.153.34.106[4501]
(P4912-T7656)Debug( 487): 02/21/21 13:54:12:406 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:12:406 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:12:413 Network is reachable
(P4912-T7656)Info ( 178): 02/21/21 13:54:12:414 Connected to: 178.153.34.106[4501], Sending keep alive to ipsec socket...
(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive
(P4912-T7656)Debug( 229): 02/21/21 13:54:18:427 IPSec anti-replay statistics: outside window count 0, replay count 0
(P4912-T7656)Debug( 231): 02/21/21 13:54:18:427 Disconnect udp socket
(P4912-T7656)Info ( 364): 02/21/21 13:54:18:427 Connecting to 178.153.34.106 failed
(P4912-T7656)Info ( 276): 02/21/21 13:54:18:427 Start vpn do_connect() failed
(P4912-T7656)Debug( 336): 02/21/21 13:54:18:427 tunnel statistics: send bytes(0) packets(0) errors(0) drops(0) queue-size(0), recv bytes(0) packets(0) errors(0) drops(0) queue-size(0)
(P4912-T7656)Debug( 338): 02/21/21 13:54:18:427 do_disconnect is called in VPN stop
(P4912-T7656)Debug( 709): 02/21/21 13:54:18:427 ipsec failed to start
(P4912-T7656)Info ( 102): 02/21/21 13:54:18:427 VPN is deleted
(P4912-T7656)Debug( 766): 02/21/21 13:54:18:427 IPSec fallback reason is IPSec connection failed
(P4912-T7656)Debug( 161): 02/21/21 13:54:18:427 disconnect-on-idle timeout is 10800
(P4912-T7656)Debug( 171): 02/21/21 13:54:18:427 VPN idle timeout is 10800; config timeout is 10800
(P4912-T7656)Debug( 219): 02/21/21 13:54:18:427 EnforceDns is enabled, set 2 GP pushed DNS servers
(P4912-T7656)Debug( 65): 02/21/21 13:54:18:427 Trying to do SSL connection to 178.153.34.106(443)
(P4912-T7656)Debug( 788): 02/21/21 13:54:18:427 SSL connecting to 178.153.34.106
(P4912-T7656)Debug( 487): 02/21/21 13:54:18:427 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:18:427 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:18:435 Network is reachable
(P4912-T7656)Debug(1274): 02/21/21 13:54:18:471 Failed to X509_LOOKUP_load_file
(P4912-T7656)Debug( 374): 02/21/21 13:54:18:471 Open_SSL_connection: subject '/CN=deltacrp.dyndns.org'
(P4912-T7656)Debug( 378): 02/21/21 13:54:18:471 Open_SSL_connection: issuer '/CN=deltacrp.dyndns.org'
(P4912-T7656)Info ( 113): 02/21/21 13:54:18:479 Connected ssl tunnel to 178.153.34.106(443)
(P4912-T7656)Info ( 374): 02/21/21 13:54:18:479 tunnel to 178.153.34.106 connected
(P4912-T7656)Debug( 394): 02/21/21 13:54:18:666 PsvRegister done
(P4912-T7656)Debug( 25): 02/21/21 13:54:18:666 create thread 0xb70 with thread ID 14232
(P4912-T14232)Debug( 443): 02/21/21 13:54:18:667 VpnProcMonitor thread starts
(P4912-T14232)Debug( 507): 02/21/21 13:54:18:667 New ProcMon thread priority 2
(P4912-T7656)Debug(3027): 02/21/21 13:54:18:667 Gateway: deltacrp.dyndns.org, client IP: 172.22.18.32
(P4912-T7656)Debug( 115): 02/21/21 13:54:18:667 SPInit

Yes, but IPSec is failing at some point... This is what @dmifsud was telling you.

GlobalProtect will revert to SSL if IPSec fails.

(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive

@Joshan_Lakhani could you confirm the software version running on the firewall?

@Mick_Ball

GlobalProtect version is 5.2.5.

Could you tell me the software version of the firewall?

MickBall_0-1614591063544.jpeg
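
Added example, not part of any post in this thread and not Palo Alto Networks code: a small Python parser that scans PanGPS log lines for the sequence discussed above (IPSec attempt on UDP 4501, lost keep-alive, fallback reason, SSL tunnel on 443) so the fallback can be spotted across many client logs. The function names are hypothetical, the line layout is taken from the logs posted in the thread, and the sample lines are constructed with the placeholder address 203.0.113.10.

```python
import re
from datetime import datetime, timedelta

# PanGPS line layout as seen in the logs posted in this thread:
# (P<pid>-T<tid>)<Level>(<src line>): MM/DD/YY HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"^\(P(?P<pid>\d+)-T(?P<tid>\d+)\)\s*(?P<level>\w+)\s*\(\s*\d+\):\s+"
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d):(?P<ms>\d{3})\s+(?P<msg>.*)$")
IPSEC_TRY = re.compile(r"Trying to do ipsec connection to (\S+)\[(\d+)\]")
FALLBACK = re.compile(r"IPSec fallback reason is (.+)")
SSL_UP = re.compile(r"Connected ssl tunnel to (\S+)\((\d+)\)")

def parse_line(line):
    """Return ((pid, tid), timestamp, message), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
    return (m["pid"], m["tid"]), ts + timedelta(milliseconds=int(m["ms"])), m["msg"]

def find_fallbacks(lines):
    """Report each IPSec attempt that ended in an SSL tunnel, tracked per thread."""
    pending, events = {}, []
    for thread, ts, msg in filter(None, map(parse_line, lines)):
        if m := IPSEC_TRY.search(msg):
            pending[thread] = {"gateway": m[1], "udp_port": int(m[2]), "started": ts,
                               "keepalive_lost": False, "reason": None}
        elif thread in pending:
            ev = pending[thread]
            if "failed to receive keep alive" in msg:
                ev["keepalive_lost"] = True
                ev["waited_s"] = (ts - ev["started"]).total_seconds()
            elif m := FALLBACK.search(msg):
                ev["reason"] = m[1].strip()
            elif m := SSL_UP.search(msg):
                ev["ssl_port"] = int(m[2])
                del pending[thread]
                if ev["keepalive_lost"] or ev["reason"]:  # skip SSL-only sessions
                    events.append(ev)
    return events

# Constructed sample in the thread's log format; 203.0.113.10 is a placeholder.
SAMPLE_LOG = """\
(P4912-T7656)Debug( 166): 02/21/21 13:54:12:406 Trying to do ipsec connection to 203.0.113.10[4501]
(P4912-T7656)Info ( 178): 02/21/21 13:54:12:414 Connected to: 203.0.113.10[4501], Sending keep alive to ipsec socket...
(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive
(P4912-T7656)Debug( 766): 02/21/21 13:54:18:427 IPSec fallback reason is IPSec connection failed
(P4912-T7656)Info ( 113): 02/21/21 13:54:18:479 Connected ssl tunnel to 203.0.113.10(443)
""".splitlines()
```

Calling `find_fallbacks(SAMPLE_LOG)` returns one event whose `waited_s` is the time the client spent waiting for the IPSec keep-alive before it switched to SSL.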
