Running PanOS 8.1.1 & GlobalProtect Agent 5.1.0 & connect method Pre-logon (Always On)
When connected and authenticated to my VPN from an external network, all is good. I can restart with a connection to my internal WiFi and my VPN connection shows Internal (because I have Internal Host Detection configured). If I then open the GP app and select Sign Out, my VPN client will then give me an error: No Network Connectivity, and will not connect. Looking at the logs within the client, I see a "ConnectSSL: Failed to connect..." error. The only way to get connected to my VPN at this point is to connect and authenticate using an external network.
As long as I don't Sign Out (and I know I can remove this button from end users) through the app, things work as expected going from public to internal to public networks. But I want to understand all possible scenarios and this is one I can't figure out. What is happening when Sign Out is selected and why does this cause the VPN client to think there is no network connectivity?
Error log snippet:
(T5116)Debug(6217): 02/28/20 11:18:22:221 Pre-login...,verifyportalcert=yes
(T5116)Debug(10082): 02/28/20 11:18:22:221 Check cert of server ***.***.***.***
(T5116)Debug( 777): 02/28/20 11:18:22:221 SSL connecting to ***.***.***.***
(T5116)Debug( 550): 02/28/20 11:18:22:236 Network is reachable
(T1660)Debug( 550): 02/28/20 11:18:24:190 Network is reachable
(T5116)Debug( 599): 02/28/20 11:18:27:143 Failed to connect to ***.***.***.*** on 443 with return value -1 and socket error 0(0)
(T5116)Debug( 781): 02/28/20 11:18:27:143 do_tcp_connect() failed
(T5116)Error(10128): 02/28/20 11:18:27:143 ConnectSSL: Failed to connect to '***.***.***.***:443'. Disconnect ssl.
(T5116)Debug(10141): 02/28/20 11:18:27:143 Cannot get server cert of ***.***.***.***
Can you actually get to your portal address from within your internal WiFi? A quick glance at your logs would indicate that your portal likely isn't reachable from your internal network. So when you are external and establish the connection, things work as they should, and when you move internal, the internal host detection is working as expected because that's a relatively simple check and doesn't require continued communication to the external gateway.
I would double check that you have things configured so that your internal network can actually access your portal address and that the connection to the portal actually works. My guess would be that you will find it doesn't.
8.1.1 is very early in 8.1's release and has exploitable security issues that you currently aren't patched for, so I would really recommend upgrading that. I also don't personally recommend 5.1.0 at this point and would usually stick to 5.0 for the time being.
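As an added example (not from the thread or from Palo Alto Networks), a small Python triage script over client log records of the shape quoted above. It applies the reply's reasoning mechanically: "Network is reachable" records sitting next to a failed TCP connect to the portal on 443 mean the portal is unreachable from that network, not that the machine has no connectivity. The sample records are constructed and portal.example.invalid is a placeholder host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One PanGPS client log record, in the shape quoted in the thread:
#   (T<thread>)<Level>(<msgid>): MM/DD/YY HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"^\(T(?P<thread>\d+)\)(?P<level>\w+)\(\s*(?P<msgid>\d+)\):\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3})\s+(?P<msg>.*)$"
)
# The TCP-level failure logged just before the "ConnectSSL: Failed to connect" error.
CONNECT_FAIL_RE = re.compile(r"Failed to connect to (?P<host>\S+) on (?P<port>\d+)")

@dataclass
class Entry:
    thread: str
    level: str
    msgid: int
    ts: str
    msg: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; None for lines that are not client log records."""
    m = LINE_RE.match(line.strip())
    return Entry(m["thread"], m["level"], int(m["msgid"]), m["ts"], m["msg"]) if m else None

def diagnose(lines: List[str]) -> Tuple[str, Optional[str], Optional[int]]:
    """Tell 'no local network' apart from 'portal not reachable from this network'.

    The client shows "No Network Connectivity" for both; only the second leaves
    "Network is reachable" records next to a failed TCP connect to the portal.
    """
    entries = [e for e in map(parse_line, lines) if e is not None]
    network_up = any(e.msg == "Network is reachable" for e in entries)
    failures = [m for m in (CONNECT_FAIL_RE.search(e.msg) for e in entries) if m]
    if not failures:
        return ("ok", None, None)
    host, port = failures[-1]["host"], int(failures[-1]["port"])
    return ("portal-unreachable" if network_up else "no-network", host, port)

# Constructed sample mirroring the thread's snippet; portal.example.invalid is a placeholder.
SAMPLE_LOG = [
    "(T5116)Debug(6217): 02/28/20 11:18:22:221 Pre-login...,verifyportalcert=yes",
    "(T5116)Debug( 777): 02/28/20 11:18:22:221 SSL connecting to portal.example.invalid",
    "(T5116)Debug( 550): 02/28/20 11:18:22:236 Network is reachable",
    "(T5116)Debug( 599): 02/28/20 11:18:27:143 Failed to connect to portal.example.invalid on 443 "
    "with return value -1 and socket error 0(0)",
    "(T5116)Error(10128): 02/28/20 11:18:27:143 ConnectSSL: Failed to connect to "
    "'portal.example.invalid:443'. Disconnect ssl.",
]
```

A "portal-unreachable" verdict points at the path from the internal network to the portal (security policy, NAT, DNS answer for the portal name), which is where the original poster found the rule-set discrepancy.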
Thank you for the reply. I did find that I had some discrepancies in my rule set and after making the necessary changes, all is working. I will consider upgrading 8.1.1.