Global Protect SSL error

L4 Transporter

Ok group, I have a nice and simple question about trying to get GP up and running. Everything (I think) looks right and is configured, but I am not quite able to get my client connected to the Gateway.

(T10944) 03/12/13 11:56:27:075 Debug( 742): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer exists. File is tca.cer
(T10944) 03/12/13 11:56:27:075 Debug( 340): set trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T10944) 03/12/13 11:56:27:075 Debug(3645): connect ssl.
(T10944) 03/12/13 11:56:48:075 Debug( 179): Failed to connect to 207.96.178.67 on 443 (error: 10051)    <======
(T10944) 03/12/13 11:56:48:075 Error( 296): Server Error: Connect to 207.96.178.67:443 Failed
(T10944) 03/12/13 11:56:48:075 Error( 135): do_tcp_connect()
(T10944) 03/12/13 11:56:48:075 Error(3663): ConnectSSL: Failed to connect to '207.96.178.67:443'. Disconnect ssl.
(T10944) 03/12/13 11:56:48:075 Debug(3710): returns 0.



Ok... So what does error 10051 mean? And how do I troubleshoot it further? I have a single FW, using 2 Internet-facing interfaces (one I used for the Portal, the other is for the GW).

I have authenticated to the Portal and downloaded my agent software. I have my configuration set to "On Demand", and when I attempt to connect these are the messages I get.


I have confirmed that I created a self-signed CA on my FW, and signed 3 certs (portal, GW, and agent)... still nothing....


Thoughts... HELP... Anything???  All will be appreciated. 


PA TAC.... if you have help, this would be most appreciated....


I think I am missing something very small.  (maybe.  :smileysilly:)
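As an added example (not code from the original post and not Palo Alto Networks code), here is a small parser for PanGPS log lines like the ones pasted above. It pulls out the destination, port and Winsock error number from a "Failed to connect" line and names the code; the line format is inferred from the pasted log, the sample log is constructed from those lines, and the error table holds the standard Windows socket error codes. The point worth seeing: every code in that table is returned by the TCP connect itself, before any TLS handshake starts, so a line like the 10051 one says nothing about certificates and everything about reachability of that address from the client.

```python
"""Parse GlobalProtect agent (PanGPS) log lines and classify a failed connect.

Added example for this thread, not Palo Alto Networks code. The line format is
inferred from the pasted log; WINSOCK holds standard Windows socket error codes."""
import re
from dataclasses import dataclass
from typing import List

# (T<thread>) <date> <time> <Level>(<source line>): <message>
LOG_RE = re.compile(
    r"^\((?P<thread>T\d+)\)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<level>[A-Za-z]+)\(\s*(?P<src>\d+)\):\s*(?P<msg>.*)$"
)
CONNECT_FAIL_RE = re.compile(
    r"Failed to connect to (?P<host>[\w.\-]+) on (?P<port>\d+) \(error: (?P<code>\d+)\)"
)

# Winsock codes a TCP connect() can fail with, and what each one tells you.
WINSOCK = {
    10013: ("WSAEACCES", "socket blocked by local permission/firewall policy"),
    10051: ("WSAENETUNREACH", "network unreachable: no usable route to the destination network"),
    10060: ("WSAETIMEDOUT", "SYN sent but nothing came back (dropped or filtered)"),
    10061: ("WSAECONNREFUSED", "host answered with RST: reachable, but nothing listening"),
    10065: ("WSAEHOSTUNREACH", "route exists but the host itself is unreachable"),
}


@dataclass
class ConnectFailure:
    thread: str
    timestamp: str
    host: str
    port: int
    code: int
    name: str
    meaning: str


def find_connect_failures(log_text: str) -> List[ConnectFailure]:
    """Return one ConnectFailure per 'Failed to connect ... (error: N)' line."""
    found = []
    for raw in log_text.splitlines():
        clean = raw.split("<==")[0].strip()      # drop the poster's '<======' marker
        m = LOG_RE.match(clean) if clean else None
        if not m:
            continue
        f = CONNECT_FAIL_RE.search(m.group("msg"))
        if not f:
            continue
        code = int(f.group("code"))
        name, meaning = WINSOCK.get(code, ("UNKNOWN", f"unrecognised Winsock error {code}"))
        found.append(ConnectFailure(
            thread=m.group("thread"),
            timestamp=f"{m.group('date')} {m.group('time')}",
            host=f.group("host"), port=int(f.group("port")),
            code=code, name=name, meaning=meaning,
        ))
    return found


def diagnose(failure: ConnectFailure) -> str:
    """Turn a failure into a first troubleshooting direction.

    Every code in WINSOCK is raised by the TCP connect itself, i.e. before any
    TLS handshake, so certificate problems cannot produce these lines."""
    where = f"{failure.host}:{failure.port}"
    if failure.code == 10051:
        return (f"TCP to {where} failed with {failure.name} (network unreachable): "
                "check the client's routing table/default gateway toward that address, "
                "and whether a router on the path returns ICMP unreachable, "
                "before touching certificates")
    if failure.code in (10060, 10065):
        return (f"TCP to {where} got no reply ({failure.name}): "
                "check security policy, NAT and the upstream path")
    if failure.code == 10061:
        return (f"{failure.host} is reachable but port {failure.port} is not listening "
                f"({failure.name}): check which interface the portal/gateway is bound to")
    return f"{failure.name}: {failure.meaning}"


# Constructed sample: the relevant lines from the original post.
SAMPLE_LOG = """\
(T10944) 03/12/13 11:56:27:075 Debug(3645): connect ssl.
(T10944) 03/12/13 11:56:48:075 Debug( 179): Failed to connect to 207.96.178.67 on 443 (error: 10051)    <======
(T10944) 03/12/13 11:56:48:075 Error( 296): Server Error: Connect to 207.96.178.67:443 Failed
(T10944) 03/12/13 11:56:48:075 Error( 135): do_tcp_connect()
"""

if __name__ == "__main__":
    for fail in find_connect_failures(SAMPLE_LOG):
        print(f"{fail.timestamp} {fail.host}:{fail.port} -> {fail.code} {fail.name}")
        print("  ", diagnose(fail))
```

Run it against a saved PanGPS.log instead of SAMPLE_LOG to get the same classification for a real session; anything the parser does not recognise is simply skipped.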



7 REPLIES

L3 Networker

Hi,

The following steps would help you identify the issue.

1) Confirm that the Common Name on the certificate and the portal address you are trying to reach from the client are the same.

2) Confirm the gateway certificate common name and the gateway ip/fqdn in the client config under the portal config match.

3) Create an untrust-to-untrust zone allow rule; this will help you capture the sessions.

Run show session all filter destination-port 443 destination <ip>.
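Steps 1 and 2 above come down to one question: do the names in the certificate cover the address the client is told to use? The following added example (not code from this reply and not Palo Alto Networks code) answers it for a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns, using the standard rules: subjectAltName is checked first, an IP address in the client config needs an IP Address SAN entry, and the Common Name is only consulted when the certificate has no SAN at all. Both certificates in the block are constructed; the addresses are documentation-range placeholders.

```python
"""Check whether a certificate's names cover the portal/gateway address a
GlobalProtect client is configured with.

Added example for this thread, not Palo Alto Networks code. Certificates use the
dict shape ssl.SSLSocket.getpeercert() returns; the two below are constructed."""
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a single-label leftmost wildcard ('*.example.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # a wildcard covers exactly one label and never the apex itself
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def _parse_ip(text: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def common_name(cert: dict) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def address_matches(cert: dict, address: str) -> Tuple[bool, str]:
    """Would a strict TLS client accept `cert` for `address` (IP literal or FQDN)?"""
    ip = _parse_ip(address)
    san = cert.get("subjectAltName", ())
    if san:
        # With a SAN present the CN is ignored entirely.
        if ip is not None:
            ok = any(k == "IP Address" and _parse_ip(v) == ip for k, v in san)
            return ok, ("IP SAN covers " + address if ok else
                        f"no IP SAN for {address}; CN is ignored when a SAN exists")
        ok = any(k == "DNS" and _dns_match(v, address) for k, v in san)
        return ok, ("DNS SAN covers " + address if ok else f"no DNS SAN covers {address}")
    cn = common_name(cert)
    if cn is None:
        return False, "certificate has neither SAN nor CN"
    ok = (cn == address) if ip is not None else _dns_match(cn, address)
    return ok, (f"CN '{cn}' matches (legacy: no SAN, newer clients may still refuse)"
                if ok else f"CN '{cn}' does not match {address}")


def check_config(portal_cert: dict, portal_addr: str,
                 gateway_cert: dict, gateway_addr: str) -> List[str]:
    """Run both checks and return one line per problem (empty list = both OK)."""
    problems = []
    for role, cert, addr in (("portal", portal_cert, portal_addr),
                             ("gateway", gateway_cert, gateway_addr)):
        ok, why = address_matches(cert, addr)
        if not ok:
            problems.append(f"{role}: client connects to {addr} but {why}")
    return problems


# Constructed certificates (not the poster's): a portal cert with the IP as CN
# and no SAN, and a gateway cert that only names an FQDN.
PORTAL_CERT = {"subject": ((("commonName", "203.0.113.10"),),)}
GATEWAY_CERT = {"subject": ((("commonName", "gw.example.com"),),),
                "subjectAltName": (("DNS", "gw.example.com"),)}

if __name__ == "__main__":
    # Portal reached by IP passes on the legacy CN rule; a gateway pushed to the
    # client as an IP fails because the gateway cert carries no IP Address SAN.
    for line in check_config(PORTAL_CERT, "203.0.113.10", GATEWAY_CERT, "203.0.113.20"):
        print(line)
```

To run it against a live portal or gateway, open a TLS connection with ssl.create_default_context() and pass the result of getpeercert() as the cert argument, with the exact IP or FQDN from the client configuration as the address.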

L4 Transporter

What does the 'Monitor' tab on the firewall say about this traffic?

Make sure you check "Log at session start" and "Log at session end", just for the sake of troubleshooting.

1) The Common Name on the Portal is the IP, and I can https:// into the Portal and put in username/password, so I am passing this portion. 2) I have *just* changed my config so that my Portal AND my gateway are configured using only 1 outside IP (remember, my original plan was Portal and GW on 2 separate IPs). I have my authentication in the Portal set to local (eventually will do LDAP, use certs, etc.), but I am still troubleshooting. So I can get to my Portal and authenticate, but I cannot get my VPN tunnel up, as I get the error. As for my rules, I do have an Internet (with my specific IP) to Internet Zone ALLOWED rule at the top of my rulebase, with Log at Start enabled. I can see my rule hitting for the Portal, and I see my rule hitting for attempting to communicate with my GW, but I get an Incomplete (so my handshake or similar is not working out).

Hi,

Your original post says you have two interfaces facing the internet. Which one is the default gateway to the internet?

Do you have any destination NAT configured on the firewall?

Howdy again. I have my GP-GW interface (1/1) that is public facing, with a static route to my ISP as my default route (or route of last resort). My GP-Portal interface (1/4) is hosting the portal. I wondered if some sort of asymmetric routing was going on, so I finally configured my GP-GW to be both Portal AND Gateway. I am using local authentication. In troubleshooting this, it seems that connecting to my Portal when it is configured on 1/4 works fine. If I update my configuration (and all settings) to use my 1/1 interface as my Portal, I cannot even connect to my Portal. So I am thinking it is something related to my 1/1 interface, which otherwise works 99% (1% is GP, which is not working. :P) If anyone ever wants to help directly troubleshoot this with me, i.e. remote connection to my desktop, etc., I would be more than happy to oblige. Like I said, if I knew what error 10051 meant, it would better explain how/why this is going on.

Hi,

Looks like it is an asymmetric routing issue. To get more clarity, can you run the following commands in the CLI and attach the outputs?

show global-protect-gateway gateway name <g/w name>

show routing route

show interface all

show running pbf-policy

- Deepak

L3 Networker

It does not look like the error is related to certs imo... It seems like the GP agent cannot connect to the GP gateway IP on E1/1 after authenticating to the portal on E1/4 - there is no asymmetrical routing issue here. Seems like a sensible config since the portal only pushes down settings to the GP client and then "quits". The GP agent then decides which gateway to connect to based on the settings pushed down from the portal. Thus there cannot be an asymmetrical route issue since the portal and gateway are not linked in any way. As you mentioned, changing the portal from E1/4 to E1/1 causes it to fail as well. How about trying to set up the GP portal and gateway on E1/4 as a test?
