- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-11-2017 06:42 AM
Hi,
Im facing issue with connecting to GP VPN, unfortunatly im the one who is having issue.
VPN works fine on other cmputer but having issue with my computer
below are the error msg i got during the VPN disconnect time
(T10836) 04/11/17 18:51:28:501 Debug( 980): VPN handle dhcp packet
(T10516) 04/11/17 18:51:46:676 Debug(1189): SSL3 alert write:fatal:bad record mac
(T10516) 04/11/17 18:51:46:676 Error( 840): SSL_read() failed: 1 -1 socket error 0. ntry is 0
(T10516) 04/11/17 18:51:46:676 Error( 811): VPN: Socket Failed to receive! ret = -1
(T10516) 04/11/17 18:51:46:676 Error(1126): ProcPackets, RecvFromSocket() failed
(T10516) 04/11/17 18:51:46:676 Error( 410): ProcPackets() failed, get out of ProcMonitor
(T10836) 04/11/17 18:51:46:676 Info ( 553): ProDrv: VPN disconnect event, get out of ProcDrv
(T10836) 04/11/17 18:51:46:676 Info ( 570): ProcDrv thread dies
(T10516) 04/11/17 18:51:46:676 Info ( 527): ProcDrv quit
(T10516) 04/11/17 18:51:46:676 Info ( 504): Before ProcMonitor quit, disconnect vpn
Can anybody know whats the issue and how to overcome from this?
Kindly help me.
Kotresha
04-17-2017 08:58 AM
We have seen an issue with SSL tunnel type in earlier versions of 7.0.
Can you check if IPsec is enabled on the Gateway configuration? If so, please check why we are not able to connect via IPsec.
Take pcaps, 1
source IP : your public IP
Destination IP : Firewall's public IP
and configure it in the reverse direction as well.
Or, upgrade the firewall to the latest 7.0.x code (7.0.14) and test.
04-11-2017 09:46 AM
Hi KotreshaMC,
Let us know the following.
What is the PAN OS and GP version?
What is the OS that you are running on the machine?
Are users connecting via SSL or IPsec tunnel?
Regards,
Anurag
04-11-2017 01:07 PM
If your getting a fatal:bad record mac then you have an issue as the error itself is completely fatal to the VPN communication process. This is caused by the first encrypted message has something wrong with it's crypto and immediately shows up as bad_record_mac. Just by the nature of VPN appliances this message is purposely cryptic and can be anything from failing integrity checks or for anything in the cryptographic layer.
I would first start to troubleshoot by uninstalling and reinstalling GP, it might help to take off any other VPN application you have installed as well as this could potentially cause issues as well.
04-12-2017 12:32 AM
I have reinstaled already but still fac
@BPry wrote:If your getting a fatal:bad record mac then you have an issue as the error itself is completely fatal to the VPN communication process. This is caused by the first encrypted message has something wrong with it's crypto and immediately shows up as bad_record_mac. Just by the nature of VPN appliances this message is purposely cryptic and can be anything from failing integrity checks or for anything in the cryptographic layer.
I would first start to troubleshoot by uninstalling and reinstalling GP, it might help to take off any other VPN application you have installed as well as this could potentially cause issues as well.
ing the same issue.
04-12-2017 12:34 AM - edited 04-13-2017 03:13 AM
PAN OS:7.1.3
GP version:3.1.5
Operating system: Windows 10 Pro
We are connecting over:IPSec tunnel
04-12-2017 10:13 PM
Can anybody help with this ?
04-17-2017 06:17 AM
Hi Kotresha,
Let's start by checking what's different for you, since it's only affecting you.
1) Is there any other portal configuration that you get, other than the rest of the users?
2) Although you mentioned the default method is IPsec, but please verify that you are indeed connecting via IPsec too. Once you are connected to the GP, check under Network->Gateway->Remote users(right side). See what the tunnel type column says.
2) What's the connect method - on-demand? pre-logon? etc.?
3) Have you tried your account from another machine?
4) Have you tried re-installing the client? (I'd suggest trying with 3.1.6)
5) Configure split-tunnelling, if you don't have it already. Send the private subnets traffic to firewall, send the internet traffic through your regular adapter. Run a continuous ping from cmd (ping -t 8.8.8.8). If you see the GP disconnecting, see if there is any ping drops.
Regards,
Anurag
04-17-2017 07:39 AM
1) Is there any other portal configuration that you get, other than the rest of the users?
Ans: No
2) Although you mentioned the default method is IPsec, but please verify that you are indeed connecting via IPsec too. Once you are connected to the GP, check under Network->Gateway->Remote users(right side). See what the tunnel type column says.
Ans: SSL
2) What's the connect method - on-demand? pre-logon? etc.?
Ans: On-demand (with RSA token)
3) Have you tried your account from another machine?
Ans: Yes, it worked fine
4) Have you tried re-installing the client? (I'd suggest trying with 3.1.6)
Ans: Yes i tried but not usefull
5) Configure split-tunnelling, if you don't have it already. Send the private subnets traffic to firewall, send the internet traffic through your regular adapter. Run a continuous ping from cmd (ping -t 8.8.8.8). If you see the GP disconnecting, see if there is any ping drops.
Ans: We have configured split-tunnel.
04-17-2017 08:58 AM
We have seen an issue with SSL tunnel type in earlier versions of 7.0.
Can you check if IPsec is enabled on the Gateway configuration? If so, please check why we are not able to connect via IPsec.
Take pcaps, 1
source IP : your public IP
Destination IP : Firewall's public IP
and configure it in the reverse direction as well.
Or, upgrade the firewall to the latest 7.0.x code (7.0.14) and test.
04-20-2017 02:05 AM - edited 04-20-2017 02:06 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!