06-26-2016 11:13 PM
We updated our GlobalProtect Client to version 3.0.2. Since we updated the client and the people are internal in HQ (so ne vpn needed) they get a popup message every 20 sec "Disconnected". They don't have this problem when they are outside HQ and the VPN tunnel has been setup. When they disable the notification and the computer gets restarted the problem is there again.
The disable notifcation has been reset and they get the popup message again over and over.
How to fix this?
06-28-2016 01:21 AM
I have mis understood your request previosly. Mybad!
I understand that, your global protect VPN is working fine from outside HQ.
But when the user come inside HQ, they are getting discnnect message.
It means the GP is trying to connect even inside HQ also.
So better try not to connect when internal.
You can use Global Protect Portal --> Agent configuration configiuration
Use internal host detection feature.
You have to give IP and host name of the pc/server which in in your internal host. So that GP will understand the user is
in Internal network and should not attempt to cobnect to VPN.
06-26-2016 11:19 PM
What is the PAN OS version running on the firewall. Seems there will be a dependency between firewall versions and GP versions.
Also collect logs from Global protect by enabling Debugging,
see during didiconnection what it says
06-26-2016 11:28 PM
We are using PAN-OS version 7.0.6.
This is the log:
retried for next round.
(T3772) 06/27/16 08:26:17:697 Error(2832): NetworkDiscoverThread: failed to discover internal network.
(T3772) 06/27/16 08:26:17:697 Debug(2854): Not checking case 3 or case 4.
(T3772) 06/27/16 08:26:17:697 Debug(3721): Set state to Disconnected
(T3772) 06/27/16 08:26:17:697 Debug(2946): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0
(T3772) 06/27/16 08:26:17:697 Debug(2962): Network discovery is not ready, set GP VPN status as disconnected
(T3772) 06/27/16 08:26:47:712 Debug(3003): NetworkDiscoverThread: Network discover is not successful. Retry.
(T3772) 06/27/16 08:26:47:712 Debug(3015): Retry network discovery for non-OnDemand mode.
(T3772) 06/27/16 08:26:47:712 Debug(2702): NetworkDiscoverThread: wait for network discover event.
(T3772) 06/27/16 08:26:47:712 Debug( 408): Set hip report quit event
(T3772) 06/27/16 08:26:47:712 Debug(2718): NetworkDiscoverThread: got network discover event.
(T3772) 06/27/16 08:26:47:712 Debug( 757): SetNextScheduledHipCheckTime to 0
(T3772) 06/27/16 08:26:47:712 Debug( 779): m_bScheduleFlag is set to 0
(T3772) 06/27/16 08:26:47:712 Debug(1542): IsDefaultRouteAvailable is 1
(T3772) 06/27/16 08:26:47:712 Debug(1550): Network is available
(T3772) 06/27/16 08:26:47:712 Debug(2730): finish check host reachable
(T3772) 06/27/16 08:26:47:712 Debug(2734): NetworkDiscover SN is 178
(T3772) 06/27/16 08:26:47:712 Debug(3721): Set state to Discovering network...
(T3772) 06/27/16 08:26:47:712 Debug(2742): Logout gateways before network discover...
(T3772) 06/27/16 08:26:47:712 Debug( 765): Logging out gateway, reason is Network discover
(T3772) 06/27/16 08:26:47:712 Debug( 787): Logging out gateway 0, 10.0.99.230
(T3772) 06/27/16 08:26:47:712 Debug(1407): CPanMSService::Logout(): Gateway 10.0.99.230 not log in yet.
(T3772) 06/27/16 08:26:47:712 Debug( 795): Logging out gateway over
(T3772) 06/27/16 08:26:47:712 Debug(1406): Auto detect proxy is not needed for host 10.0.99.230
(T3772) 06/27/16 08:26:47:712 Debug(1413): m_proxyInfo.dwAccessType is 0, m_proxyInfo.lpszProxy is (null)
(T3772) 06/27/16 08:26:47:712 Debug(1406): Auto detect proxy is not needed for host 82.143.64.92
(T3772) 06/27/16 08:26:47:712 Debug(1413): m_proxyInfo.dwAccessType is 0, m_proxyInfo.lpszProxy is (null)
(T3772) 06/27/16 08:26:47:712 Debug(2750): NetworkDiscoverThread: got network discover event.
(T3772) 06/27/16 08:26:47:712 Debug(1439): IP 10.1.0.3
(T3772) 06/27/16 08:26:47:712 Debug(1458): host dcbehq0001.wamo.local
(T3772) 06/27/16 08:26:47:712 Debug(1475): DnsQuery returns 0
(T3772) 06/27/16 08:26:47:712 Debug(1510): The host name is dcbehq0001.wamo.local
(T3772) 06/27/16 08:26:47:712 Debug(2804): NetworkDiscoverThread: network type is internal.
(T3772) 06/27/16 08:26:47:712 Debug(2809): NetworkDiscoverThread: Discover internal network.
(T3772) 06/27/16 08:26:47:712 Debug( 216): gateway count is 1.
(T3772) 06/27/16 08:26:47:712 Debug( 219): Connect timeout for internal network discovery is 5 seconds.
(T3772) 06/27/16 08:26:47:712 Info ( 200): Failed to find attribute 'max-internal-gateway-connection-attempts'
(T3772) 06/27/16 08:26:47:712 Debug(5545): Failed to get max-internal-gateway-connection-attempts from config, try local
(T3772) 06/27/16 08:26:47:712 Info ( 235): DiscoverInternal: max-internal-gateway-connection-attempts = 0, 1 gateway(s) to try to connect.
(T3772) 06/27/16 08:26:47:712 Info ( 248): DiscoverInternal: try to connect to gateway="IP".
(T3772) 06/27/16 08:26:47:712 Debug(1998): entering for gateway "IP".
(T3772) 06/27/16 08:26:47:712 Debug(1778): open http session.
(T3772) 06/27/16 08:26:47:712 Debug( 369): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T3772) 06/27/16 08:26:47:712 Debug(1406): Auto detect proxy is not needed for host "IP"
(T3772) 06/27/16 08:26:47:712 Debug(1413): m_proxyInfo.dwAccessType is 0, m_proxyInfo.lpszProxy is (null)
(T3772) 06/27/16 08:26:47:712 Debug( 75): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T3772) 06/27/16 08:26:47:712 Debug(1244): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer exists. File is tca.cer
(T3772) 06/27/16 08:26:47:712 Debug( 537): set trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T3772) 06/27/16 08:26:47:712 Debug( 75): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx
(T3772) 06/27/16 08:26:47:712 Info (1236): File C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx does not exist.
(T3772) 06/27/16 08:26:47:712 Debug(2047): connect ssl.
(T3772) 06/27/16 08:26:47:712 Debug( 42): WSAGetLastError() returns 10035
(T3772) 06/27/16 08:26:47:728 Debug( 760): X509_verify_cert result is 1
(T3772) 06/27/16 08:26:47:728 Debug(2084): Internal gateway "IP"is authenticated.
(T3772) 06/27/16 08:26:47:728 Debug(2091): disconnect ssl.
(T3772) 06/27/16 08:26:47:728 Debug( 792): SSL3 alert write:warning:close notify
(T3772) 06/27/16 08:26:47:728 Debug(1812): GetClientIpForGateway "IP"
(T3772) 06/27/16 08:26:47:728 Info (1844): Gateway: "IP", client IP: 10.1.2.9
(T3772) 06/27/16 08:26:47:728 Debug(2851): Machine's device id is bec12aa0-4b83-4266-a435-4fb46f1adc02
(T3772) 06/27/16 08:26:47:728 Debug(2851): Machine's device id is bec12aa0-4b83-4266-a435-4fb46f1adc02
(T3772) 06/27/16 08:26:47:728 Debug(2851): Machine's device id is bec12aa0-4b83-4266-a435-4fb46f1adc02
(T3772) 06/27/16 08:26:47:728 Debug(2245): Pre-login gateway...
(T3772) 06/27/16 08:26:47:728 Debug(6377): Need to check gateway cert for 10.0.99.230
(T3772) 06/27/16 08:26:47:728 Debug(2205): gatewayitem0000000001906798 proxyparam is 00000000019087F8
(T3772) 06/27/16 08:26:47:728 Debug(2219): gateway proxyparam is empty
(T3772) 06/27/16 08:26:47:728 Debug(2257): OID, oid=
(T3772) 06/27/16 08:26:47:728 Debug(2301): IPADDR="IPé,PORT=443,URL=/ssl-vpn/prelogin.esp,POST=1,PROXY_AUTO=1,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(T3772) 06/27/16 08:26:47:828 Debug( 872): Send response to client for request https_request
(T3772) 06/27/16 08:26:47:828 Debug(2331): gpapintimeout not set, set it to 600 seconds
(T3772) 06/27/16 08:26:47:928 Debug(2401): receive pan_msg_ping, 3
(T3772) 06/27/16 08:26:47:928 Debug(2469): winhttpObj, cert error, 00000010.
(T3772) 06/27/16 08:26:47:928 Debug(2474): winhttpObj, cert erro is 00000010
(T3772) 06/27/16 08:26:47:928 Debug(2559): HTTP_RPC, len=0, result is
(NULL)...
(T3772) 06/27/16 08:26:47:928 Debug(2374): Failed to pre-login to the gateway "IP"
(T3772) 06/27/16 08:26:47:928 Error(2137): Failed to retrieve info from gateway "IP".
(T3772) 06/27/16 08:26:47:928 Debug(1803): close WinHttp close handle.
(T3772) 06/27/16 08:26:47:928 Debug(2147): returns FALSE.
(T3772) 06/27/16 08:26:47:928 Debug( 274): DiscoverInternal: retry count remain=-1, 1 gateway(s) to be retried for next round.
(T3772) 06/27/16 08:26:47:928 Error(2832): NetworkDiscoverThread: failed to discover internal network.
(T3772) 06/27/16 08:26:47:928 Debug(2854): Not checking case 3 or case 4.
(T3772) 06/27/16 08:26:47:928 Debug(3721): Set state to Disconnected
(T3772) 06/27/16 08:26:47:928 Debug(2946): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0
(T3772) 06/27/16 08:26:47:928 Debug(2962): Network discovery is not ready, set GP VPN status as disconnected
06-28-2016 01:21 AM
I have mis understood your request previosly. Mybad!
I understand that, your global protect VPN is working fine from outside HQ.
But when the user come inside HQ, they are getting discnnect message.
It means the GP is trying to connect even inside HQ also.
So better try not to connect when internal.
You can use Global Protect Portal --> Agent configuration configiuration
Use internal host detection feature.
You have to give IP and host name of the pc/server which in in your internal host. So that GP will understand the user is
in Internal network and should not attempt to cobnect to VPN.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
