GlobalProtect commit fail on PAN-OS 7.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect commit fail on PAN-OS 7.0

L1 Bithead

help me please.

config ip pool for client access but commit fail

commit log message

Operation Commit
Result Failed

Detailsmissing ip pool from both dynamic ip pool and authentication server ip pool for config 'default' in gateway GP-Gateway (tunnel GP-Gateway-N)

(Module: rasmgr)

Commit failed

rasmgr log message


2015-07-10 17:52:29.746 +0700 rasmgr: rasmgr phase 1 started, config size 11700

2015-07-10 17:52:29.746 +0700 rasmgr: rasmgr phase 1 step 1 finished

2015-07-10 17:52:29.747 +0700 GP-Gateway-N

2015-07-10 17:52:29.747 +0700 Tunnel GW configuration:

2015-07-10 17:52:29.747 +0700   Tunnel Interface:tunnel.1

2015-07-10 17:52:29.747 +0700   Tunnel IP: 0.0.0.0

2015-07-10 17:52:29.747 +0700   DNS1: 0.0.0.0

2015-07-10 17:52:29.747 +0700   DNS2: 0.0.0.0

2015-07-10 17:52:29.747 +0700   DNS Suffix: tfg.co.th

2015-07-10 17:52:29.747 +0700   Egress Interface:ethernet1/11

2015-07-10 17:52:29.747 +0700   Accept Published Routes:0

2015-07-10 17:52:29.747 +0700   Anti-Replay:1

2015-07-10 17:52:29.747 +0700   Copy-TOS:0

2015-07-10 17:52:29.747 +0700   NATT enable:0

2015-07-10 17:52:29.747 +0700   Valid Networks:

2015-07-10 17:52:29.747 +0700   Tunnel Monitor:

2015-07-10 17:52:29.747 +0700     Action:0

2015-07-10 17:52:29.747 +0700     Interval:0

2015-07-10 17:52:29.747 +0700     Threshold:0

2015-07-10 17:52:29.747 +0700     Enable:0

2015-07-10 17:52:29.747 +0700     Src IP: 0.0.0.0

2015-07-10 17:52:29.747 +0700     Dest IP: 0.0.0.0

2015-07-10 17:52:29.747 +0700   IPSEc Crypto Profile:

2015-07-10 17:52:29.747 +0700     Lifetime:0

2015-07-10 17:52:29.747 +0700     Lifetime unit:0

2015-07-10 17:52:29.747 +0700     Lifetime secs:0

2015-07-10 17:52:29.747 +0700     Lifesize:0

2015-07-10 17:52:29.747 +0700     Lifesize unit:0

2015-07-10 17:52:29.747 +0700     Lifesize bytes:0

2015-07-10 17:52:29.747 +0700     DHGroup:

2015-07-10 17:52:29.747 +0700     Encr:

2015-07-10 17:52:29.747 +0700       aes-128-cbc

2015-07-10 17:52:29.747 +0700     Auth:

2015-07-10 17:52:29.747 +0700       sha1

2015-07-10 17:52:29.747 +0700 config 'conf1'

2015-07-10 17:52:29.747 +0700 string(any); transformed string(any)

2015-07-10 17:52:29.747 +0700 string(any); transformed string(any)

2015-07-10 17:52:29.747 +0700 config '(null)'

2015-07-10 17:52:29.747 +0700 string(any); transformed string(any)

2015-07-10 17:52:29.747 +0700 string(any); transformed string(any)

2015-07-10 17:52:29.748 +0700 Error:  sslvpn_parse_user_configs_ip_pool_exist(src/rasmgr_parse.c:1807): missing ip pool from both dynamic ip pool and authentication server ip pool for config 'default' in gateway GP-Gateway (tunnel GP-Gateway-N)

2015-07-10 17:52:29.748 +0700 rasmgr: rasmgr phase 1 step 2 finished

2015-07-10 17:52:29.748 +0700 rasmgr: rasmgr phase 1 finished with status -1

2015-07-10 17:52:33.299 +0700 rasmgr: marking phase 1 aborted

2015-07-10 17:52:33.304 +0700 Error:  cfgagent_modify_callback(pan_cfgagent.c:83): Modify string (sw.mgmt.runtime.clients.rasmgr.err) error: USER (1)

5 REPLIES 5

L5 Sessionator

Hi,

Can you check under GloblaProtect/Gateways/Client Configuration/Network settings, in your default profile and in Network Settings.

You should have IP Pool configured with range like 10.1.1.1-10.1.1.10.

If you check the "Retrieve Framed-IP-Address attribute from authentication server" the aim is to delegate IP config for VPN user to internal DHCP server. Do you use it ?

Does your config is ok ?


V.

Hi,

     under GloblaProtect/Gateways/Client Configuration/Network settings I config follow a image.

I try config ip pool to network range or network subnet. but it commit fail every.

T_T

Hi Dent,

Can you try this:

Check the 'Retrieve-Framed-IP-Address attribute from authentication server' box. This will then allow you to edit the authentication server IP pool. Delete the 192.168.168.0/24 pool that you have configured.

Then deselect the 'Retrieve-Framed-IP-Address attribute from authentication server' box and try committing again.

Let me know if this helps at all.

thanks,

Ben

L1 Bithead

I was searching the internet and found this post in Live community.

I too am getting the same error while configuring global protect. Any solution ???? 

@kunal_19,

Can you share your software version that you have on your firewall along with a screenshot of your network settings tab under client settings on the agent tab on the gateway configuration screen. 

  • 5137 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!