Globalprotect disconnects

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Globalprotect disconnects

L1 Bithead

Weird one here,

 

I have many remote users, all over, experiencing no issues. But... I have one user which when the user connects, he successfully connects but as quick as he auth's, he gets disconnected. Reason "client logged out". In which he does not logout, his side just never connects.

 

+ HQ is in Nor Cal, user is in Florida

+ User only uses "ya I know" ATT Iphone to tether or starbucks/Applebees/ATT hotspots... yes... really

+ User was a network admin in 2000.... so you know what type of user I'm dealing with. 

5 REPLIES 5

L7 Applicator

Are you seeing “client logged out” on the PA system logs...

can you get this ex admin person (oh yes i know where your coming from....) to collect local logs and forward to you...

 

Then match the Pa client logoff with events on the loacal logs... it may give some pointers...

 

it could just be a bad install... can you not test yourself via simialr connections that he makes or invite user to test on someones home wifi that you know works well..

 

Perhaps also just check that the PA is not just showing client log off because of an existing session...

 

@k.truex,

Local client logs as @Mick_Ball mentioned are going to be your best friend here; get those and make sure that they aren't logging a more detailed reason why this user is having issues. If the local logs show fine I would have the user completely remove GP and then try with a clean install, something could have just gotten messed up a bit on the system. 

I hate to say it but most of my VPN users issues are unreliable ISP and internet  issues

L1 Bithead

A bit busy with IT chaos, but nothing changes... the logs dont lie.

 

Client side logs showed a different story, PAN side logs looked as if user was closing the connection "but super quick". Client side, something looked as if the cert chain is/or was broken. User? Desktop security? OS Updates? Who knows?

 

But...

 

User on the client side is kjetbd "knows just enough to be dangerous", and we pulled their pc. We're are pretty locked down on the machine side, but sometimes that breaks things. So I'll update with the outcome, here's what I was seeing.

 

 

(T9288) 10/04/18 15:40:51:561 Debug( 519): pManualGateways->RemoveAll()
(T9288) 10/04/18 15:40:51:561 Debug(1155): message did not contain gateway-list.
(T9832) 10/04/18 15:40:51:563 Debug(3374): OID is (null)
(T9832) 10/04/18 15:40:51:563 Debug( 403): force 1.2
(T9832) 10/04/18 15:40:51:563 Debug( 370): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T9832) 10/04/18 15:40:51:563 Debug( 440): REUSE, set context=0000000002C1F6C0
(T9832) 10/04/18 15:40:51:563 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=0000000002C1F6C0)
(T9832) 10/04/18 15:40:51:563 Debug( 479): REUSE, new session 0000000002C6F080, m_server=x.x.x.x, port=443
(T9832) 10/04/18 15:40:51:563 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=0000000002C1F6C0)
(T9832) 10/04/18 15:40:51:563 Debug( 622): setReceiveTimeOut, set time out to 30000 ms
(T9832) 10/04/18 15:40:51:563 Debug( 669): setConnectTimeOut, set time out to 30000 ms
(T9832) 10/04/18 15:40:51:563 Debug( 652): kerberos, set HTTP_OPTION_AUTOLOGON_POLICY success
(T9832) 10/04/18 15:40:51:563 Info (3472): winhttpObj->SendRequest, first try
(T9832) 10/04/18 15:40:51:563 Info (1365): winhttpObj, SendRequest, bIngoreClientCert=0
(T9832) 10/04/18 15:40:51:563 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=0000000002C1F6C0)
(T9832) 10/04/18 15:40:51:563 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=0000000002C1F6C0)
(T9832) 10/04/18 15:40:51:563 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=0000000002C1F6C0)
(T652) 10/04/18 15:40:51:636 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=0000000002C1F6C0)
(T9832) 10/04/18 15:40:51:663 Debug(3848): send alive message now 3
(T9288) 10/04/18 15:40:51:663 Debug( 517): Command = <request><type>pan_msg_ping</type><result>3</result></request>
(T652) 10/04/18 15:40:51:970 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000002C1F6C0)
(T652) 10/04/18 15:40:51:970 Info (2536): winhttpObj, dwCertError is:
(T652) 10/04/18 15:40:51:970 Info (2540): WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
(T652) 10/04/18 15:40:51:970 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000000002C1F6C0)
(T652) 10/04/18 15:40:51:970 Debug(2604): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5, dwCertificateError=8
(T9832) 10/04/18 15:40:52:063 Info (1433): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T9832) 10/04/18 15:40:52:063 Info (1435): winhttpObj, ERROR_WINHTTP_SECURE_FAILURE set
(T9832) 10/04/18 15:40:52:063 Error(1460): error = ERROR_WINHTTP_SECURE_FAILURE
(T9832) 10/04/18 15:40:52:063 Debug( 887): Server x.x.x.x cert chain has been created.
(T9832) 10/04/18 15:40:52:063 Info ( 905): Server x.x.x.x cert verification result is 0x1010040
(T9832) 10/04/18 15:40:52:063 Debug( 908): No mechanism to check server x.x.x.xrevocation
(T9832) 10/04/18 15:40:52:063 Debug( 925): Check server certificate revocation returns TRUE
(T9832) 10/04/18 15:40:52:063 Debug(1020): The length of the serialized string is 1019.
(T9832) 10/04/18 15:40:52:063 Debug(1038): The encoded element has been serialized.
(T9832) 10/04/18 15:40:52:064 Debug(1056): SerializeServerCert(): wrote 1019 of 1019 bytes to file C:\Users\Administrator\AppData\Local\Palo Alto Networks\GlobalProtect\ServerCert.pan.
(T9832) 10/04/18 15:40:52:064 Debug(3665): return string CERT_ERROR=00000008
(T9832) 10/04/18 15:40:52:064 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=0000000002C1F6C0)
(T9832) 10/04/18 15:40:52:064 Debug(2622): handle 02c1fbd0 closed
(T9832) 10/04/18 15:40:52:064 Debug(2626): REUSE, request closed
(T9832) 10/04/18 15:40:52:064 Info ( 575): wait for closing callback success!
(T9288) 10/04/18 15:40:52:064 Debug( 517): Command = <request><type>https_request</type><result>CERT_ERROR=00000008</result></request>
(T9288) 10/04/18 15:40:52:064 Debug( 959): status message received from the service:

nicely diagnosed.......

 

so...

 

+ User only uses "ya I know" ATT Iphone to tether or starbucks/Applebees/ATT hotspots... yes... really

+ User was a network admin in 2000.... so you know what type of user I'm dealing with. 

 

get your own back and suggest that he comes out of  starbucks and goes back in again...

 

if nobody gets that..... I'm doomed...

 

 

  • 6148 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!