GlobalProtect Problem IOS 12.3.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect Problem IOS 12.3.1

L1 Bithead

Hello,

 

Recently some of my Iphone / Ipad devices running on IOS 12.3.1 can no longer connect via GlobalProtect (AppleStore Version: 5.0.7). On the other hand this same account works on a Win10 computer. Do you have an idea of ​​the problem met?

 

PAN firmware: 8.1.9

Error message: Could not connect to gateway. Please contact your IT administrator.

 

PS : I'm using a WildCard certificate and LDAP Authentication for GlobalProtect.

 

Can you help me solve this problem?

Thank's in advance.

5 REPLIES 5

Cyber Elite
Cyber Elite

@FlorianP,

Is it very specifically 12.3.1 or is it any iOS version?Might be a good idea to look at your portal agent configuration and verify that you don't have a configuration issue for your iOS agent configuration as well. 

@BPry 

 

Thanks for your Reply !

 

I'm not sure that's a configuration problem, many users are connected to GlobalProtect (Windows, IPhone, ...) with their own account but if they try to connect to GlobalProtect on an IOS 12.3.1's device the GP Application (GP 5.0.7)  show an error message: Could not connect to gateway. Please contact your IT administrator.

 

If i'm watching logs on Monitor --> System : GP Authentication seems successfull.


Capture.PNG

I have no OS restrict on my Portal and Gateway, and my HIP Profile is : Os contains Apple All.

 

Thanks

 

FlorianP

@FlorianP , Hi. did you ever resolve this issue as starting to cause similar issues for some of our IPhone users.

Hi @Mick_Ball,

 

Yes I resolved my problem.

After an upgrade to the new IOS 12.3.1 version (and later ?), I've got a problem with my GlobalProtect.

I solved it after changing the source Region to Any on the Portal Config.

 

Sans titre6.jpg

 

If you don't have the same problem, i suggest you to extract GlobalProtect log on your Iphone (you can send it to your mailbox).

 

I found my issue here :

P4295-T13319 Jul 26 11:18:40:98836 Debug( 513): Discover external gateway: gateway count is 1, cutoff time is 5

P4295-T13319 Jul 26 11:18:40:98864 Debug( 533): One external gateway gp.xxxx.com, priority=-2, manual is 0

P4295-T13319 Jul 26 11:18:40:98977 Debug(2683): Gateway: gp.xxxx.com, client IP: 10.X.X.X

P4295-T13319 Jul 26 11:18:40:99036 Debug( 569): One external gateway and it's priority is -2, region does not match

P4295-T13319 Jul 26 11:18:40:99068 Error(4537): NetworkDiscoverThread: failed to discover external network.

P4295-T13319 Jul 26 11:18:40:99103 Debug(5521): --Set state to Disconnected

 

Regards,

 

Florian P

 

 

Thanks for the reply,

Our source region is already set to "Any" so must be a different issue....

I have a case with TAC but here are my logs for the gateway failure.

---------------------------------------

P 367-T41987 Sep 03 16:00:14:410935 Debug( 550): Failed to connect to 46.xx.x.xx on 443 with return value -1 and socket error 36(Operation now in progress)

P 367-T41987 Sep 03 16:00:14:411145 Debug( 773): do_tcp_connect() failed

P 367-T41987 Sep 03 16:00:14:411214 Debug(2847): ConnectSSL: Failed to connect to 'wlapaip7.vpn.XXXXXX.uk:443'. Disconnect ssl.

P 367-T41987 Sep 03 16:00:14:411317 Debug(5438): Set perfer ipv6 to false for 46.16.6.21

P 367-T41987 Sep 03 16:00:14:411368 Debug(2874): Already tried ipv4

P 367-T41987 Sep 03 16:00:14:411416 Debug(1012): gateway wlapaip7.vpn.XXXXXX.uk has been processed: duration is -1ms, 5 gateway processed

----------------------------------

it will connect for IPads and Win7/10 but not iphone ios v12 but (it does sometimes which makes it more confusing)

 

I can see ssl handshake back and forth but then just stops.

nothing in palo system logs so really need some CLI help with ssl connect debug thingy stuff.

  • 6685 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!