Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect stops to connect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect stops to connect

L1 Bithead

Hi all,
GlobalProtect stopped to connect to server. 
So it works before ( I did not install any new software, firewals, proxies, .... etc) It contiue work under VirtualBox machine, so it is not a problem of my internet provider, but it stops to connect from my machine:
I can reach portal throgh browser (chrome), or curl on 443 port without problems.
I tried without success reboot, reinstall GlobalProtect, etc..
So any help very appreciated I don't want to reinstall whole system without understanding what problem is.

My logs (just XXXXed real portal url): 

(T11260) 07/30/17 12:25:58:494 Debug(6677): Saved password is empty.
(T8556) 07/30/17 12:25:58:494 Info ( 734): HipMonitorThread starts
(T11260) 07/30/17 12:25:58:494 Debug(1675): Pre-logon-then-on-demand value is no
(T11260) 07/30/17 12:25:58:494 Debug(1336): SSO starts.
(T11260) 07/30/17 12:25:58:494 Debug(1365): SSO ----- PanCredGet failed with error=0x2
(T11260) 07/30/17 12:25:58:494 Debug(6693): SSO password is empty
(T11260) 07/30/17 12:25:58:494 Debug(1760): empty domain name.
(T11260) 07/30/17 12:25:58:495 Debug(4326): Set state to Retrieving configuration...
(T8556) 07/30/17 12:25:58:495 Debug( 387): Wscapi.dll is loaded.
(T8556) 07/30/17 12:25:58:495 Debug( 401): Register -- WscRegisterForChanges
(T11260) 07/30/17 12:25:58:495 Debug(1289): unknown network type.
(T11260) 07/30/17 12:25:58:495 Debug(4614): ServerThread: ProcessServerPortal -- GetConfigFromPortal
(T7100) 07/30/17 12:25:58:495 Debug( 351): Active session id is 1
(T8556) 07/30/17 12:25:58:495 Info ( 403): HipMonitorThread wait for exit event.
(T8556) 07/30/17 12:25:58:495 Debug( 405): before WaitForMultipleObjects
(T11260) 07/30/17 12:25:58:495 Debug(5021): entering.
(T11260) 07/30/17 12:25:58:495 Debug(5057): SSO enable status is 0, user name is slogvine, domain name is .
(T11260) 07/30/17 12:25:58:495 Debug(5060): reset user authentication status to true.
(T11260) 07/30/17 12:25:58:495 Debug(1795): open http session.
(T11260) 07/30/17 12:25:58:496 Debug( 370): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T11260) 07/30/17 12:25:58:496 Debug(1398): Auto detect proxy for host XXXXXXXX
(T11260) 07/30/17 12:25:58:496 Debug(1411): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 0 url: proxy: bypass:
url:https://XXXXXXXX/ returned proxystr:
(T11260) 07/30/17 12:25:58:496 Debug(1436): m_proxyInfo.dwAccessType is 0, m_proxyInfo.lpszProxy is (null)
(T11260) 07/30/17 12:25:58:496 Debug(7855): Scep clean
(T11260) 07/30/17 12:25:58:496 Debug(7857): Clean m_pScepCert
(T11260) 07/30/17 12:25:58:496 Debug(3194): Clean m_szScepCertPanName
(T11260) 07/30/17 12:25:58:496 Debug(2997): TriggerCaptivePortalDetection() end
(T8568) 07/30/17 12:25:58:496 Debug(3094): CaptivePortalDetectionThread: delay 2 seconds before captive portal detection. m_bIsDetectingCaptivePortal=1, m_bPreLoginIsDone = 0
(T8568) 07/30/17 12:25:58:496 Debug(3072): CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(T11260) 07/30/17 12:25:58:497 Debug(4381): Pre-login...,verifyportalcert=yes
(T11260) 07/30/17 12:25:58:497 Debug( 76): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T11260) 07/30/17 12:25:58:497 Info (1259): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T11260) 07/30/17 12:25:58:497 Debug(7000): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T11260) 07/30/17 12:25:58:497 Debug(7037): CheckServerCert() returns FALSE
(T11260) 07/30/17 12:25:58:497 Debug(2328): portal proxyparam is empty
(T11260) 07/30/17 12:25:58:497 Debug(2350): OID, oid=
(T11260) 07/30/17 12:25:58:497 Debug(2394): IPADDR=XXXXXXXX,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=1,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(T11260) 07/30/17 12:25:58:497 Debug( 910): Send response to client for request https_request
(T11260) 07/30/17 12:25:58:497 Debug(2424): gpapintimeout not set, set it to 600 seconds
(T7100) 07/30/17 12:25:58:497 Debug( 274): Found PanGPA pid 6596
(T7100) 07/30/17 12:25:58:497 Debug( 278): Found active PanGPA pid is 6596
(T7100) 07/30/17 12:25:58:497 Debug( 55): Session id is 1 for pid 6596
(T7100) 07/30/17 12:25:58:497 Debug( 95): User profile directory is C:\Users\Lenovo-PC
(T7100) 07/30/17 12:25:58:497 Debug( 110): Found session 1
(T7100) 07/30/17 12:25:58:497 Debug( 140): Skip calling NetUserGetInfo for non-roaming profile.
(T7100) 07/30/17 12:25:58:497 Debug( 153): info4_buf is NULL
(T7100) 07/30/17 12:25:58:497 Debug( 155): profileInfo username Lenovo-PC, profile path (null), server (null)
(T7100) 07/30/17 12:25:58:587 Debug( 169): User profile loaded.
(T7100) 07/30/17 12:25:58:587 Debug( 185): Impersonated logged on user.
(T7100) 07/30/17 12:25:58:587 Debug( 187): Profile type is 0
(T7100) 07/30/17 12:25:58:588 Debug( 239): User profile unloaded
(T7100) 07/30/17 12:25:58:588 Debug( 76): pan_get_full_path(): full path in multibyte char is C:\WINDOWS\system32\config\systemprofile\AppData\Local\Palo Alto Networks\GlobalProtect\PanGpMPR.dat
(T11260) 07/30/17 12:25:58:613 Debug(2494): receive pan_msg_ping, 3
(T11260) 07/30/17 12:26:00:300 Debug(2494): receive pan_msg_ping, 3
(T8568) 07/30/17 12:26:00:501 Debug( 56): pan_captive_portal_detection: remote server address= 0xE12D9AC
(T8568) 07/30/17 12:26:00:501 Debug( 47): WSAGetLastError() returns 10035
(T11260) 07/30/17 12:26:00:522 Debug(2659): HTTP_RPC, len=0, result is
(NULL)...
(T11260) 07/30/17 12:26:00:522 Debug(4418): prelogin to portal result is
(null)
(T11260) 07/30/17 12:26:00:522 Debug(4574): Failed to pre-login to the portal XXXXXXXX. Error 0
(T11260) 07/30/17 12:26:00:522 Debug(1820): close WinHttp close handle.
(T11260) 07/30/17 12:26:00:522 Info (6175): Portal config does not exist, try registry/plist
(T11260) 07/30/17 12:26:00:522 Debug(6185): Failed to get version from config, try local
(T11260) 07/30/17 12:26:00:522 Info (5188): failed to retrieve value of the tag version.
(T11260) 07/30/17 12:26:00:522 Info (5228): Skip reading cached portal config.
(T11260) 07/30/17 12:26:00:522 Debug(7509): No scep profile
(T11260) 07/30/17 12:26:00:522 Debug(5241): portal status is Invalid portal.
(T11260) 07/30/17 12:26:00:522 Debug(5242): returns 0.
(T11260) 07/30/17 12:26:00:522 Debug(4326): Set state to Disconnected
(T11260) 07/30/17 12:26:00:522 Debug(1289): unknown network type.
(T11260) 07/30/17 12:26:00:522 Debug( 910): Send response to client for request portal
(T11260) 07/30/17 12:26:00:522 Debug(7269): Set m_bPreviousSwitchOffMsg to 0
(T8568) 07/30/17 12:26:00:638 Debug( 152): pan_http_captive_portal_detection: status is 204
(T8568) 07/30/17 12:26:00:638 Debug(3014): DetectCaptivePortal: captive portal is not detected for CP server index = 0. iStatus = 204
(T8568) 07/30/17 12:26:00:701 Debug( 56): pan_captive_portal_detection: remote server address= 0xC937FD11
(T8568) 07/30/17 12:26:00:701 Debug( 47): WSAGetLastError() returns 10035
(T8568) 07/30/17 12:26:00:885 Debug( 152): pan_http_captive_portal_detection: status is 200
(T8568) 07/30/17 12:26:00:885 Debug( 185): pan_http_captive_portal_detection(): head start=657, end=685.
(T8568) 07/30/17 12:26:00:885 Debug( 197): pan_http_captive_portal_detection() - captive portal isn't detected against server.
(T8568) 07/30/17 12:26:00:885 Debug(3014): DetectCaptivePortal: captive portal is not detected for CP server index = 1. iStatus = 200
(T8568) 07/30/17 12:26:00:885 Debug(3165): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T8568) 07/30/17 12:26:00:885 Debug(3072): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.

28 REPLIES 28

L4 Transporter

Hi @Udineverisch

 

T11260) 07/30/17 12:26:00:522 Debug(4418): prelogin to portal result is
(null)
(T11260) 07/30/17 12:26:00:522 Debug(4574): Failed to pre-login to the portal XXXXXXXX. Error 0

This indicates that the GP client couldn't even connect to the portal. Not much detail is present here. As a test, can you browse to the https page of the portal and login there? Also, share PanGPA.log for attempt from the GP client.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

I already wrote that it is acceptable using browser or curl. I tried site at all and pre-login action. I did not find any problems with firewall or proxy. I completelly switched off windows firewall and I don't have antivirus installed. 
Any help to understand what problem could be very appreciated. I don't want to reinstall OS.
Thanks

PanGPA logs: 

= Windows 10 Pro
(T10748) 07/31/17 07:53:36:701 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:53:36:701 Debug( 125): Skip calling GetProductInfo for Windows 10
(T12224) 07/31/17 07:53:36:756 Debug(2501): gbCheckInsertSmardCard is false, quit the enum loop
(T13576) 07/31/17 07:53:37:030 Debug(2475): enum result is 0000000000000000
(T13576) 07/31/17 07:53:37:030 Debug(2501): gbCheckInsertSmardCard is false, quit the enum loop
(T10748) 07/31/17 07:54:42:576 Debug( 73): CTranslate: dwSidLen is 24
(T10748) 07/31/17 07:54:42:614 Debug(3703): CPanClient::GetSavedPasswdAttribute - cannot resolve binarry item.
(T10892) 07/31/17 07:54:42:614 Debug( 517): Command = <request><type>user_credential</type><user>slogvine</user><passwd>***********</passwd><pid>10744</pid><restart>true</restart><portal>XXXXXXXX</portal><checkupdate>no</checkupdate><allow-cached-portal>no</allow-cached-portal><remember-me>yes</remember-me><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>Lenovo-PC</win-user><pre-logon-then-on-demand>no</pre-logon-then-on-demand><user-profile-type>0</user-profile-type><saved-user></saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa></request>
(T10748) 07/31/17 07:54:42:614 Debug( 435): CPanGASetting:OnBnClickedSave - resend credentials
(T10748) 07/31/17 07:54:42:614 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:42:614 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:42:614 Debug( 125): Skip calling GetProductInfo for Windows 10
(T10748) 07/31/17 07:54:42:744 Debug( 959): status message received from the service:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<type>status</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error/>
<product-version>3.1.4-7</product-version>
<product-code>&quot;{6AC613AB-3F53-424B-BED2-570C7869F30F}&quot;</product-code>
<portal-status>Invalid portal</portal-status>
<user-name>slogvine</user-name>
<state>Retrieving configuration...</state>
<check-version>no</check-version>
<mdm-is-enabled>no</mdm-is-enabled>
</response>

(T10748) 07/31/17 07:54:42:744 Debug( 519): pManualGateways->RemoveAll()
(T10748) 07/31/17 07:54:42:791 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:42:791 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:42:791 Debug( 125): Skip calling GetProductInfo for Windows 10
(T9604) 07/31/17 07:54:42:791 Debug(3374): OID is (null)
(T9604) 07/31/17 07:54:42:791 Debug( 407): not force 1.2
(T9604) 07/31/17 07:54:42:791 Debug( 440): REUSE, set context=000002D6B7CD91F0
(T9604) 07/31/17 07:54:42:791 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:42:791 Debug( 479): REUSE, new session 000002D6B7D52D50, m_server=XXXXXXXX, port=443
(T9604) 07/31/17 07:54:42:791 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:42:791 Debug( 622): setReceiveTimeOut, set time out to 30000 ms
(T9604) 07/31/17 07:54:42:791 Debug( 669): setConnectTimeOut, set time out to 30000 ms
(T9604) 07/31/17 07:54:42:791 Debug( 652): kerberos, set HTTP_OPTION_AUTOLOGON_POLICY success
(T9604) 07/31/17 07:54:42:791 Info (3472): winhttpObj->SendRequest, first try
(T9604) 07/31/17 07:54:42:791 Info (1365): winhttpObj, SendRequest, bIngoreClientCert=0
(T9604) 07/31/17 07:54:42:791 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=000002D6B7CD91F0)
(T12220) 07/31/17 07:54:42:791 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=000002D6B7CD91F0)
(T12220) 07/31/17 07:54:42:791 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:42:907 Debug(3848): send alive message now 3
(T10748) 07/31/17 07:54:42:907 Debug( 517): Command = <request><type>pan_msg_ping</type><result>3</result></request>
(T12220) 07/31/17 07:54:43:544 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=000002D6B7CD91F0)
(T5000) 07/31/17 07:54:44:061 Debug(2475): enum result is 0000000000000000
(T12220) 07/31/17 07:54:44:472 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=000002D6B7CD91F0)
(T12220) 07/31/17 07:54:44:472 Info (2536): winhttpObj, dwCertError is:
(T12220) 07/31/17 07:54:44:472 Info (2542): WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR
(T12220) 07/31/17 07:54:44:472 Debug(2549): do not force 1.2 now
(T12220) 07/31/17 07:54:44:472 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=000002D6B7CD91F0)
(T12220) 07/31/17 07:54:44:472 Debug(2604): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5, dwCertificateError=-2147483648
(T12220) 07/31/17 07:54:44:472 Debug(3888): we get cert error, so remove previousCertificate
(T9604) 07/31/17 07:54:44:532 Info (1433): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T9604) 07/31/17 07:54:44:532 Info (1435): winhttpObj, ERROR_WINHTTP_SECURE_FAILURE set
(T9604) 07/31/17 07:54:44:532 Error(1460): error = ERROR_WINHTTP_SECURE_FAILURE
(T9604) 07/31/17 07:54:44:532 Info ( 856): Server cert query failed with error 12019, ERROR_WINHTTP_INCORRECT_HANDLE_STATE
(T9604) 07/31/17 07:54:44:532 Info (1009): Server cert query failed with error 12019
(T9604) 07/31/17 07:54:44:532 Debug(3502): do not enforce 1.2, retry it now
(T9604) 07/31/17 07:54:44:532 Info (1365): winhttpObj, SendRequest, bIngoreClientCert=0
(T9604) 07/31/17 07:54:44:532 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:44:532 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:44:532 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=000002D6B7CD91F0)
(T5000) 07/31/17 07:54:44:579 Debug(2501): gbCheckInsertSmardCard is false, quit the enum loop
(T12744) 07/31/17 07:54:44:632 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:44:648 Debug(3848): send alive message now 3
(T10748) 07/31/17 07:54:44:648 Debug( 517): Command = <request><type>pan_msg_ping</type><result>3</result></request>
(T12744) 07/31/17 07:54:44:748 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=000002D6B7CD91F0)
(T12744) 07/31/17 07:54:44:748 Info (2536): winhttpObj, dwCertError is:
(T12744) 07/31/17 07:54:44:748 Info (2542): WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR
(T12744) 07/31/17 07:54:44:748 Debug(2549): do not force 1.2 now
(T12744) 07/31/17 07:54:44:748 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=000002D6B7CD91F0)
(T12744) 07/31/17 07:54:44:748 Debug(2604): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5, dwCertificateError=-2147483648
(T12744) 07/31/17 07:54:44:748 Debug(3888): we get cert error, so remove previousCertificate
(T9604) 07/31/17 07:54:44:763 Info (1433): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T9604) 07/31/17 07:54:44:763 Info (1435): winhttpObj, ERROR_WINHTTP_SECURE_FAILURE set
(T9604) 07/31/17 07:54:44:763 Error(1460): error = ERROR_WINHTTP_SECURE_FAILURE
(T9604) 07/31/17 07:54:44:763 Info ( 856): Server cert query failed with error 12019, ERROR_WINHTTP_INCORRECT_HANDLE_STATE
(T9604) 07/31/17 07:54:44:763 Info (1009): Server cert query failed with error 12019
(T9604) 07/31/17 07:54:44:763 Error(3650): winhttpObj, error! ipaddress XXXXXXXX
bRetryWithoutCert is 0, bClientCertNeeded=0
(T9604) 07/31/17 07:54:44:763 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=000002D6B7CD91F0)
(T9604) 07/31/17 07:54:44:763 Debug(2622): handle b43f7250 closed
(T9604) 07/31/17 07:54:44:763 Debug(2626): REUSE, request closed
(T9604) 07/31/17 07:54:44:763 Info ( 575): wait for closing callback success!
(T10748) 07/31/17 07:54:44:763 Debug( 517): Command = <request><type>https_request</type><result>NULL</result></request>
(T10748) 07/31/17 07:54:44:763 Debug( 959): status message received from the service:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<type>status</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error/>
<product-version>3.1.4-7</product-version>
<product-code>&quot;{6AC613AB-3F53-424B-BED2-570C7869F30F}&quot;</product-code>
<portal-status>Invalid portal</portal-status>
<user-name>slogvine</user-name>
<state>Disconnected</state>
<check-version>no</check-version>
<mdm-is-enabled>no</mdm-is-enabled>
</response>

(T10748) 07/31/17 07:54:44:763 Debug( 519): pManualGateways->RemoveAll()
(T10748) 07/31/17 07:54:44:763 Debug(1145): HandlePortal - portal messsage with Invalid portal status received. m_nAuthTries = 1
(T10748) 07/31/17 07:54:44:763 Debug( 961): message type from the service = portal
(T10748) 07/31/17 07:54:44:763 Debug( 963): received message details:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<type>portal</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error/>
<product-version>3.1.4-7</product-version>
<product-code>&quot;{6AC613AB-3F53-424B-BED2-570C7869F30F}&quot;</product-code>
<portal-status>Invalid portal</portal-status>
<user-name>slogvine</user-name>
<state>Disconnected</state>
<check-version>no</check-version>
<mdm-is-enabled>no</mdm-is-enabled>
</response>

(T10748) 07/31/17 07:54:44:763 Debug( 519): pManualGateways->RemoveAll()
(T10748) 07/31/17 07:54:44:763 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:44:763 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:44:763 Debug( 125): Skip calling GetProductInfo for Windows 10
(T10748) 07/31/17 07:54:44:813 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:44:813 Debug( 358): COSVersion::OSProductName - fetch OS productName successful = Windows 10 Pro
(T10748) 07/31/17 07:54:44:813 Debug( 125): Skip calling GetProductInfo for Windows 10
(T13972) 07/31/17 07:54:45:149 Debug(2475): enum result is 0000000000000000
(T13972) 07/31/17 07:54:45:149 Debug(2501): gbCheckInsertSmardCard is false, quit the enum loop

Is the portal and gateway on the same firewall and IP address? 

Is there a problem with the certificates on your portal/gateway (revoked, expired, missing root cert on your computer, 

...)?

(T12744) 07/31/17 07:54:44:748 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=000002D6B7CD91F0)
(T12744) 07/31/17 07:54:44:748 Info (2536): winhttpObj, dwCertError is:
(T12744) 07/31/17 07:54:44:748 Info (2542): WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR
(T12744) 07/31/17 07:54:44:748 Debug(2549): do not force 1.2 now
(T12744) 07/31/17 07:54:44:748 Info (2523): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=000002D6B7CD91F0)

Something's not right with the certificates used. Make sure the certificate used in the portal's SSL-TLS profile is not using RSASSA-PSS as the algorithm. That is not supported.

 

Regards,
Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

I have been having the same issue.

 

the portal will connect

 

But I have 6 laptops 2 work no problem, the others have this issue but will connect to the internal gateway, if I remove credentials they will not connect to the portal, but if I kill the process they will connect to the internal gateway.

 

 

 

how do i check RSASSA-PSS ?

 

My TLS profile for the portal is tls1.1 -> tls1.1

Open the certificate presented by the portal. Go to the details tab and then check the Signature Algorithm. This is where RSA SSA-PSA would be, if the certificate is using it. I doubt it though, in your case, as 2 machines are able to connect. We'd need to check the GP agent logs to figure out what's going on.
================================================================
ACE 7.0, 8.0, PCNSE 7

H

 

Bit more info 

 

On my laptop - one of the ones not working.  I can uninstall GP.  I make sure  i have a cert in my machine cert store.

I browse to gp portal and login and download client and install gp.

 

it runs and I login and it attachs me to the internal network.

 

when i open the gp client panel it says 

your device cannot connect to Global Protect due to a network issue.

 

But status say internal ... If I move to a internet hot spot it fails completely.

 

If I clear the cached credentials it fails, I can reboot that will re connect me to the internal gateway or I can kill the process and it till restart and then connect to internal.

 

The portal doesn't need a client cert to access, but the ext & int gateways do. I can browse to all the urls'

 

below is the output from logs from the trouble shoorting panel 

 

I turned it on debug and went to the home tab and pressed connect

 

(T6136) 08/02/17 10:44:28:142 Debug(1990): open http session.
(T6136) 08/02/17 10:44:28:142 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T6136) 08/02/17 10:44:28:142 Debug(1470): Auto detect proxy for host gp.somecompany.com
(T6136) 08/02/17 10:44:28:142 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T6136) 08/02/17 10:44:28:142 Debug( 101): Proxy auto detect timeout 60 seconds
(T6136) 08/02/17 10:44:28:142 Debug( 105): dwAveTimeout 19666 ms
(T6136) 08/02/17 10:44:28:142 Debug( 133): Auto detect proxy
(T6136) 08/02/17 10:44:28:143 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://gp.somecompany.com/ returned proxystr:
(T6136) 08/02/17 10:44:28:143 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T6136) 08/02/17 10:44:28:143 Debug(8448): Scep clean
(T6136) 08/02/17 10:44:28:143 Debug(8450): Clean m_pScepCert
(T6136) 08/02/17 10:44:28:143 Debug(3392): Clean m_szScepCertPanName
(T6136) 08/02/17 10:44:28:143 Debug(3284): TriggerCaptivePortalDetection() end
(T6136) 08/02/17 10:44:28:143 Debug( 408): Found ipv4 default route
(T6136) 08/02/17 10:44:28:143 Debug(4689): Pre-login...,verifyportalcert=yes
(T6136) 08/02/17 10:44:28:143 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T16652) 08/02/17 10:44:28:143 Debug(3381): CaptivePortalDetectionThread: delay 2 seconds before captive portal detection. m_bIsDetectingCaptivePortal=1, m_bPreLoginIsDone = 0
(T16652) 08/02/17 10:44:28:143 Debug(3359): CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(T6136) 08/02/17 10:44:28:143 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T6136) 08/02/17 10:44:28:143 Debug(7582): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T6136) 08/02/17 10:44:28:144 Debug( 408): Found ipv4 default route
(T6136) 08/02/17 10:44:28:144 Debug( 48): WSAGetLastError() returns 10035
(T4124) 08/02/17 10:44:28:145 Debug( 274): Found PanGPA pid 14104
(T4124) 08/02/17 10:44:28:145 Debug( 278): Found active PanGPA pid is 14104
(T4124) 08/02/17 10:44:28:145 Debug( 55): Session id is 1 for pid 14104
(T4124) 08/02/17 10:44:28:146 Debug( 95): User profile directory is C:\Users\alex.samad
(T4124) 08/02/17 10:44:28:146 Debug( 110): Found session 1
(T4124) 08/02/17 10:44:28:146 Debug( 140): Skip calling NetUserGetInfo for non-roaming profile.
(T4124) 08/02/17 10:44:28:146 Debug( 153): info4_buf is NULL
(T4124) 08/02/17 10:44:28:146 Debug( 155): profileInfo username alexander.samad, profile path (null), server (null)
(T6136) 08/02/17 10:44:28:155 Error(1128): Failed to X509_LOOKUP_load_file
(T6136) 08/02/17 10:44:28:155 Debug( 296): Open_SSL_connection: subject '/O=somecompany Pty Limited/OU=PA/CN=gp.somecompany.com'
(T6136) 08/02/17 10:44:28:155 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T6136) 08/02/17 10:44:28:155 Debug( 731): StandardizeIpv6Format host=gp.somecompany.com
(T6136) 08/02/17 10:44:28:155 Debug( 793): standardized name is gp.somecompany.com
(T6136) 08/02/17 10:44:28:155 Debug( 731): StandardizeIpv6Format host=gp.somecompany.com
(T6136) 08/02/17 10:44:28:155 Debug( 821): standardized common name is gp.somecompany.com
(T6136) 08/02/17 10:44:28:155 Debug( 942): Check domain name gp.somecompany.com versus CN anme gp.somecompany.com
(T6136) 08/02/17 10:44:28:155 Debug( 905): Cert gp.somecompany.com name check succeeded
(T6136) 08/02/17 10:44:28:155 Debug(1197): SSL3 alert write:warning:close notify
(T6136) 08/02/17 10:44:28:155 Debug(7631): CheckServerCert() returns 4098
(T6136) 08/02/17 10:44:28:155 Debug( 865): PrepareRequest...
(T6136) 08/02/17 10:44:28:155 Debug( 873): WinHttpOpenRequest...
(T6136) 08/02/17 10:44:28:155 Debug( 441): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T6136) 08/02/17 10:44:28:160 Debug( 892): error code=12186(00002f9a)
(T6136) 08/02/17 10:44:28:160 Error(1000): PostRequest failed with error code 12186.
(T6136) 08/02/17 10:44:28:160 Debug(4776): prelogin to portal result is
(null)
(T6136) 08/02/17 10:44:28:160 Debug(4986): Failed to pre-login to the portal gp.somecompany.com. Error 12186
(T6136) 08/02/17 10:44:28:160 Debug(2015): close WinHttp close handle.
(T6136) 08/02/17 10:44:28:160 Debug(5685): Failed to get portal config from portal gp.somecompany.com.(T6136) 08/02/17 10:44:28:160 Debug(5710): Try to restore last portal config from file.
(T6136) 08/02/17 10:44:28:160 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanSCEP_cdfe1622cca3ee8d2a6773ab562f42b.cer
(T6136) 08/02/17 10:44:28:160 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanSCEP_cdfe1622cca3ee8d2a6773ab562f42b.pfx
(T6136) 08/02/17 10:44:28:160 Debug(1339): File C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_cdfe1622cca3ee8d2a6773ab562f42b.dat exists. File is PanPortalCfg_cdfe1622cca3ee8d2a6773ab562f42b.dat
(T6136) 08/02/17 10:44:28:160 Debug( 73): CTranslate: dwSidLen is 24
(T6136) 08/02/17 10:44:28:161 Debug( 464): pan_read_text_from_file(): File is successfully decrypted. File: C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_cdfe1622cca3ee8d2a6773ab562f42b.dat
(T6136) 08/02/17 10:44:28:161 Debug(5720): last portal config is restored from file C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_cdfe1622cca3ee8d2a6773ab562f42b.dat.
(T6136) 08/02/17 10:44:28:161 Debug(9322): REGION-PRIO, cached region code is 10.0.0.0-10.255.255.255
(T6136) 08/02/17 10:44:28:161 Debug( 202): 5 OTP options exist in portal configuration.
(T6136) 08/02/17 10:44:28:161 Debug( 587): Collect hip data is true
(T6136) 08/02/17 10:44:28:161 Debug( 63): VPN event pre-vpn-connect does not exist.
(T6136) 08/02/17 10:44:28:161 Debug( 63): VPN event post-vpn-connect does not exist.
(T6136) 08/02/17 10:44:28:161 Debug( 63): VPN event pre-vpn-disconnect does not exist.
(T6136) 08/02/17 10:44:28:162 Debug( 674): No third party vpn clients defined
(T6136) 08/02/17 10:44:28:162 Debug( 73): No <host> or <ip-address> in internal-host-detection
(T6136) 08/02/17 10:44:28:162 Debug( 776): REGION-PRIO, gateway 0(pa1-vpn-gateway), 0, region = Any, priority = 1, portalRegion=10.0.0.0-10.255.255.255
(T6136) 08/02/17 10:44:28:162 Debug( 363): REGION-PRIO, after search for exact region match, i=1, m_nRegions=1
(T6136) 08/02/17 10:44:28:162 Debug( 367): REGION-PRIO, no exact match, search for ANY
(T6136) 08/02/17 10:44:28:162 Debug( 370): REGION-PRIO, found ANY, priority=1
(T6136) 08/02/17 10:44:28:162 Debug( 406): REGION-PRIO, regioncode=10.0.0.0-10.255.255.255, return priority 1, bManual=1
(T6136) 08/02/17 10:44:28:162 Debug( 776): REGION-PRIO, gateway 1(pa2-vpn-gateway), 0, region = Any, priority = 1, portalRegion=10.0.0.0-10.255.255.255
(T6136) 08/02/17 10:44:28:162 Debug( 363): REGION-PRIO, after search for exact region match, i=1, m_nRegions=1
(T6136) 08/02/17 10:44:28:162 Debug( 367): REGION-PRIO, no exact match, search for ANY
(T6136) 08/02/17 10:44:28:162 Debug( 370): REGION-PRIO, found ANY, priority=1
(T6136) 08/02/17 10:44:28:162 Debug( 406): REGION-PRIO, regioncode=10.0.0.0-10.255.255.255, return priority 1, bManual=1
(T6136) 08/02/17 10:44:28:162 Debug( 818): No DHCP option list defined
(T6136) 08/02/17 10:44:28:162 Debug( 900): Optional client-cert does not exist
(T6136) 08/02/17 10:44:28:162 Debug( 936): Optional root-ca does not exist
(T6136) 08/02/17 10:44:28:162 Debug( 73): CTranslate: dwSidLen is 24
(T6136) 08/02/17 10:44:28:162 Debug( 213): pan_write_text_to_file(): don't check pre-existance.
(T6136) 08/02/17 10:44:28:165 Debug( 218): pan_write_text_to_file(): wrote 7888 of 7888 bytes to file C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_cdfe1622cca3ee8d2a6773ab562f42b.dat.
(T6136) 08/02/17 10:44:28:165 Debug( 64): Saved portal config to file C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_cdfe1622cca3ee8d2a6773ab562f42b.dat.
(T6136) 08/02/17 10:44:28:165 Debug(1450): Proxy auto detect is needed
(T6136) 08/02/17 10:44:28:165 Debug(6632): RefreshPortalConfig is yes, RefreshPortalConfigInterval is 24
(T6136) 08/02/17 10:44:28:165 Debug(8551): OID, new box
(T6136) 08/02/17 10:44:28:165 Debug(8559): OID, m_OID is
(T6136) 08/02/17 10:44:28:165 Debug(8561): OID, get from dynamic config is
(T6136) 08/02/17 10:44:28:165 Debug(8567): kerberos, dynamic config value is yes
(T6136) 08/02/17 10:44:28:167 Info ( 232): Failed to find attribute 'mdm-address'
(T6136) 08/02/17 10:44:28:167 Debug(6742): Failed to get mdm-address from config, try local
(T6136) 08/02/17 10:44:28:167 Debug(7801): Set mdm address as empty
(T6136) 08/02/17 10:44:28:167 Debug(6661): MDM is disabled
(T6136) 08/02/17 10:44:28:167 Info ( 232): Failed to find attribute 'scep-profile-name'
(T6136) 08/02/17 10:44:28:167 Debug(6669): Scep certificate renew period is 7 days. Scep cert auth cookie length is 57
(T6136) 08/02/17 10:44:28:167 Debug(6680): Otp portal 0, otp internal gateway 0, otp auto external gateway 0, otp manual only external gateway 0
(T6136) 08/02/17 10:44:28:167 Debug(6685): Prefer ipv6 is 1 after processing portal configuration.
(T6136) 08/02/17 10:44:28:167 Debug(8102): No scep profile
(T6136) 08/02/17 10:44:28:167 Debug(5730): this version of portal config is supported.
(T6136) 08/02/17 10:44:28:167 Debug(5702): portal status is Using cached portal config.
(T6136) 08/02/17 10:44:28:167 Debug(5703): returns 1.
(T4124) 08/02/17 10:44:28:169 Debug( 169): User profile loaded.
(T4124) 08/02/17 10:44:28:169 Debug( 185): Impersonated logged on user.
(T4124) 08/02/17 10:44:28:169 Debug( 187): Profile type is 0
(T6136) 08/02/17 10:44:28:170 Debug(5124): Reload Agent Reg Config.
(T6136) 08/02/17 10:44:28:170 Debug(1761): AlwaysOn,remove rules
(T6136) 08/02/17 10:44:28:170 Debug( 225): AlwaysOn,Opening Filtering Engine
(T4124) 08/02/17 10:44:28:171 Debug( 239): User profile unloaded
(T4124) 08/02/17 10:44:28:171 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Windows\system32\config\systemprofile\AppData\Local\Palo Alto Networks\GlobalProtect\PanGpMPR.dat
(T4124) 08/02/17 10:44:28:171 Debug( 438): HipMissingPatchThread: now is 1501634668, last hip check is 1501634659, hip check interval is 3600000
(T4124) 08/02/17 10:44:28:171 Debug( 443): HipMissingPatchThread: wait 3591000 ms
(T6136) 08/02/17 10:44:28:363 Debug(1682): AlwaysOn,Always On, 2482 entries found in filter objects
(T6136) 08/02/17 10:44:28:363 Debug(1708): AlwaysOn,796
(T6136) 08/02/17 10:44:28:363 Debug(5156): Reset temprorarily saved gateway user.
(T6136) 08/02/17 10:44:28:363 Debug(6401): entering ExportTrustedCA.
(T6136) 08/02/17 10:44:28:363 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T6136) 08/02/17 10:44:28:363 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T6136) 08/02/17 10:44:28:363 Info (6420): Optional tag root-ca does not exist.
(T6136) 08/02/17 10:44:28:363 Debug(5174): ExportedMTU trusted CA.
(T6136) 08/02/17 10:44:28:363 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\cc.cer
(T6136) 08/02/17 10:44:28:363 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\cc.cer does not exist.
(T6136) 08/02/17 10:44:28:363 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx
(T6136) 08/02/17 10:44:28:363 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx does not exist.
(T6136) 08/02/17 10:44:28:363 Debug(6505): returns true.
(T6136) 08/02/17 10:44:28:363 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx
(T6136) 08/02/17 10:44:28:364 Debug( 73): CTranslate: dwSidLen is 24
(T6136) 08/02/17 10:44:28:364 Info ( 199): EVP_DecryptFinal_ex failed
(T6136) 08/02/17 10:44:28:364 Info ( 634): pan_get_password failed.
(T6136) 08/02/17 10:44:28:364 Error(2214): failed to retrieve client certificate passphrase. return false.
(T6136) 08/02/17 10:44:28:364 Error(5176): Failed to export client cert.
(T6136) 08/02/17 10:44:28:364 Debug(5178): NetworkDiscoverThread: Exported client cert.
(T6136) 08/02/17 10:44:28:364 Debug(5182): ServerThread: ProcessServerPortal -- GetHipPolicyCopy();
(T6136) 08/02/17 10:44:28:364 Debug(5848): enters GetPolicyForClient().
(T6136) 08/02/17 10:44:28:364 Info ( 232): Failed to find attribute 'pre-logon-then-on-demand'
(T6136) 08/02/17 10:44:28:364 Debug(6742): Failed to get pre-logon-then-on-demand from config, try local
(T6136) 08/02/17 10:44:28:364 Info (5922): Connect method is user-logon
(T6136) 08/02/17 10:44:28:364 Info (5933): On-demand mode is false.
(T6136) 08/02/17 10:44:28:364 Debug(6858): Old Portal is gp.somecompany.com, PrelogonEnabled is 0
(T6136) 08/02/17 10:44:28:364 Debug( 73): CTranslate: dwSidLen is 24
(T6136) 08/02/17 10:44:28:364 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\HipPolicy.dat
(T6136) 08/02/17 10:44:28:364 Debug( 213): pan_write_text_to_file(): don't check pre-existance.
(T6136) 08/02/17 10:44:28:366 Debug( 218): pan_write_text_to_file(): wrote 528 of 528 bytes to file C:\Program Files\Palo Alto Networks\GlobalProtect\HipPolicy.dat.
(T6136) 08/02/17 10:44:28:366 Debug( 469): Saved hip policy to file HipPolicy.dat.
(T6136) 08/02/17 10:44:28:366 Debug(5964): RetrieveHipCheckInterval
(T6136) 08/02/17 10:44:28:366 Info (5966): Hip check interval is 3600000 ms.
(T6136) 08/02/17 10:44:28:366 Debug(5970): Set check hip event
(T6136) 08/02/17 10:44:28:366 Debug( 784): m_bScheduleFlag is set to 0
(T6136) 08/02/17 10:44:28:366 Debug( 292): Set hip check event.
(T6136) 08/02/17 10:44:28:366 Debug(5972): Set hip missing patch check event.
(T6136) 08/02/17 10:44:28:366 Info ( 232): Failed to find attribute 'userauthcookie'
(T6136) 08/02/17 10:44:28:366 Debug(6742): Failed to get userauthcookie from config, try local
(T6136) 08/02/17 10:44:28:366 Info (6005): No tag userauthcookie exists in portal config.
(T6136) 08/02/17 10:44:28:366 Debug(1356): Serialize non-empty cookie for portal gp.somecompany.com and user alex.samad
(T6136) 08/02/17 10:44:28:366 Debug(5486): Portal user auth cookie file name is C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_cdfe1622cca3ee8d2a6773ab562f42b.dat
(T4124) 08/02/17 10:44:28:366 Debug( 448): HipMissingPatchThread: Got CheckHipMissingPatchEvent.
(T4124) 08/02/17 10:44:28:366 Debug( 377): CheckHipMissingPatchInOtherProcess()
(T4124) 08/02/17 10:44:28:366 Debug( 380): Need to check missing patch.
(T1264) 08/02/17 10:44:28:366 Info ( 230): HipCheckThread: got check hip event or time out.
(T1264) 08/02/17 10:44:28:366 Debug( 239): HipCheckThread: Got CheckHipEvent.
(T1264) 08/02/17 10:44:28:366 Debug( 762): SetNextScheduledHipCheckTime to 1501638268
(T1264) 08/02/17 10:44:28:366 Debug( 260): Last hip check event wakeup tick is 1501634668
(T1264) 08/02/17 10:44:28:366 Debug( 262): HipCheckThread: check hip in other process.
(T1264) 08/02/17 10:44:28:366 Debug( 301): CheckHipInOtherProcess()
(T1264) 08/02/17 10:44:28:366 Debug( 305): Need to collect hip data
(T4124) 08/02/17 10:44:28:366 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe
(T4124) 08/02/17 10:44:28:366 Debug( 301): CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe
(T1264) 08/02/17 10:44:28:366 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe
(T1264) 08/02/17 10:44:28:366 Debug( 125): Starting process PanGpHip.exe
(T6136) 08/02/17 10:44:28:366 Debug( 73): CTranslate: dwSidLen is 24
(T6136) 08/02/17 10:44:28:366 Debug(1398): Portal user auth cookie has been encrypted.
(T6136) 08/02/17 10:44:28:367 Debug(1403): Serialized portal user auth cookie to file C:\Users\alex.samad\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_cdfe1622cca3ee8d2a6773ab562f42b.dat. 384 bytes.
(T6136) 08/02/17 10:44:28:367 Debug(1239): Serialize non-empty cookie for portal gp.somecompany.com and pre-logon user
(T6136) 08/02/17 10:44:28:367 Debug(5459): Portal prelogon auth cookie file name is PanPPAC_31c07d44f2aa0c426d615b45a17435.dat
(T6136) 08/02/17 10:44:28:367 Debug( 73): CTranslate: dwSidLen is 24
(T6136) 08/02/17 10:44:28:367 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanPPAC_31c07d44f2aa0c426d615b45a17435.dat
(T6136) 08/02/17 10:44:28:367 Debug( 213): pan_write_text_to_file(): don't check pre-existance.
(T1264) 08/02/17 10:44:28:369 Debug( 142): Wait for the ready event of hip report generated in other process.
(T6136) 08/02/17 10:44:28:369 Debug( 218): pan_write_text_to_file(): wrote 368 of 368 bytes to file C:\Program Files\Palo Alto Networks\GlobalProtect\PanPPAC_31c07d44f2aa0c426d615b45a17435.dat.
(T6136) 08/02/17 10:44:28:369 Debug(1246): SerializePortalPrelogonAuthCookie
(T6136) 08/02/17 10:44:28:369 Debug(6031): Retrieved pre-logon-tunnel-rename-timeout value -1
(T6136) 08/02/17 10:44:28:369 Debug(6039): Retrieved user-switch-tunnel-rename-timeout value 0
(T6136) 08/02/17 10:44:28:369 Debug(6055): The value of can-continue-if-portal-cert-invalid is yes
(T6136) 08/02/17 10:44:28:369 Debug(6067): returns true.
(T6136) 08/02/17 10:44:28:369 Debug(5200): prelogon status is 0
(T6136) 08/02/17 10:44:28:369 Debug(5205): Gateway MD5 is 67B3D2C2-588F0E7B-4EA0E304-5AEE632B
(T6136) 08/02/17 10:44:28:369 Debug(5207): m_bPreviousSwitchOffMsg is 0
(T6136) 08/02/17 10:44:28:369 Debug(5318): Previous message is not switch-off
(T6136) 08/02/17 10:44:28:369 Debug(5323): Gateway MD5 is 67B3D2C2-588F0E7B-4EA0E304-5AEE632B
(T6136) 08/02/17 10:44:28:369 Debug(5324): ServerThread: ProcessServerPortal -- SetEvent(m_hNetworkDiscoverEvent);
(T6136) 08/02/17 10:44:28:369 Debug(5356): ServerThread: ProcessServerPortal -- return SendResponseToClient(socket, PAN_SERVER_HIP);
(T17360) 08/02/17 10:44:28:369 Debug( 448): Set hip report quit event
(T17360) 08/02/17 10:44:28:369 Debug(3551): NetworkDiscoverThread: got network discover event.
(T17360) 08/02/17 10:44:28:369 Debug( 762): SetNextScheduledHipCheckTime to 0
(T17360) 08/02/17 10:44:28:369 Debug( 784): m_bScheduleFlag is set to 0
(T17360) 08/02/17 10:44:28:369 Debug( 408): Found ipv4 default route
(T17360) 08/02/17 10:44:28:369 Debug(1756): IsDefaultRouteAvailable is 1
(T17360) 08/02/17 10:44:28:369 Debug(1764): Network is available
(T17360) 08/02/17 10:44:28:369 Debug(3562): finish check host reachable
(T17360) 08/02/17 10:44:28:369 Debug(3279): TriggerCaptivePortalDetection() return due to captive portal detection is in progress (1) or PreLogin is Done (0)
(T6136) 08/02/17 10:44:28:369 Debug(1024): Send response to client for request hip
(T17360) 08/02/17 10:44:28:370 Debug(3587): NetworkDiscover SN is 11643
(T6136) 08/02/17 10:44:28:370 Debug(7863): Set m_bPreviousSwitchOffMsg to 0
(T17360) 08/02/17 10:44:28:370 Debug(4629): Set state to Discovering network...
(T17360) 08/02/17 10:44:28:370 Debug(1549): unknown network type.
(T17360) 08/02/17 10:44:28:370 Debug(3595): Logout gateways before network discover...
(T17360) 08/02/17 10:44:28:370 Debug(1083): Logging out gateway, reason is Network discover
(T17360) 08/02/17 10:44:28:370 Debug(1113): Logging out gateway over
(T17360) 08/02/17 10:44:28:370 Debug(9260): RetrieveClientIpByRemoteHost 10.172.202.1
(T17360) 08/02/17 10:44:28:370 Info (9278): RemoteHost: 10.172.202.1, client IP: 10.172.208.119
(T17360) 08/02/17 10:44:28:370 Error(9193): GetClientIpForGateway(): invalid remote host: .
(T17360) 08/02/17 10:44:28:370 Error( 178): CPanGatewayList::SelectInternalGateways() - failed to retrieve client source ipv6!
(T17360) 08/02/17 10:44:28:370 Debug( 333): Couldn't find match of client ip in the source ip list!
(T17360) 08/02/17 10:44:28:370 Debug(4256): Skip setting gateway pa3-vpn-gateway.somecompany.com's ipv6 remote host ip address
(T17360) 08/02/17 10:44:28:370 Debug(1470): Auto detect proxy for host pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:370 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:28:370 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:28:370 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:28:370 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:28:373 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa3-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:28:373 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:28:374 Debug(4322): Gateway pa3-vpn-gateway.somecompany.com's ipv4 address 10.172.202.1
(T17360) 08/02/17 10:44:28:374 Debug(4405): Change m_bUseIpv6 to false
(T17360) 08/02/17 10:44:28:374 Debug(4416): Gateway pa3-vpn-gateway.somecompany.com is FQDN
(T17360) 08/02/17 10:44:28:374 Debug(4256): Skip setting gateway pa1-vpn-gateway.somecompany.com's ipv6 remote host ip address
(T17360) 08/02/17 10:44:28:374 Debug(1470): Auto detect proxy for host pa1-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:374 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:28:374 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:28:374 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:28:374 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:28:378 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa1-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:28:378 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:28:379 Debug(4322): Gateway pa1-vpn-gateway.somecompany.com's ipv4 address 103.232.31.200
(T17360) 08/02/17 10:44:28:379 Debug(4405): Change m_bUseIpv6 to false
(T17360) 08/02/17 10:44:28:379 Debug(4416): Gateway pa1-vpn-gateway.somecompany.com is FQDN
(T17360) 08/02/17 10:44:28:379 Debug(4256): Skip setting gateway pa2-vpn-gateway.somecompany.com's ipv6 remote host ip address
(T17360) 08/02/17 10:44:28:379 Debug(1470): Auto detect proxy for host pa2-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:379 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:28:379 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:28:379 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:28:379 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:28:379 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa2-vpn-gateway.somecompany.com/ returned proxystr:


(T17360) 08/02/17 10:44:28:379 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:28:380 Debug(4322): Gateway pa2-vpn-gateway.somecompany.com's ipv4 address 103.232.31.201
(T17360) 08/02/17 10:44:28:380 Debug(4405): Change m_bUseIpv6 to false
(T17360) 08/02/17 10:44:28:380 Debug(4416): Gateway pa2-vpn-gateway.somecompany.com is FQDN
(T17360) 08/02/17 10:44:28:380 Debug(3603): NetworkDiscoverThread: got network discover event.
(T17360) 08/02/17 10:44:28:380 Debug(3614): Set network discover in progress
(T17360) 08/02/17 10:44:28:380 Debug(9364): GetNetworkTypeDS
(T17360) 08/02/17 10:44:28:380 Debug(9367): No ipv6 internal host detection.
(T17360) 08/02/17 10:44:28:380 Debug(1652): IP 10.172.202.1
(T17360) 08/02/17 10:44:28:380 Debug(1671): host ybopa-guest.somecompany.com
(T17360) 08/02/17 10:44:28:380 Debug(1688): DnsQuery returns 0
(T17360) 08/02/17 10:44:28:380 Debug(1723): The host name is ybopa-guest.somecompany.com
(T17360) 08/02/17 10:44:28:380 Debug(4629): Set state to Discovery complete
(T17360) 08/02/17 10:44:28:380 Debug(7644): SetVpnStatus called with new status=1, Previous Status=0
(T17360) 08/02/17 10:44:28:380 Debug(3670): NetworkDiscoverThread: network type is internal.
(T17360) 08/02/17 10:44:28:380 Debug(3676): NetworkDiscoverThread: Discover internal network.
(T17360) 08/02/17 10:44:28:380 Debug( 351): gateway count is 1.
(T17360) 08/02/17 10:44:28:380 Debug( 354): Connect timeout for internal network discovery is 5 seconds.
(T17360) 08/02/17 10:44:28:380 Info ( 370): DiscoverInternal: max-internal-gateway-connection-attempts = 0, 1 gateway(s) to try to connect.
(T17360) 08/02/17 10:44:28:380 Debug(7823): bNetworkDisoverEventSet is 0, m_bRedoNetworkDiscovery is 0
(T17360) 08/02/17 10:44:28:380 Info ( 393): DiscoverInternal: try to connect to gateway=pa3-vpn-gateway.somecompany.com.
(T17360) 08/02/17 10:44:28:380 Debug(2574): entering for gateway pa3-vpn-gateway.somecompany.com.
(T17360) 08/02/17 10:44:28:380 Debug(1990): open http session.
(T17360) 08/02/17 10:44:28:381 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:28:381 Debug(1470): Auto detect proxy for host pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:381 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:28:381 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:28:381 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:28:381 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:28:381 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa3-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:28:381 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:28:381 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T17360) 08/02/17 10:44:28:381 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T17360) 08/02/17 10:44:28:381 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx
(T17360) 08/02/17 10:44:28:381 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx does not exist.
(T17360) 08/02/17 10:44:28:381 Debug(5089): connect ssl.
(T17360) 08/02/17 10:44:28:382 Debug( 408): Found ipv4 default route
(T17360) 08/02/17 10:44:28:382 Debug( 48): WSAGetLastError() returns 10035
(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.
(T17360) 08/02/17 10:44:28:403 Debug(1197): SSL3 alert write:warning:close notify
(T17360) 08/02/17 10:44:28:403 Debug(2239): GetClientIpForGateway: bUseIpv6 is 0
(T17360) 08/02/17 10:44:28:403 Debug(2280): GetClientIpForGateway pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Info (2331): Gateway: pa3-vpn-gateway.somecompany.com, client IP: 10.172.208.119
(T17360) 08/02/17 10:44:28:403 Debug(2754): Pre-login gateway...
(T17360) 08/02/17 10:44:28:403 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T17360) 08/02/17 10:44:28:403 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T17360) 08/02/17 10:44:28:403 Debug(7582): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T17360) 08/02/17 10:44:28:404 Debug( 408): Found ipv4 default route
(T17360) 08/02/17 10:44:28:404 Debug( 48): WSAGetLastError() returns 10035
(T17360) 08/02/17 10:44:28:413 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:413 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:413 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:413 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:413 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:413 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:413 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:413 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:413 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:413 Debug(1197): SSL3 alert write:warning:close notify
(T17360) 08/02/17 10:44:28:413 Debug(7631): CheckServerCert() returns 4098
(T17360) 08/02/17 10:44:28:413 Debug(7704): Need to check gateway cert for pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:414 Debug( 865): PrepareRequest...
(T17360) 08/02/17 10:44:28:414 Debug( 873): WinHttpOpenRequest...
(T17360) 08/02/17 10:44:28:414 Debug( 441): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T17360) 08/02/17 10:44:28:418 Debug( 892): error code=12186(00002f9a)
(T17360) 08/02/17 10:44:28:418 Error(1000): PostRequest failed with error code 12186.
(T17360) 08/02/17 10:44:28:418 Debug(2837): Login to gateway (null) pa3-vpn-gateway.somecompany.com without ipv6
(T17360) 08/02/17 10:44:28:418 Debug(3031): Failed to pre-login to the gateway pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:418 Error(2640): Failed to retrieve info from gateway pa3-vpn-gateway.somecompany.com.
(T17360) 08/02/17 10:44:28:418 Debug(2015): close WinHttp close handle.
(T17360) 08/02/17 10:44:28:418 Debug(2650): returns FALSE.
(T17360) 08/02/17 10:44:28:418 Debug(4629): Set state to Discovery complete
(T17360) 08/02/17 10:44:28:418 Debug( 439): DiscoverInternal: retry count remain=-1, 1 gateway(s) to be retried for next round.
(T17360) 08/02/17 10:44:28:418 Error(3699): NetworkDiscoverThread: failed to discover internal network.
(T17360) 08/02/17 10:44:28:418 Debug(3702): case 3. user-logon mode, internal gateways are configured, internal host detection is configured, device is at internal network but cannot connect to any of the internal gateways
(T17360) 08/02/17 10:44:28:418 Debug(4629): Set state to Discovery complete
(T17360) 08/02/17 10:44:28:419 Debug(3726): Internal network discovery failed. Tunnel is in disconnected status.
(T17360) 08/02/17 10:44:28:419 Debug(3813): NetworkDiscoverThread: m_nPortalStatus is 2, m_bHasLoggedOnGateway is 0
(T17360) 08/02/17 10:44:28:419 Debug(3815): NetworkDiscoverThread: ((PORTAL_CACHED_CONFIG == m_nPortalStatus) && !m_bHasLoggedOnGateway)
(T16652) 08/02/17 10:44:30:148 Error( 457): getaddrinfo failed with error 11002, This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
(T16652) 08/02/17 10:44:30:148 Error( 43): Connect to captive portal clients3.google.com:80 Failed
(T16652) 08/02/17 10:44:30:148 Debug(3301): DetectCaptivePortal: captive portal is not detected for CP server index = 0. iStatus = 0
(T16652) 08/02/17 10:44:30:152 Error( 457): getaddrinfo failed with error 11002, This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
(T16652) 08/02/17 10:44:30:152 Error( 43): Connect to captive portal captive.apple.com:80 Failed
(T16652) 08/02/17 10:44:30:152 Debug(3301): DetectCaptivePortal: captive portal is not detected for CP server index = 1. iStatus = 0
(T16652) 08/02/17 10:44:30:152 Debug(3452): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T16652) 08/02/17 10:44:30:152 Debug(3359): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T17360) 08/02/17 10:44:33:420 Debug(3869): NetworkDiscoverThread: Network discover is not successful. Retry.
(T17360) 08/02/17 10:44:33:420 Debug(3881): Retry network discovery for non-OnDemand mode.
(T17360) 08/02/17 10:44:33:420 Debug(3536): NetworkDiscoverThread: wait for network discover event.
(T17360) 08/02/17 10:44:33:420 Debug( 448): Set hip report quit event
(T17360) 08/02/17 10:44:33:420 Debug(3551): NetworkDiscoverThread: got network discover event.
(T17360) 08/02/17 10:44:33:420 Debug( 762): SetNextScheduledHipCheckTime to 0
(T17360) 08/02/17 10:44:33:420 Debug( 784): m_bScheduleFlag is set to 0
(T17360) 08/02/17 10:44:33:420 Debug( 408): Found ipv4 default route
(T17360) 08/02/17 10:44:33:420 Debug(1756): IsDefaultRouteAvailable is 1
(T17360) 08/02/17 10:44:33:420 Debug(1764): Network is available
(T17360) 08/02/17 10:44:33:420 Debug(3562): finish check host reachable
(T17360) 08/02/17 10:44:33:420 Debug(3284): TriggerCaptivePortalDetection() end
(T17360) 08/02/17 10:44:33:420 Debug(3587): NetworkDiscover SN is 11645
(T17360) 08/02/17 10:44:33:420 Debug(4629): Set state to Discovering network...
(T16652) 08/02/17 10:44:33:420 Debug(3381): CaptivePortalDetectionThread: delay 2 seconds before captive portal detection. m_bIsDetectingCaptivePortal=1, m_bPreLoginIsDone = 0
(T16652) 08/02/17 10:44:33:420 Debug(3359): CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(T17360) 08/02/17 10:44:33:420 Debug(3595): Logout gateways before network discover...
(T17360) 08/02/17 10:44:33:420 Debug(1083): Logging out gateway, reason is Network discover
(T17360) 08/02/17 10:44:33:420 Debug(1113): Logging out gateway over
(T17360) 08/02/17 10:44:33:420 Debug(9260): RetrieveClientIpByRemoteHost 10.172.202.1
(T17360) 08/02/17 10:44:33:420 Info (9278): RemoteHost: 10.172.202.1, client IP: 10.172.208.119
(T17360) 08/02/17 10:44:33:420 Error(9193): GetClientIpForGateway(): invalid remote host: .
(T17360) 08/02/17 10:44:33:420 Error( 178): CPanGatewayList::SelectInternalGateways() - failed to retrieve client source ipv6!
(T17360) 08/02/17 10:44:33:420 Debug( 333): Couldn't find match of client ip in the source ip list!
(T17360) 08/02/17 10:44:33:420 Debug(4256): Skip setting gateway pa3-vpn-gateway.somecompany.com's ipv6 remote host ip address
(T17360) 08/02/17 10:44:33:420 Debug(1470): Auto detect proxy for host pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:420 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:33:420 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:33:420 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:33:420 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:33:421 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa3-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:33:421 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:33:421 Debug(4322): Gateway pa3-vpn-gateway.somecompany.com's ipv4 address 10.172.202.1
(T17360) 08/02/17 10:44:33:421 Debug(4405): Change m_bUseIpv6 to false
(T17360) 08/02/17 10:44:33:421 Debug(4416): Gateway pa3-vpn-gateway.somecompany.com is FQDN
(T17360) 08/02/17 10:44:33:421 Debug(4256): Skip setting gateway pa1-vpn-gateway.somecompany.com's ipv6 remote host ip address
(T17360) 08/02/17 10:44:33:421 Debug(1470): Auto detect proxy for host pa1-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:422 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:33:422 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:33:422 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:33:422 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:33:422 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa1-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:33:422 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:33:422 Debug(4322): Gateway pa1-vpn-gateway.somecompany.com's ipv4 address 103.232.31.200
(T17360) 08/02/17 10:44:33:422 Debug(4405): Change m_bUseIpv6 to false
(T17360) 08/02/17 10:44:33:422 Debug(4416): Gateway pa1-vpn-gateway.somecompany.com is FQDN
(T17360) 08/02/17 10:44:33:422 Debug(4256): Skip setting gateway pa2-vpn-gateway.somecompany.com's ipv6 remote host ip address
(T17360) 08/02/17 10:44:33:422 Debug(1470): Auto detect proxy for host pa2-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:422 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:33:422 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:33:422 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:33:422 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:33:423 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa2-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:33:423 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:33:423 Debug(4322): Gateway pa2-vpn-gateway.somecompany.com's ipv4 address 103.232.31.201
(T17360) 08/02/17 10:44:33:423 Debug(4405): Change m_bUseIpv6 to false
(T17360) 08/02/17 10:44:33:423 Debug(4416): Gateway pa2-vpn-gateway.somecompany.com is FQDN
(T17360) 08/02/17 10:44:33:423 Debug(3603): NetworkDiscoverThread: got network discover event.
(T17360) 08/02/17 10:44:33:423 Debug(3614): Set network discover in progress
(T17360) 08/02/17 10:44:33:423 Debug(9364): GetNetworkTypeDS
(T17360) 08/02/17 10:44:33:423 Debug(9367): No ipv6 internal host detection.
(T17360) 08/02/17 10:44:33:423 Debug(1652): IP 10.172.202.1
(T17360) 08/02/17 10:44:33:423 Debug(1671): host ybopa-guest.somecompany.com
(T17360) 08/02/17 10:44:33:423 Debug(1688): DnsQuery returns 0
(T17360) 08/02/17 10:44:33:423 Debug(1723): The host name is ybopa-guest.somecompany.com
(T17360) 08/02/17 10:44:33:423 Debug(4629): Set state to Discovery complete
(T17360) 08/02/17 10:44:33:424 Debug(7644): SetVpnStatus called with new status=1, Previous Status=1
(T17360) 08/02/17 10:44:33:424 Debug(3670): NetworkDiscoverThread: network type is internal.
(T17360) 08/02/17 10:44:33:424 Debug(3676): NetworkDiscoverThread: Discover internal network.
(T17360) 08/02/17 10:44:33:424 Debug( 351): gateway count is 1.
(T17360) 08/02/17 10:44:33:424 Debug( 354): Connect timeout for internal network discovery is 5 seconds.
(T17360) 08/02/17 10:44:33:424 Info ( 370): DiscoverInternal: max-internal-gateway-connection-attempts = 0, 1 gateway(s) to try to connect.
(T17360) 08/02/17 10:44:33:424 Debug(7823): bNetworkDisoverEventSet is 0, m_bRedoNetworkDiscovery is 0
(T17360) 08/02/17 10:44:33:424 Info ( 393): DiscoverInternal: try to connect to gateway=pa3-vpn-gateway.somecompany.com.
(T17360) 08/02/17 10:44:33:424 Debug(2574): entering for gateway pa3-vpn-gateway.somecompany.com.
(T17360) 08/02/17 10:44:33:424 Debug(1990): open http session.
(T17360) 08/02/17 10:44:33:424 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:33:424 Debug(1470): Auto detect proxy for host pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:424 Debug( 372): set WINHTTP_OPTION_SECURE_PROTOCOLS
(T17360) 08/02/17 10:44:33:424 Debug( 101): Proxy auto detect timeout 60 seconds
(T17360) 08/02/17 10:44:33:424 Debug( 105): dwAveTimeout 19666 ms
(T17360) 08/02/17 10:44:33:424 Debug( 133): Auto detect proxy
(T17360) 08/02/17 10:44:33:424 Debug(1487): CPanMSServiceWin::SetProxyForHost: fAutoDetect: 1 url: proxy: bypass:
url:https://pa3-vpn-gateway.somecompany.com/ returned proxystr:
(T17360) 08/02/17 10:44:33:425 Debug(1512): m_proxyInfo.dwAccessType is 1, m_proxyInfo.lpszProxy is (null)
(T17360) 08/02/17 10:44:33:425 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T17360) 08/02/17 10:44:33:425 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T17360) 08/02/17 10:44:33:425 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx
(T17360) 08/02/17 10:44:33:425 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\cc.pfx does not exist.
(T17360) 08/02/17 10:44:33:425 Debug(5089): connect ssl.
(T17360) 08/02/17 10:44:33:425 Debug( 408): Found ipv4 default route
(T17360) 08/02/17 10:44:33:425 Debug( 48): WSAGetLastError() returns 10035
(T17360) 08/02/17 10:44:33:435 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:33:435 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:33:435 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:33:435 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:33:435 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:435 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:435 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:435 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:435 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:435 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:33:435 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:33:435 Debug(5162): disconnect ssl.
(T17360) 08/02/17 10:44:33:435 Debug(1197): SSL3 alert write:warning:close notify
(T17360) 08/02/17 10:44:33:435 Debug(2239): GetClientIpForGateway: bUseIpv6 is 0
(T17360) 08/02/17 10:44:33:435 Debug(2280): GetClientIpForGateway pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:435 Info (2331): Gateway: pa3-vpn-gateway.somecompany.com, client IP: 10.172.208.119
(T17360) 08/02/17 10:44:33:435 Debug(2754): Pre-login gateway...
(T17360) 08/02/17 10:44:33:435 Debug( 78): pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T17360) 08/02/17 10:44:33:436 Info (1331): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T17360) 08/02/17 10:44:33:436 Debug(7582): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T17360) 08/02/17 10:44:33:436 Debug( 408): Found ipv4 default route
(T17360) 08/02/17 10:44:33:436 Debug( 48): WSAGetLastError() returns 10035
(T17360) 08/02/17 10:44:33:456 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:33:456 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:33:456 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:33:456 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:456 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:456 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:456 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:456 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:456 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:33:456 Debug(1197): SSL3 alert write:warning:close notify
(T17360) 08/02/17 10:44:33:456 Debug(7631): CheckServerCert() returns 4098
(T17360) 08/02/17 10:44:33:456 Debug(7704): Need to check gateway cert for pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:456 Debug( 865): PrepareRequest...
(T17360) 08/02/17 10:44:33:456 Debug( 873): WinHttpOpenRequest...
(T17360) 08/02/17 10:44:33:456 Debug( 441): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T17360) 08/02/17 10:44:33:460 Debug( 892): error code=12186(00002f9a)
(T17360) 08/02/17 10:44:33:460 Error(1000): PostRequest failed with error code 12186.
(T17360) 08/02/17 10:44:33:460 Debug(2837): Login to gateway (null) pa3-vpn-gateway.somecompany.com without ipv6
(T17360) 08/02/17 10:44:33:460 Debug(3031): Failed to pre-login to the gateway pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:33:460 Error(2640): Failed to retrieve info from gateway pa3-vpn-gateway.somecompany.com.
(T17360) 08/02/17 10:44:33:460 Debug(2015): close WinHttp close handle.
(T17360) 08/02/17 10:44:33:460 Debug(2650): returns FALSE.
(T17360) 08/02/17 10:44:33:460 Debug(4629): Set state to Discovery complete
(T17360) 08/02/17 10:44:33:460 Debug( 439): DiscoverInternal: retry count remain=-1, 1 gateway(s) to be retried for next round.
(T17360) 08/02/17 10:44:33:460 Error(3699): NetworkDiscoverThread: failed to discover internal network.
(T17360) 08/02/17 10:44:33:460 Debug(3702): case 3. user-logon mode, internal gateways are configured, internal host detection is configured, device is at internal network but cannot connect to any of the internal gateways
(T17360) 08/02/17 10:44:33:460 Debug(4629): Set state to Discovery complete
(T17360) 08/02/17 10:44:33:461 Debug(3726): Internal network discovery failed. Tunnel is in disconnected status.
(T17360) 08/02/17 10:44:33:461 Debug(3813): NetworkDiscoverThread: m_nPortalStatus is 2, m_bHasLoggedOnGateway is 0
(T17360) 08/02/17 10:44:33:461 Debug(3815): NetworkDiscoverThread: ((PORTAL_CACHED_CONFIG == m_nPortalStatus) && !m_bHasLoggedOnGateway)
(T16652) 08/02/17 10:44:35:424 Error( 457): getaddrinfo failed with error 11002, This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
(T16652) 08/02/17 10:44:35:424 Error( 43): Connect to captive portal clients3.google.com:80 Failed
(T16652) 08/02/17 10:44:35:424 Debug(3301): DetectCaptivePortal: captive portal is not detected for CP server index = 0. iStatus = 0
(T16652) 08/02/17 10:44:35:427 Error( 457): getaddrinfo failed with error 11002, This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
(T16652) 08/02/17 10:44:35:427 Error( 43): Connect to captive portal captive.apple.com:80 Failed
(T16652) 08/02/17 10:44:35:427 Debug(3301): DetectCaptivePortal: captive portal is not detected for CP server index = 1. iStatus = 0
(T16652) 08/02/17 10:44:35:427 Debug(3452): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T16652) 08/02/17 10:44:35:427 Debug(3359): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T4124) 08/02/17 10:44:37:667 Debug( 324): PanGpHipMp.exe exit for checking misssing patches.
(T4124) 08/02/17 10:44:37:668 Debug( 387): CheckHipMissingPatchInOtherProcess(): exits.
(T4124) 08/02/17 10:44:37:668 Debug( 474): Hip missing patch checking duration is 9

Also when I have doen pcaps the client closes the connectect...

@ansharma wrote:
Open the certificate presented by the portal. Go to the details tab and then check the Signature Algorithm. This is where RSA SSA-PSA would be, if the certificate is using it. I doubt it though, in your case, as 2 machines are able to connect. We'd need to check the GP agent logs to figure out what's going on.



Could you please explain how to check certificates. What do you mean certificate presented by the portal?
I can't find in logs what certificate GlobalProtect try to use. 
In mmc/certificates I can see many root certificates etc, ... not expired with different algorithms.

It works even from my hosted virtual machine under win8, but it does not work on my root machine Win10 ... and I can't find any difference. 

 

Please your help could safe me from reinstalling my OS... ( my admin proposed it)

Thanks

@Alex_Samad

Are you sure your self signed root cert is installed on this client?

(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.

Did you add this root cert also to the trusted root certs in the portal configuration?

L7 Applicator

@Udineverisch

The same for you: the root cert of your portal/gateway cert is in the local trust store of your computer?

 @Remo  definitely its installed via a GPO.

 

Something interesting I have found during my testing.

 

if I clean / uninstall the GP client. and then download and re install, it does log into the gp portal and grab the config once, which is how it finds the int gateway.  but once that is done then I have all the problems.

 

I have pointed my browser at portal and the gateways to check the certs and it all looks good.

 

 

  • 40399 Views
  • 28 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!