GlobalProtect stops connecting

L4 Transporter

Also, when I have done pcaps, the client closes the connection...

L1 Bithead

@ansharma wrote:
Open the certificate presented by the portal. Go to the details tab and then check the Signature Algorithm. This is where RSASSA-PSS would be, if the certificate is using it. I doubt it though, in your case, as 2 machines are able to connect. We'd need to check the GP agent logs to figure out what's going on.

Could you please explain how to check certificates? What do you mean by "certificate presented by the portal"?
I can't find in the logs which certificate GlobalProtect tries to use.
In mmc/certificates I can see many root certificates etc., not expired, with different algorithms.

It works even from my hosted virtual machine under Win8, but it does not work on my root machine Win10 ... and I can't find any difference.

Please help; it could save me from reinstalling my OS... (my admin proposed it)

Thanks

Cyber Elite

@Alex_Samad

Are you sure your self signed root cert is installed on this client?

(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.

Did you add this root cert also to the trusted root certs in the portal configuration?
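The PanGPS excerpt quoted above carries the three facts a triage needs: the gateway certificate's subject, its issuer CN, and the agent's verdict ("Root ca does not exist", "Failed to verify gateway ... using trusted root CA of portal configuration"). The script below is an added illustration, not part of this thread and not Palo Alto tooling: it parses that excerpt (embedded here as a constructed sample built from the posted lines), pulls out the issuer CN that has to be present as a trusted root, and compares it against a constructed list of root-CA CNs that the reader would gather from the client's own certificate store (for example from mmc). The regexes are derived only from the line shapes visible in the excerpt, so other PanGPS message formats are an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample: a trimmed copy of the PanGPS excerpt posted in this thread.
SAMPLE_LOG = """\
(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.
"""

# "(Tnnn) date time Level(code): message" as seen in the excerpt (assumed general shape).
LINE_RE = re.compile(r"^\((T\d+)\)\s+(\S+\s+\S+)\s+(\w+)\s*\(\s*(\d+)\):\s*(.*)$")
DN_RE = re.compile(r"Open_SSL_connection: (subject|issuer) '([^']*)'")
NAME_OK_RE = re.compile(r"Cert (\S+) name check succeeded")
VERIFY_FAIL_RE = re.compile(r"Failed to verify gateway (\S+?)'s server certificate")


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn OpenSSL's one-line DN form '/C=AU/O=x/CN=y' into a dict of RDNs."""
    parts: Dict[str, str] = {}
    for rdn in dn.strip("/").split("/"):
        if "=" in rdn:
            key, _, value = rdn.partition("=")
            parts[key.strip()] = value.strip()
    return parts


@dataclass
class ChainFinding:
    gateway: Optional[str] = None       # host named in the verification failure
    subject_cn: Optional[str] = None    # CN of the certificate the gateway presented
    issuer_cn: Optional[str] = None     # CN of the CA that signed it
    lookup_load_failed: bool = False    # agent could not load its CA file
    root_missing: bool = False          # "Root ca does not exist."
    name_check_ok: bool = False         # hostname matched the certificate CN
    verify_failed: bool = False         # chain verification against trusted roots failed


def analyze(log_text: str) -> ChainFinding:
    """Walk the log once and collect the certificate-chain facts it reports."""
    f = ChainFinding()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(5)
        if "Failed to X509_LOOKUP_load_file" in msg:
            f.lookup_load_failed = True
            continue
        if "Root ca does not exist" in msg:
            f.root_missing = True
            continue
        dn = DN_RE.search(msg)
        if dn:
            cn = parse_dn(dn.group(2)).get("CN")
            if dn.group(1) == "subject":
                f.subject_cn = cn
            else:
                f.issuer_cn = cn
            continue
        if NAME_OK_RE.search(msg):
            f.name_check_ok = True
            continue
        vf = VERIFY_FAIL_RE.search(msg)
        if vf:
            f.verify_failed = True
            f.gateway = vf.group(1)
    return f


def diagnose(f: ChainFinding, local_root_cns: Set[str]) -> str:
    """Map the finding to a next check.

    local_root_cns is a constructed set of root-CA CNs the reader has listed
    from the client's trust store; it is not read from the system here.
    """
    if not f.verify_failed and not f.root_missing:
        return "ok"
    issuer = f.issuer_cn or "<unknown issuer>"
    if issuer not in local_root_cns:
        # The signing CA is not in the client store at all: install it there first.
        return f"missing-root:{issuer}"
    # The CA is in the client store, yet the agent still failed against the
    # "trusted root CA of portal configuration": check the portal's Trusted Root CA list.
    return f"portal-trusted-root:{issuer}"


if __name__ == "__main__":
    finding = analyze(SAMPLE_LOG)
    print(finding)
    print(diagnose(finding, {"DigiCert Global Root CA"}))
```

Run against the posted excerpt it names vdcPAGlobalProtectCA as the root to look for, which is exactly the question raised above about the client store and the portal's trusted root list; the name check succeeding while verification fails is what separates a hostname/SAN problem from a trust-chain problem.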

Cyber Elite

@Udineverisch

The same question for you: is the root cert of your portal/gateway cert in the local trust store of your computer?

L4 Transporter

@vsys_remo definitely it's installed via a GPO.

Something interesting I have found during my testing.

If I clean / uninstall the GP client and then download and reinstall it, it does log into the GP portal and grab the config once, which is how it finds the internal gateway. But once that is done, then I have all the problems.

I have pointed my browser at the portal and the gateways to check the certs and it all looks good.
Cyber Elite

Hi @Alex_Samad

Is your pa3-vpn-gateway somehow private/hidden so that only you (maybe with a local host entry) can connect?

The reason I am asking is because from my point of view, with the knowledge I have from your posts so far, there is a problem on pa3-vpn-gateway. I am able to resolve your gateway 1, 2 and the portal by DNS but not gateway 3. In addition, a TLS check shows the correct information for gateway 1, 2 and the portal, and all 3 certs show the earlier mentioned self-signed root cert. But on gateway 3, or better on the IP where I assume gateway 3 should be, the TLS check fails completely.

In an earlier post you wrote that other clients are working: what rules do you have in place to decide which gateway will be chosen by the clients? All with the same priority or based on user groups ... So the working clients, do they also try to connect to gateway 3?

L4 Transporter

pa3 is an internal gateway; DNS and connectivity are only accessible whilst you're on the internal network.

Same rules.... that's the annoying thing.

Cyber Elite

Of course ... would have been too easy, if that was the solution :P

At the times of these failing connections: is there something useful, or at least something regarding that client, in the system log of your portal and/or gateway(s)?

Cyber Elite

So a short recap: @Alex_Samad

  • GlobalProtect infrastructure with one portal, 2 external gateways and one internal --> is this a fully distributed setup? Do you use authentication cookies?
  • You have 6 absolutely identical clients but only 4 of them are able to connect --> do all of them connect to the same external gateway?
  • It was all working until day x, when 2 clients started having problems with the connection

In addition to this discussion you probably also want to open a TAC case...

L4 Transporter

Hi

I have, but it's been nearly 4 weeks without much progress; there seemed to be some life to it here so ..

A
