GP 4.1.0 released and....

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GP 4.1.0 released and....

L4 Transporter

I have not seen any chatter or mention of this but I tried the 4.1.0 GP client in a lab environment yesterday.

 

The good:

* The app is redesigned and looks really nice

* You can now select from/add/remove multiple gateways!

 

The bad:

* It would not connect to the VPN even after a reboot and reinstall 😕

 

After going back to 4.0.7 everything worked again, then trying 4.1.0 again and same thing (no connection) then back to 4.0.7 and yay! working again. I see the traffic coming into the portal and being allowed, the client just never gets an established connection.

 

Anyone else brave enough to play with the new GP client? What did you find? Did it work? Same issue I am seeing?

 

Whats next:

I will try the new client on some other machines and OS versions to see if I can isolate the issue to a certain root cause. We won't be using this in production for a while or at least until I can validate this issue will not happen if we update all endpoints someday.

 

1 accepted solution

Accepted Solutions

Confirmed!

 

I changed the test user password and removed/swapped out the < and > characters and I was able to sign in right away without any issues using the 4.1 client.

 

This means PA has to resolve this before rolling the app out to the masses in order to prevent any such instance of this problem occuring with anyone using those characters in their passwords.

 

If you do roll this version out and some users are unable to connect, it may be related to special chars in their passwords.

 

Thanks again for everyone's input that lead me to this finding. I have a case open and I will update it and inform our SE of these findings.

View solution in original post

33 REPLIES 33

Cyber Elite
Cyber Elite

@hshawn,

Been running the 4.1 client on 8.1 for awhile without issues. Even if it's supposed to 'work' with 8.0 I wouldn't really recommend crossing like that at the moment. 

 

@BPry

 

Thanks, I was starting to wonder if it "required" PANOS 8.1 to function properly. I am not ready to take the 8.1 plunge yet, not even on my lab device after readin ghte known issues 😕

@hshawn,

I honestly haven't tried 4.1 on anything but 8.1, so I can't say if this is a known issue at all. According to documentation it should work perfectly fine on 8.0, and I think it even goes back to 7.1.*. 

@hshawn,

I actually just updated the GP client on my 8.0.8 LAB device and it's working and connecting perfectly fine. You might want to play around with it a little bit more; potentially try uninstalling the agent and then installing it with 4.1.0 from scratch might work better than a direct upgrade? 

@BPry

 

That may tell me if it works better or not but when we eventually upgrade it will have to be through the good ol' activate the new version on the gateway and let it auto update when users connect. So I want to make sure I get a good woprking endstate following the same path we will use for everyone.

 

I will try a manual install later tonight just to see what results I get tho

@hshawn,

Just a heads up, 4.1.0 is a huge visual improvement over what was available previously. While it's very easy to interpret what they need to do, it might require a bit of re-training for more challenged end-users 🙂 

yep! I like the new look. most of our users are on pre-logon always on so they don't have much interaction but when the time comes we will have communication sent out to all

 

@hshawn, Hi.

 

Probably of no use to you but just to let you know that 4.1 seems to work OK with 7.1.15 and 8.0.8 aswell as 8.1.

 

this is using several auth options such as...

allways -on

on -demand

certificate auth only

radius only plus auth overide cookie

radius plus certificate

radius plus certificate plus auth overide cookie

ldap plus certificate.

 

unfortunately we do not use pre-logon. so cannot test....

group membership also works OK as login below (Admin Level) has the option to pick what gateway as well as portal.... I think you meant portal in your original post..

 

GP connected2.png

 

 

 

Ok so this gets more confusing, I'm using 8.0.8 and the 4.1.0 client just refuses to connect at all in any of my tests.

 

Uninstall 4.0.7 and fresh manual install of 4.1 - no connection

 

Upgrade from firewall - no connection

 

Windows 10 - no connection

 

Windows 7 - no connection

 

Linux - no connection

 

OSX - testing soon

 

Going back to 4.0.7 - works perfectly

 

Since I am the only one seeing these issues here but I have tried a mixture of client environments the common denominator is the firewall itself. Maybe something in my config that 4.1 does not like but everything prior has no problem with..

could it be a pre-logon issue with 4.1.

 

have you tried other auth methods or just pre-logon.

@Mick_Ball

 

Yes primarily I have been trying it in the lab with on demand mode

@Mick_Ball@hshawn,

I was actually playing around with this quite a bit last night, simply because I actually want to get 4.1 and the new UI rolled-out as soon as possible. I couldn't reproduce any connectivity issues in on-demand or pre-logon regardless of using 8.0.8 or 8.1.0. I'm guessing that it has to do something with your configuration, or for some reason the GP Package needs to be removed and re-downloaded/activated on your firewall. I've never seen one of those behavior poorly, but maybe something happened when you downloaded 4.1 that is causing your issues? 

This morning I manualy installed the 4.1 client on a device configured for the corp network portal/gateway using pre-logon always on and it worked like a champ.

 

This was an 8.0.8 connection same as the lab environment. so the client is working there and it must be something in the config that the 4.1 client does not like in the lab. the lab is also setup to allow native android clients using Xauth so maybe that is it? I might have to start trimming features away until I find an indicator. fun... so much fun

 

p.s. the successful testing was done on a 32 bit machine so the client was 32bit but that should not make a difference

have you looked at the PanGPS log from the client device, it may be helpful...

  • 1 accepted solution
  • 8667 Views
  • 33 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!