Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Issues with both client and clientless VPN on 220 running 8.0.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issues with both client and clientless VPN on 220 running 8.0.1

L3 Networker

Full disclosure: up until now, I've had zero practical experience with GlobalProtect. I've only worked with Pulse, Cisco and OpenVPN.

 

I just deployed a 220 yesterday with 8.0.1 and am having a heck of a time getting GlobalProtect to work in either scenario.

 

The Clientless lets me log in, but anytime I try to launch a published app or manually enter in a URL, it launches a new browser tab and never goes anywhere. Doesn't even time out. I know there's connectivity because I can ping the app's server from within the CLI using the trusted interface as a source (and I can access it locally from behind the PA). The only thing I can think of is I am not using the management interface, I have a service route sending everything through the trusted zone vlan).

 

As for the client, I finally got the client version to the point where it was giving me a certificate validation error, which according to what I've found, was potentially due to a mismatch in the cert's CN and the external gateway FQDN (which I'm not even sure I need an external gateway), but that was not the case here. I think I fixed that by just purchasing a cert from a public CA but now it immediately fails on Discovering Network saying there's a problem with the internet connection or the globalprotect network.

 

any ideas/help would be greatly appreciated.

8 REPLIES 8

Cyber Elite
Cyber Elite

Can you post how you have it configured. Since you can't get either to work it would point towards more of a configuration issue. The clientless VPN is still in beta so that not working could be an actual bug, but once he client GP is working we can look at fixing that as well. 

 

If this is your virst GP setup then I'm guessing you likely have multiple small configuration issues with how you have it configured currently. 

@BPryyes, I'm sure you're right. but as you know I'm sure, there's a LOT of minute configurations all over the place, so I'm hoping maybe for a place to start rather than from step 1.

 

I'm going to spend some time reviewing GP from the 7.1 205 course/lab and see if it helps fill in any blanks for me. if not, or if someone can't help me pinpoint it in the interim, I'll consider posting the full config.

Made a couple of corrections and made some progress. Basically I had external gateway bound to wrong interface for one. I also didn't have the local network defined in the added access routes.

 

here's where I stand:

 

client: on Windows, GP4 still gives me 'server certificate verification failed' error. on iOS, it actually connects now, however I cannot access local resources and if I go to icanhazip.com, I am getting the IP of the network my iOS is on, not the VPN network's external IP. so basically it looks like I'm connected to the VPN, but none of my traffic seems to be routed through it.

 

ETA: Okay, I lied. I was able to access internal resources and I didn't realize that if I wanted ALL traffic to go through the 220, I should've added 0.0.0.0/0 as an added access route. I was confused by the no split tunnel option, assuming it would send all traffic through the tunnel if I left it unchecked.

 

clientless: after about 10 seconds or so after selecting an app, it now returns

 

Access Error: 404 -- Not Found

Can't locate document: /http-5075/192.168.1.2/

 

it must be doing something, however, because if I point it to a port that's not listening, the 404 error is returned immediately.

 

ETA: so basically, iOS GP client seems to be working as expected. Clientless and Windows GP client do not.

1) Lots of 'server certificate verification failed' errors have been discussed on live; I would look through those and see if any of them help you out at all. 

2) I assume if iOS isn't having an issue it has to be an issue with your client settings. Have you verified the FQDN and CN are matching, PTR is okay? 

3) Support is your friend in these types of situations and will actually verify that everything is setup correctly. Might be worth opening a ticket with them on this. 

 

Clientless is again still in beta, so if you have issues with it contact TAC and open a case on it. You are running a brand new OS, using new HW, and a feature that all could still have bugs in them. 

1) Lots of 'server certificate verification failed' errors have been discussed on live; I would look through those and see if any of them help you out at all. 

 

I did. So far, it hasn't.

 

2) I assume if iOS isn't having an issue it has to be an issue with your client settings. Have you verified the FQDN and CN are matching, PTR is okay? 

 

Yes on the cert. No SSL errors when connecting to the portal, ssllabs gives it a B rating because of the key exchange. there is a PTR record but it points back to the ISP's domain. Not sure what else to check on the client side unless there's an agent config I'm missing (effectively all I've changed is switching it to On Demand).

 

3) Support is your friend in these types of situations and will actually verify that everything is setup correctly. Might be worth opening a ticket with them on this. 

 

I do have a call open, but not standard support, so it's slow. Hoping to crowdsource a little.

 

Clientless is again still in beta, so if you have issues with it contact TAC and open a case on it. You are running a brand new OS, using new HW, and a feature that all could still have bugs in them. 

 

There may be additional factors at work as I've come across when dealing with Plex issues. There seems to be some cross communication issues between wired devices that are going through the 220 directly and devices on the wireless network, though it's not consistent. It's way too complicated to go into depth now, I need to do more testing, but the clientless may be tied to that (even though the iOS on the VPN can access the same device).

and just like that, the Windows client appears to be working. I'm able to successfully VPN in and access local resources.

 

so right now, the clientless 404 errors is the only issue I'm experiencing.

With "published app", do you mean Citrix by any chance ?

no, just a basic webapp. nothing complicated yet

  • 5693 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!