10-04-2012 08:38 AM
I am having a problem with my GlobalConnect configuration. Everything works fine when I have it set to On Demand. However, I have a set of users I want to effectively have the VPN always on, so for them I've created a second configuration but when a user in this group connects I get the following error in my System Log:
GlobalProtect portal client configuration failed. Login from: MyIpAddress, User name: MyUser.
Here is the portion of my configuration related to the GlobalProtect Portal; the only difference between the two configurations is the toggling of OnDemand from On to Off:

<global-protect-portal>
  <entry name="Standard VPN Portal">
    <portal-config>
      <local-address>
        <ip>#.#.#.#/26</ip>
        <interface>ethernet1/1</interface>
      </local-address>
      <authentication-profile>Standard VPN Users</authentication-profile>
      <server-certificate>STAR10_company_com</server-certificate>
    </portal-config>
    <client-config>
      <configs>
        <entry name="Always On">
          <hip-collection>
            <max-wait-time>20</max-wait-time>
          </hip-collection>
          <gateways>
            <external>
              <list>
                <entry name="#.#.#.#">
                  <priority>1</priority>
                </entry>
              </list>
            </external>
            <cutoff-time>0</cutoff-time>
          </gateways>
          <source-user>
            <member>us10\remote access always on</member>
          </source-user>
          <agent-ui>
            <welcome-page>
              <display>no</display>
            </welcome-page>
            <agent-user-override>with-comment</agent-user-override>
            <enable-advanced-view>yes</enable-advanced-view>
            <can-save-password>yes</can-save-password>
            <agent-user-override-timeout>0</agent-user-override-timeout>
            <max-agent-user-overrides>0</max-agent-user-overrides>
          </agent-ui>
          <agent-config>
            <client-upgrade>transparent</client-upgrade>
            <rediscover-network>yes</rediscover-network>
            <resubmit-host-info>yes</resubmit-host-info>
          </agent-config>
          <internal-host-detection>
            <ip-address>#.#.#.#</ip-address>
            <hostname>wdc01.company.local</hostname>
          </internal-host-detection>
          <use-sso>yes</use-sso>
          <on-demand>no</on-demand>
        </entry>
        <entry name="On Demand">
          <hip-collection>
            <max-wait-time>20</max-wait-time>
          </hip-collection>
          <gateways>
            <external>
              <list>
                <entry name="#.#.#.#">
                  <priority>1</priority>
                </entry>
              </list>
            </external>
            <cutoff-time>0</cutoff-time>
          </gateways>
          <source-user>
            <member>us10\remote access full</member>
            <member>us10\remote access standard</member>
          </source-user>
          <agent-ui>
            <welcome-page>
              <display>no</display>
            </welcome-page>
            <agent-user-override>with-comment</agent-user-override>
            <enable-advanced-view>yes</enable-advanced-view>
            <can-save-password>yes</can-save-password>
            <agent-user-override-timeout>0</agent-user-override-timeout>
            <max-agent-user-overrides>0</max-agent-user-overrides>
          </agent-ui>
          <agent-config>
            <client-upgrade>transparent</client-upgrade>
            <rediscover-network>yes</rediscover-network>
            <resubmit-host-info>yes</resubmit-host-info>
          </agent-config>
          <internal-host-detection>
            <ip-address>10.#.#.#</ip-address>
            <hostname>wdc01.company.local</hostname>
          </internal-host-detection>
          <use-sso>yes</use-sso>
          <on-demand>yes</on-demand>
        </entry>
      </configs>
      <agent-user-override-key>-AQ==9EIX</agent-user-override-key>
      <client-certificate>Standard VPN Client</client-certificate>
    </client-config>
  </entry>
</global-protect-portal>
Is there a reason why switching On Demand to No should generate a configuration error? It's not due to having two separate groups; if I set OnDemand to Yes on the broken group it immediately starts working...
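As an added example (not part of the original post or of PAN-OS), the script below parses a portal configuration in the XML format quoted above and lists every setting that differs between the two client-config entries, so the "only difference is OnDemand" claim can be checked mechanically instead of by eye. The embedded XML is a constructed, trimmed copy of the posted config.

```python
# Added example (not from the thread): diff the settings of two GlobalProtect client-config entries.
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the portal config posted in the thread.
PORTAL_XML = r"""<global-protect-portal><entry name="Standard VPN Portal"><client-config><configs>
  <entry name="Always On">
    <gateways><external><list><entry name="#.#.#.#"><priority>1</priority></entry></list></external></gateways>
    <source-user><member>us10\remote access always on</member></source-user>
    <internal-host-detection><ip-address>#.#.#.#</ip-address><hostname>wdc01.company.local</hostname></internal-host-detection>
    <use-sso>yes</use-sso>
    <on-demand>no</on-demand>
  </entry>
  <entry name="On Demand">
    <gateways><external><list><entry name="#.#.#.#"><priority>1</priority></entry></list></external></gateways>
    <source-user><member>us10\remote access full</member><member>us10\remote access standard</member></source-user>
    <internal-host-detection><ip-address>10.#.#.#</ip-address><hostname>wdc01.company.local</hostname></internal-host-detection>
    <use-sso>yes</use-sso>
    <on-demand>yes</on-demand>
  </entry>
</configs></client-config></entry></global-protect-portal>
"""

def flatten(elem, prefix=""):
    """Map each leaf to 'path/to/leaf' -> text; a 'name' attribute joins the
    path and repeated leaves (several <member>) are joined with '|'."""
    out = {}
    for child in elem:
        tag = child.tag + (f"[{child.get('name')}]" if child.get("name") else "")
        path = f"{prefix}/{tag}" if prefix else tag
        if len(child):
            out.update(flatten(child, path))
        else:
            text = (child.text or "").strip()
            out[path] = f"{out[path]}|{text}" if path in out else text
    return out

def client_configs(xml_text):
    """Return {entry name: flattened settings} for each client config entry."""
    return {e.get("name"): flatten(e) for e in
            ET.fromstring(xml_text).iterfind(".//client-config/configs/entry")}

def diff_entries(a, b):
    """Settings whose value differs between two entries: path -> (in a, in b)."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    cfgs = client_configs(PORTAL_XML)
    for path, (on, demand) in diff_entries(cfgs["Always On"], cfgs["On Demand"]).items():
        print(f"{path}: Always On={on!r}  On Demand={demand!r}")
```

Run against the real export, the diff shows that besides on-demand the two entries also differ in their source-user groups and the internal-host-detection IP address, which is useful context when raising the case with support.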
10-04-2012 10:48 AM
Hello,
If you want your users to always connect to the gateway when they are outside the network, you need to select "Single Sign On".
It will always be the first method tried by the client. This initial connection/discovery to the portal using SSO is done by the client in order to find out if the configuration is set to On-demand mode or SSO to connect to the gateway.
If the mode is SSO, the client will connect successfully to the gateway.
If the mode is found to be on-demand, the client will not proceed further and stop the connection. In On-demand mode, "connect" has to be clicked by the user manually for the client to connect to the gateway.
Regards
10-04-2012 11:07 AM
That doesn't really address the issue: when it's configured for the default (SSO - YES, On Demand - NO), a client connecting under that configuration gets a configuration error on the Palo Alto and a "Portal Error" on the client.
10-19-2012 04:45 PM
Which PAN-OS and Global Protect version are you running?
Could you please open a case with support so we can investigate further?