Portal Error when using GlobalConnect client


We have 1 PA-500 which we recently upgraded from 4.0.5 to 4.1.4.

On 4.0.5 we used the NetConnect client for several users without any problem.
Now we upgraded to 4.1.4 we need to use the GlobalConnect client.

So I downloaded and activated the 1.1.4 client.

I thought it should offer an upgrade when you connect with an old client, so I started my NetConnect client and tried to connect. It failed to connect.

So I upgraded the client manually and inserted my user/password and the portal.

Connection still fails with the error: Portal Error.

When I open the traffic log I see incoming connections from the Public IP.

Any ideas?

Dennis

Hi Dennis,

Firstly, since you upgraded the code from 4.0.x to 4.1.5, GlobalProtect needs to be used, as it has replaced SSL VPN.

Second, you cannot connect via the old client (NetConnect).

While installing the new one you will be prompted for the uninstall. Please do so.

Also, to check your configuration in GlobalProtect, I would like you to go through the following document on GlobalProtect configuration for users upgrading from NetConnect:

NetConnect to GlobalProtect Migration

The Portal Error that you are getting is related to the certificates. Please validate the configuration/migration path from the above document.

Regards,

Parth

I think you upgraded to 4.1.4 and NOT 4.1.5. I overlooked it.

Anyway, this is true for an upgrade to the 4.1.x platform.

Regards,

Parth

Hi Parth,

The upgrade wasn't suggested because at that point the firewall was already upgraded to 4.1.4 (not 4.1.5, my mistake) and the VPN wasn't working properly.

I did some more tests and I can't figure out how I was ever connected, as the logs only report errors.
The main error is that it could not connect to the portal.

Will read the docs and keep you posted.

Dennis

Hi,

I haven't changed anything.
Right now I see errors coming in that the username or password is incorrect.

and

User is not in allowlist for <IP address>

Verified the username and password and they are correct.
Can't find anything about allowing users from a certain IP address.

The Authentication profile is set to allow users that are members of a certain Active Directory group.

When I try to use the GlobalConnect with a username that is not allowed, I will get the same error message.

Regards,

Dennis

Are you using LDAP to pull user groups? Getting the error "User is not in allowlist for <IP address>" indicates an issue with the LDAP configuration. Can you verify if you have your base DN and bind DN configured correctly?

We use RADIUS for the authentication from Active Directory.
If I start typing it will find all AD groups, so RADIUS is working properly.

When I allow 'all' then I'm able to connect, but it failed to get past the discovering network.

Check "Network->Zones->Enable User Identification" - after my upgrade from 4.0.7 to 4.1.4 it was disabled by itself.

Maybe that will help. Regards...

User identification is still enabled.

But even if the authentication is working, it wouldn't get past the discover network part. Cannot figure out why, because nothing has been changed in the network.

What are the certificates you have in place for global protect? If you have a root cert, do you have it installed in your PC?

Manish
