Reason why the GlobalProtect session is disconnected

Reply
olloczky
L1 Bithead

Reason why the GlobalProtect session is disconnected

Hi Guys,

 

Some of our users experience disconnects from our GP VPN. When it happens it always impacts a partial set of the clients not everyone. I would like to know a method in which I can determine the reason of the disconnection.

 

In the Monitor-Logs-GlobalProtect tab I can only see the fact if a user is logged-out or logged in and authentication steps.

 

Is there a way to know if somethings happening on the PA side or the users' home ISP is misbehaving?

 

PA version: 9.1.3-h1

GP version: 5.2.4

 

Cheers,

Daniel


Accepted Solutions
AlexanderAstardzhiev
L4 Transporter

Hi @olloczky ,

 

I would suggest to take one or two example users and check the GP client logs - How to Collect Logs from GlobalProtect Clients - Knowledge Base - Palo Alto Networks

 

Note that if in your portal config you have set "Enable Advance View" to no, the troubleshooting tab will not be visible for the user. So you will have to collect the files manually - Where is the GlobalProtect Log File Located? - Knowledge Base - Palo Alto Networks

 

I would suggest you to look at "pan_gp_event.log" and more importantly "PanGPS.log"

 

View solution in original post


All Replies
AlexanderAstardzhiev
L4 Transporter

Hi @olloczky ,

 

I would suggest to take one or two example users and check the GP client logs - How to Collect Logs from GlobalProtect Clients - Knowledge Base - Palo Alto Networks

 

Note that if in your portal config you have set "Enable Advance View" to no, the troubleshooting tab will not be visible for the user. So you will have to collect the files manually - Where is the GlobalProtect Log File Located? - Knowledge Base - Palo Alto Networks

 

I would suggest you to look at "pan_gp_event.log" and more importantly "PanGPS.log"

 

View solution in original post

olloczky
L1 Bithead

Hi @AlexanderAstardzhiev,

 

Thanks for this info! Unfortunately our clients are thin clients with veeeery limited capabilities. This means they cannot create files on the computer, thus cannot save logs. Maybe the first option is feasible, will check that.

 

Besides from client side, is there no way to check similar debug infos on the FW side?

BPry
Cyber Elite

@olloczky,

No. Detailed logs are only kept on the client side, and the firewall won't be able to tell you why a client was disconnected unless it was disconnected by the firewall itself. 

Brandon_Wertz
Cyber Elite


@BPry wrote:

@olloczky,

No. Detailed logs are only kept on the client side, and the firewall won't be able to tell you why a client was disconnected unless it was disconnected by the firewall itself. 


While not wrong, the most detailed logs would come from the remote client, a firewall running PAN-OS 9.1.X does have greater logging than previous code versions.  There are "Global Protect" logs in the monitor tab which might help identify why a user is getting disconnected or not connecting.

olloczky
L1 Bithead

@Brandon_Wertz thanks for that! I've checked those logs as well. Either I'm not smart enough to interpret those logs or those are just really the events which are logged and not the detailed info and error codes. Because the latter is not enough for me now unfortunately. 

 

I really appreciate your inputs guys!

MickBall
L7 Applicator

under the new logging regime Monitor/GlobalProtect add "( eventid eq gateway-config-release ) or ( eventid eq gateway-logout )"   to the filter.  this will be best information for disconnects but as @BPry mentioned, this will only be logged if planned. if the devices have comms or pangps service issues then this will not be logged on the firewall.

 

for all our disconnect issues I have never found much help on the firewall apart from the obvious that if it's not logged then it wasn't planned.

 

 

 

 

 

 

olloczky
L1 Bithead

Thank you guys. I was able to collect logs on client side but the security rules restrict me to gather them but that is a different topic Thank you all for your inputs!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!