01-06-2021 04:31 AM
Hi Guys,
Some of our users experience disconnects from our GP VPN. When it happens it always impacts a partial set of the clients not everyone. I would like to know a method in which I can determine the reason of the disconnection.
In the Monitor-Logs-GlobalProtect tab I can only see the fact if a user is logged-out or logged in and authentication steps.
Is there a way to know if somethings happening on the PA side or the users' home ISP is misbehaving?
PA version: 9.1.3-h1
GP version: 5.2.4
Cheers,
Daniel
01-06-2021 06:30 AM
Hi @olloczky ,
I would suggest to take one or two example users and check the GP client logs - How to Collect Logs from GlobalProtect Clients - Knowledge Base - Palo Alto Networks
Note that if in your portal config you have set "Enable Advance View" to no, the troubleshooting tab will not be visible for the user. So you will have to collect the files manually - Where is the GlobalProtect Log File Located? - Knowledge Base - Palo Alto Networks
I would suggest you to look at "pan_gp_event.log" and more importantly "PanGPS.log"
01-06-2021 06:30 AM
Hi @olloczky ,
I would suggest to take one or two example users and check the GP client logs - How to Collect Logs from GlobalProtect Clients - Knowledge Base - Palo Alto Networks
Note that if in your portal config you have set "Enable Advance View" to no, the troubleshooting tab will not be visible for the user. So you will have to collect the files manually - Where is the GlobalProtect Log File Located? - Knowledge Base - Palo Alto Networks
I would suggest you to look at "pan_gp_event.log" and more importantly "PanGPS.log"
01-06-2021 06:49 AM
Thanks for this info! Unfortunately our clients are thin clients with veeeery limited capabilities. This means they cannot create files on the computer, thus cannot save logs. Maybe the first option is feasible, will check that.
Besides from client side, is there no way to check similar debug infos on the FW side?
01-06-2021 10:32 AM
No. Detailed logs are only kept on the client side, and the firewall won't be able to tell you why a client was disconnected unless it was disconnected by the firewall itself.
01-06-2021 11:49 AM
@BPry wrote:
No. Detailed logs are only kept on the client side, and the firewall won't be able to tell you why a client was disconnected unless it was disconnected by the firewall itself.
While not wrong, the most detailed logs would come from the remote client, a firewall running PAN-OS 9.1.X does have greater logging than previous code versions. There are "Global Protect" logs in the monitor tab which might help identify why a user is getting disconnected or not connecting.
01-06-2021 11:06 PM
@Brandon_Wertz thanks for that! I've checked those logs as well. Either I'm not smart enough to interpret those logs or those are just really the events which are logged and not the detailed info and error codes. Because the latter is not enough for me now unfortunately.
I really appreciate your inputs guys!
01-07-2021 05:11 AM
under the new logging regime Monitor/GlobalProtect add "( eventid eq gateway-config-release ) or ( eventid eq gateway-logout )" to the filter. this will be best information for disconnects but as @BPry mentioned, this will only be logged if planned. if the devices have comms or pangps service issues then this will not be logged on the firewall.
for all our disconnect issues I have never found much help on the firewall apart from the obvious that if it's not logged then it wasn't planned.
01-08-2021 01:50 AM
Thank you guys. I was able to collect logs on client side but the security rules restrict me to gather them but that is a different topic 🙂 Thank you all for your inputs!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
