This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Unable to authenticate through Global Protect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Unable to authenticate through Global Protect

Jatin.Singh
L3 Networker

‎09-15-2019 10:07 PM

I m currently unable to authenticate through Global Protect. I’ve looked at the config which looks correct and I can’t see anything obvious in the logs. Are you able to assist? I’ve paste the logs below.

 

 

 

2019-09-16 14:03:19.305 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla@wyongccs.nsw.edu.au" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:19.305 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:19.305 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:19.305 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla@wyongccs.nsw.edu.au" in request->username

2019-09-16 14:03:19.305 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:19.306 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla@wyongccs.nsw.edu.au" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:19.306 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla@wyongccs.nsw.edu.au": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:19.306 +1000 failed authentication for user 'sagierhartla@wyongccs.nsw.edu.au'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:19.306 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla@wyongccs.nsw.edu.au' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110501)

2019-09-16 14:03:35.492 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.492 +1000 debug: pan_authd_handle_is_kerberized_req(pan_authd_kerberos_sso.c:1050): return is_kerberized = false for <profile: "GP-VPN-AUTH", vsys: "vsys1", remotehost "", krb_sso_hostname "vpn.wyongccs.nsw.edu.au">

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:35.560 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:35.560 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:35.564 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99962, body length 2384

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "sagierhartla"> ; timeout setting: 25 secs ; authd id: 6730648317623110504

2019-09-16 14:03:35.564 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1"

2019-09-16 14:03:35.564 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence

2019-09-16 14:03:35.564 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1)

2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla" in request->username

2019-09-16 14:03:35.564 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1"

2019-09-16 14:03:35.565 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla" with <profile: "GP-VPN-AUTH", vsys: "vsys1">

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1

2019-09-16 14:03:35.565 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure)

2019-09-16 14:03:35.565 +1000 failed authentication for user 'sagierhartla'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161.

2019-09-16 14:03:35.565 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110504)

2019-09-16 14:03:39.165 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd

2019-09-16 14:03:39.166 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH

2019-09-16 14:03:39.166 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)

2019-09-16 14:03:39.166 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs"

2019-09-16 14:03:39.169 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99964, body length 2384

2019-09-16 14:03:39.169 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "spadmin"> ; timeout setting: 25 secs ; authd id: 6730648317623110506

 

0 Likes Likes
10 REPLIES 10

GeorgiosFakis
L3 Networker

‎09-16-2019 08:40 AM

It seems that cannot find a server in auth GP-VPN-AUTH so go there to see what you have stated and then go to server profile to see if the profile has any IP .

0 Likes Likes

jdelio
L7 Applicator
In response to GeorgiosFakis

‎02-10-2021 01:19 PM

Just wanted to let everyone know that if they are having any GlobalProtect issues, and need to troubleshoot the issue, our Very own @kiwi has written a great blog all about troubleshooting GlobalProtect.

Be sure to check it out here: 
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-troubleshooting-tips/ba-p/383911

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
0 Likes Likes

DKumarP
L0 Member
In response to GeorgiosFakis

‎10-18-2022 02:49 AM

Hi Team,

 

We are also facing the same issue when we connect GP VPN getting error " the network connection is unreachable or the gateway is unresponsive"

 

Also we could see below logs from authd.logs 

 

2022-10-18 06:35:00.535 +0000 debug: _get_payload(pan_authd_saml_internal.c:1064): b64 decoded payload length=5318.
2022-10-18 06:35:00.536 +0000 Received SAML Assertion from 'https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66ddd181a40/' from client '103.74.16.247'
2022-10-18 06:35:00.536 +0000 debug: _parse_sso_response(pan_authd_saml.c:1443): SAML SSO response from "https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66d dd181a40/" has no username attribute
2022-10-18 06:35:00.536 +0000 debug: _parse_sso_response(pan_authd_saml.c:1446): SAML SSO response from "https://sts.windows.net/656793e6-d51d-4bb2-b5fa-c66d dd181a40/": Use saml:Subject NameID "exthassa@pandora.net" as username
1666074900 INFO OpenSAML.Utility.SAMLSign : successful signature verification
2022-10-18 06:35:00.546 +0000 debug: _has_valid_signature(pan_authd_saml_internal.c:1522): Succeed to verify signature against certificate of IdP "https://st s.windows.net/656793e6-d51d-4bb2-b5fa-c66ddd181a40/"
2022-10-18 06:35:00.546 +0000 SAML Assertion: signature is validated against IdP certificate (subject 'crt.SAML Profile for GP.shared') for user 'exthassa@pa ndora.net'
2022-10-18 06:35:00.548 +0000 2022-10-18 06:35:00.548 +0000 debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5393): debug: pan_auth_cache_user_is_al lowed(pan_auth_cache_allowlist_n_grp.c:569): Check allow list status for exthassa@pandora.net (Authentication_Profile_SAML_GP/vsys1)
This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-10-18 06:35:00.548 +0000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for Authentication_Profile_SAML_GP-vsys1 -mfa
99%

0 Likes Likes

UtkarshKumar
L3 Networker

‎12-12-2022 01:54 PM

Is there any recommendation for this post? We are running into same error for 10.2.3 after firewall upgrade. 

0 Likes Likes

Karuppu
L2 Linker

‎03-24-2024 10:57 PM

Hi Team,

 

Good Morning !

We are also facing same issue ,do we have any solution for this issue?

0 Likes Likes

RakeshV
L0 Member

‎03-25-2024 04:03 AM

Can you check if you are connected to LDAP. Also check the authd.log

 

0 Likes Likes

Karuppu
L2 Linker

‎03-25-2024 04:07 AM

Hi Team,

 

yes ,i have checked the Authd.log which was showing the Authentication server could not find the aftersome time Authentication server connected after that its started working 

0 Likes Likes

RakeshV
L0 Member

‎03-25-2024 04:09 AM

Can you please share the Authd.logs 

 

0 Likes Likes

RakeshV
L0 Member

‎03-25-2024 04:11 AM

I believe this is the log can you please check same in useridd.log 
could not find auth server id vector for Authentication Profile

 

Karuppu
L2 Linker

‎03-29-2024 11:58 AM

Hi Rakesh ,

 

Thank you for your suggestions

0 Likes Likes
  • 9041 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks