This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Connect Before Logon failing to connect to Portal after changing "Enforce VPN" settings

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Connect Before Logon failing to connect to Portal after changing "Enforce VPN" settings

Adrian_Jensen
L6 Presenter

‎10-01-2024 02:07 PM

Is there anyway to easily reset the system-user (before logon) GP settings to restore the initial state? Having an issue testing Connect Before Logon (VPN connection icon on the Windows login screen) where I am hung in a state where the VPN will not work with Enforce VPN set in the Portal config with certificate authentication on the Portal and SAML authentication on the Gateway. It is not even attempting to connect to the Gateway and appears to be having a certificate problem on the Portal.

 

I initially setup Connect Before Logon on a Portal/gateway and a couple test clients. The client could connect to the Portal without issue and would initially connect to the Gateway, but would never SAML auth (Gateway pre-login on the PaloAlto, no logs in the Entra SAML or return to the Gateway with SAML creds). After trying several FQDN bypasses in the Portal app config, I disabled Enforce VPN and everything worked exactly like it should... So definitely something blocked by Enforce VPN.

 

After re-enabling Enforce VPN, now the Connect Before Logon VPN will not connect to the Portal. Wireshark shows it connecting and then sending SSL alerts and closing the connection. It appears to either be rejecting the Portal certificate or failing to provide the client certificate for authentication. The login page shows:

The network is unreachable or the portal is unresponsive. Check the network and reconnect.

The PANGPS.log shows repeated attempts to connect to the Portal with the following error:

Failed to pre-login to the portal xxx.xxx.xxx with return value 0(0).

 

If I log into the client with a local user, then the VPN connects to the Portal and Gateway without issue.

 

If I disable Enforce VPN on the Portal I still can not Connect Before Logon (seems that it can't connect enough to get the new config), but I can login as a local user and establish the VPN. After rebooting the Connect Before Login will then starts connecting correctly, but as soon as I re-enable Enforce VPN it fails to connect to the Portal again.

0 Likes Likes
0 REPLIES 0
  • 468 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks