10-18-2024 07:51 AM
Unable to connect to one of our GlobalProtect gateways. Debug log of PanGPS attached with its attempt to connect to the gateway. I have checked all the gateway settings, and they match the working gateway, so I am at a loss on what to look for. The working gateway is on an HA pair of 5220 in active/passive mode, and the non-working gateway is on an HA pair of 3420 in active/passive mode.
(P4512-T18044)Debug(5680): 10/18/24 09:30:16:912 getaddrinfo host.GetString() <correct external ip>
(P4512-T18044)Debug(5804): 10/18/24 09:30:16:951 Gateway <correct external ip>(<correct external ip>): ipv4 <correct external ip>, ipv6 , FQDN yes
(P4512-T18044)Debug(4987): 10/18/24 09:30:16:951 Reset saml auth status for manual gateway
(P4512-T18044)Debug(4992): 10/18/24 09:30:16:951 dwRemoteHost is 0 for gateway <correct external ip>. Retrieve client ip.
(P4512-T18044)Debug(3106): 10/18/24 09:30:16:951 Gateway: <correct external ip>, client IP: 172.22.145.27
(P4512-T18044)Debug(7993): 10/18/24 09:30:16:951 --Set state to Connecting...
(P4512-T18044)Debug(2645): 10/18/24 09:30:16:951 retrieve info of gateway <correct external ip>
(P4512-T18044)Debug(2410): 10/18/24 09:30:16:951 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Enterprise , 64-bit).
(P4512-T18044)Debug(2468): 10/18/24 09:30:16:951 open http session. agent is PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Enterprise , 64-bit)
(P4512-T18044)Debug(2410): 10/18/24 09:30:16:951 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Enterprise , 64-bit).
(P4512-T18044)Debug( 476): 10/18/24 09:30:16:956 winhttp SetSecureProtocol, hSession=f7b78da0, bAllProtocol=0, gbFips=0
(P4512-T18044)Debug(2656): 10/18/24 09:30:16:956 Skip setting proxy for creating tunnel to gateway <correct external ip>
(P4512-T18044)Debug(3599): 10/18/24 09:30:16:956 m_msp->IsInPreserveTunnel() 0, m_msp->IsPrelogonRenameAuthFail() 0
(P4512-T18044)Debug(16119): 10/18/24 09:30:16:956 Set m_bPrelogonRenameAuthFail to 0
(P4512-T18044)Debug(3629): 10/18/24 09:30:16:956 CPanGateway::RetrieveGatewayInfo portal default-browser value is 0, support yes
(P4512-T18044)Debug(3644): 10/18/24 09:30:16:956 ----Gateway Pre-login starts----
(P4512-T18044)Debug(13355): 10/18/24 09:30:16:956 Check cert of server <correct external ip>
(P4512-T18044)Debug(13370): 10/18/24 09:30:16:956 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P4512-T18044)Debug( 931): 10/18/24 09:30:16:956 SSL connecting to <correct external ip>
(P4512-T18044)Debug( 571): 10/18/24 09:30:16:960 Network is reachable
(P4512-T18044)Debug( 104): 10/18/24 09:30:21:989 connect failed with 5 seconds timeout.
(P4512-T18044)Debug( 626): 10/18/24 09:30:21:989 Failed to connect to <correct external ip> on 443 with return value -1 and socket error 0(0)
(P4512-T18044)Debug( 936): 10/18/24 09:30:21:989 do_tcp_connect() failed
(P4512-T18044)Error(13402): 10/18/24 09:30:21:989 ConnectSSL: Failed to connect to '<correct external ip>:443'. Disconnect ssl.
(P4512-T18044)Debug(13415): 10/18/24 09:30:21:989 Cannot get server cert of <correct external ip>
(P4512-T18044)Debug(6518): 10/18/24 09:30:21:989 Already tried both ipv4 and ipv6 for gateway <correct external ip>
(P4512-T18044)Debug(6529): 10/18/24 09:30:21:989 pretunnel latency (manual gateway) is 1
(P4512-T18044)Error(3695): 10/18/24 09:30:21:989 Failed to connect to gateway <correct external ip>.
(P4512-T18044)Debug(5837): 10/18/24 09:30:21:989 pg, error message for manual select gateway will not show.
(P4512-T18044)Debug(5851): 10/18/24 09:30:21:989 Show Gateway <correct external ip>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
10-23-2024 08:17 AM
Hi @M.Caudle ,
It looks like the issue might be the SSL cert. The log shows “Cannot get server cert.” I’d recommend double-checking that the SSL/TLS certificate on the non-working gateway is set up properly and matches the one on your working gateway. Also, make sure the certificate chain is complete and trusted by the client.
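An added example, not part of either post and not Palo Alto Networks code: a small Python parser for the PanGPS line layout seen in the log above that reports at which stage a gateway pre-login attempt stopped. The stage names, and the rule that "Cannot get server cert" without a preceding `do_tcp_connect() failed` means a TLS or certificate-stage stop, are assumptions of this example.

```python
import re
from datetime import datetime

# Layout of a PanGPS debug line as it appears in the posted log:
# (P<pid>-T<tid>)<Level>(<source line>): MM/DD/YY HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"^\(P(?P<pid>\d+)-T(?P<tid>\d+)\)(?P<level>\w+)\(\s*(?P<src>\d+)\):\s+"
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(?P<msg>.*)$"
)

def parse(line):
    """Return (timestamp, level, message), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
    return ts, m["level"], m["msg"]

def classify(lines):
    """Return (stage, seconds since 'SSL connecting to') for the first failure."""
    started = None
    for ts, _level, msg in filter(None, map(parse, lines)):
        if msg.startswith("SSL connecting to"):
            started = ts
        elif started and "do_tcp_connect() failed" in msg:
            # TCP never completed, so no TLS handshake or certificate was seen.
            return "tcp-connect", (ts - started).total_seconds()
        elif started and msg.startswith("Cannot get server cert"):
            # Assumption: with no TCP failure logged first, the stop came later.
            return "tls-or-cert", (ts - started).total_seconds()
    return "unknown", None

# Lines copied from the log posted above (placeholders as in the post).
POSTED = r"""
(P4512-T18044)Debug( 931): 10/18/24 09:30:16:956 SSL connecting to <correct external ip>
(P4512-T18044)Debug( 571): 10/18/24 09:30:16:960 Network is reachable
(P4512-T18044)Debug( 104): 10/18/24 09:30:21:989 connect failed with 5 seconds timeout.
(P4512-T18044)Debug( 936): 10/18/24 09:30:21:989 do_tcp_connect() failed
(P4512-T18044)Debug(13415): 10/18/24 09:30:21:989 Cannot get server cert of <correct external ip>
""".splitlines()

# Constructed variant: the same lines with the TCP failure records removed.
CONSTRUCTED = [l for l in POSTED
               if "connect failed" not in l and "do_tcp_connect" not in l]

if __name__ == "__main__":
    print(classify(POSTED))
    print(classify(CONSTRUCTED))
```

On the posted lines this reports the `tcp-connect` stage after about five seconds, matching the "connect failed with 5 seconds timeout" record that precedes "Cannot get server cert".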