Global Protect gateway is unresponsive

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect gateway is unresponsive

L3 Networker

I have a GP user complaining about his GP sessions getting dropped. He's using certificate auth autovpn. The full error is 

 

[Error]: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect. 

Network discovery started.

 

Now while that is going on, I see in Monitor/Global protect at that time is repeated messages of the client in pre-login

before-login status and no IP address yet assigned. What is likely going on? Any other logs to review?

 

TypeGenerate TimeEvent IDStageSource UserSource RegionPublic IPPublic IPv6Private IPPrivate IPv6Client Version
GLOBALPROTECT2/14/2022 4:45gateway-preloginbefore-loginACME-67321211157US200.33.22.1300.0.0.00.0.0.00.0.0.05.2.5
GLOBALPROTECT2/14/2022 4:44gateway-preloginbefore-loginACME-67321211157US200.33.22.1300.0.0.00.0.0.00.0.0.0

5.2.5

 

 

 

Client OSClient OS VersionRepeat CountStatusLogin DurationError CodePortalSequence NumberAction FlagsHigh Res TimestampSelection TypeResponse Time
WindowsMicrosoft Windows 10 Enterprise , 64-bit1success00GP_Gateway276045180x02022-02-14T04:45:07.499-08:00
WindowsMicrosoft Windows 10 Enterprise , 64-bit1success00GP_Gateway276044770x02022-02-14T04:44:35.386-08:00
8 REPLIES 8

L2 Linker

Hi @palomed ,

 

We're having a similar issue, just using standard authentication, not certificates.  Were you able to get a resolution for the issue?  Thanks.

 

Matt

Hi. We've had a lot of progress since then. One issue was upgrading to a more recent GP client. 5.2.12 

has been less problematic and worked past a known bug. I'm posting the login event phases you should

see in sequence as I was not clear on that part in February. Not that the get-config is when the address

is assigned. Also are you pulling down the GP client debugs? They have a lot of into including 

ipconfig /all, netstat -rn, GP events. I wish there was a way we could get that data without bothering

the user about it. But if you can get them to send it it's pretty insightful.

 

MichaelMedwid_0-1666800332359.png

 

For affected users, the only event we're seeing in the GP log on the firewall is portal-prelogin.  I've looked at the pangps.log from an affected client and it wasn't really helpful.  We've tried a few different GP versions, including the latest 6.1.0, and full uninstall/reboot/install.

 

Based on this thread, I'm thinking it might actually be a Windows update issue, but we haven't gotten to testing either uninstalling the October CU or installing the out-of-band patch noted there.  Thanks.

 

Matt

Perhaps the the pan_gp_event log.would be more helpful? That's my go-to.

L2 Linker

I looked at that too, but it's just 2 generic errors that aren't helpful.  One says "No Network Connectivity" but that's definitely not correct because the users can do everything else on their computers, 90% of which is online.

L3 Networker

And just to confirm - Networking/Portals/(portal)/Agent/Configs/External is good for the DNS name or IP address? 

And there's no chance users are connected to a legacy VPN nor in a branch office when trying to connect to GP? I had more than 

one try to connect while on legacy VPN or from a branch office. Later added Internal host detection in tab Internal. 

Yeah, we've been using GP for years and haven't changed the DNS name since we started.  The IP hasn't been changed for at least 2 years.  We have over 100 users connected right now.

 

The users are remote; we don't have any other VPNs we use and I doubt the users would know how to make their own 😂.

 

I just added the internal host detection today (as a potential fix to an unrelated cursor-changing-focus issue), but that's not going to do anything for remote users.

Good luck! I think at this point I'd bring in TAC and let them sort it out. 

  • 24258 Views
  • 8 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!