02-14-2022 12:41 PM
I have a GP user complaining about his GP sessions getting dropped. He's using certificate auth autovpn. The full error is
[Error]: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
Network discovery started.
Now while that is going on, I see in Monitor/Global protect at that time is repeated messages of the client in pre-login
before-login status and no IP address yet assigned. What is likely going on? Any other logs to review?
| Type | Generate Time | Event ID | Stage | Source User | Source Region | Public IP | Public IPv6 | Private IP | Private IPv6 | Client Version |
| GLOBALPROTECT | 2/14/2022 4:45 | gateway-prelogin | before-login | ACME-67321211157 | US | 200.33.22.130 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 5.2.5 |
| GLOBALPROTECT | 2/14/2022 4:44 | gateway-prelogin | before-login | ACME-67321211157 | US | 200.33.22.130 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 5.2.5
|
| Client OS | Client OS Version | Repeat Count | Status | Login Duration | Error Code | Portal | Sequence Number | Action Flags | High Res Timestamp | Selection Type | Response Time |
| Windows | Microsoft Windows 10 Enterprise , 64-bit | 1 | success | 0 | 0 | GP_Gateway | 27604518 | 0x0 | 2022-02-14T04:45:07.499-08:00 | ||
| Windows | Microsoft Windows 10 Enterprise , 64-bit | 1 | success | 0 | 0 | GP_Gateway | 27604477 | 0x0 | 2022-02-14T04:44:35.386-08:00 |
10-26-2022 09:08 AM
Hi. We've had a lot of progress since then. One issue was upgrading to a more recent GP client. 5.2.12
has been less problematic and worked past a known bug. I'm posting the login event phases you should
see in sequence as I was not clear on that part in February. Not that the get-config is when the address
is assigned. Also are you pulling down the GP client debugs? They have a lot of into including
ipconfig /all, netstat -rn, GP events. I wish there was a way we could get that data without bothering
the user about it. But if you can get them to send it it's pretty insightful.
10-26-2022 09:52 AM - edited 10-26-2022 09:53 AM
For affected users, the only event we're seeing in the GP log on the firewall is portal-prelogin. I've looked at the pangps.log from an affected client and it wasn't really helpful. We've tried a few different GP versions, including the latest 6.1.0, and full uninstall/reboot/install.
Based on this thread, I'm thinking it might actually be a Windows update issue, but we haven't gotten to testing either uninstalling the October CU or installing the out-of-band patch noted there. Thanks.
Matt
10-26-2022 09:59 AM
Perhaps the the pan_gp_event log.would be more helpful? That's my go-to.
10-26-2022 10:09 AM
I looked at that too, but it's just 2 generic errors that aren't helpful. One says "No Network Connectivity" but that's definitely not correct because the users can do everything else on their computers, 90% of which is online.
10-26-2022 10:36 AM - edited 10-26-2022 10:36 AM
And just to confirm - Networking/Portals/(portal)/Agent/Configs/External is good for the DNS name or IP address?
And there's no chance users are connected to a legacy VPN nor in a branch office when trying to connect to GP? I had more than
one try to connect while on legacy VPN or from a branch office. Later added Internal host detection in tab Internal.
10-26-2022 11:00 AM
Yeah, we've been using GP for years and haven't changed the DNS name since we started. The IP hasn't been changed for at least 2 years. We have over 100 users connected right now.
The users are remote; we don't have any other VPNs we use and I doubt the users would know how to make their own 😂.
I just added the internal host detection today (as a potential fix to an unrelated cursor-changing-focus issue), but that's not going to do anything for remote users.
10-26-2022 11:34 AM
Good luck! I think at this point I'd bring in TAC and let them sort it out.
04-22-2025 05:49 AM
@n.major I ended up opening a support case and after a month and a half of troubleshooting, they told me that it was a known bug fixed in 10.2.3, which was released a month before I even opened the case. Upgrading to that version resolved the issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
