Global Protect Internal Gateway "Not Connected"


I have a PA-440 running 10.2.3-h4. I have a working external GlobalProtect gateway and created an internal gateway. I have enabled "Internal Host Detection" and added the internal gateway information to the config of the portal. After trying to connect, the main GlobalProtect screen shows "Not Connected" with "Select the portal to connect and secure access to your applications and the internet.", however, the "Settings" screen shows "Connected - Internal". I do not see any user information in the firewalls for this client connection, however the GlobalProtect logs show successful authentication. Any idea why this would be happening?


Hi @jwalls ,

The logs you have provided show that the client is connecting and authenticating to the portal, but there are no logs from the internal gateway. You should see successful authentication from the internal gateway if the connection is successful.

Have you checked if traffic is allowed? Traffic from the GP client to the GP portal/gateway is also passing the policy. In general the default intra-zone rule would allow this (inside user to inside interface), but I would suggest that you first start by confirming that the FW is allowing the traffic to the internal gateway.

- Check traffic logs filtering by the internal gateway IP

From the client screenshots it looks like the internal host detection is working fine, but to confirm you can check GP logs.

- Check the logs "PanGPS.log" and "pan_gp_events.log". Here are some resources that might help you:

https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClUk

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS

Last episode of PANCast by @jarena can also help you - https://live.paloaltonetworks.com/t5/pancast/pancast-episode-17-globalprotect-connections-and-troubl...


Thanks! I dug into those logs a little deeper and saw: P1370-T31867 05/23/2023 14:34:24:869 Error(3312): Received DNS reverse lookup response error -65554

My Reverse DNS was not working properly for my internal gateway. Once I corrected that it is working perfectly!
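
The two checks this thread ended on, as an added example that is not from any poster or from Palo Alto Networks: scan PanGPS.log lines for the reverse-lookup error, then confirm the internal gateway's PTR record returns the expected name. The log layout is assumed from the single line quoted above; the IP addresses, hostname and `fake_resolver` are constructed placeholders.

```python
import re
import socket
from datetime import datetime

# Layout assumed from the one PanGPS.log line quoted in the thread:
# P<pid>-T<tid> MM/DD/YYYY HH:MM:SS:mmm Level(n): message
LINE_RE = re.compile(
    r"^P\d+-T\d+\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<level>\w+)\(\s*\d+\):\s*(?P<msg>.*)$"
)
RDNS_RE = re.compile(r"DNS reverse lookup response error (-?\d+)")

def find_rdns_errors(lines):
    """Return (timestamp, error_code) for every reverse-lookup failure logged."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        err = RDNS_RE.search(m["msg"]) if m else None
        if err:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S:%f")
            hits.append((ts, int(err.group(1))))
    return hits

def check_ptr(ip, expected_fqdn, resolver=socket.gethostbyaddr):
    """Check that the PTR record for ip resolves to the expected gateway name."""
    try:
        name, aliases, _ = resolver(ip)
    except OSError as exc:  # socket.herror / socket.gaierror: no usable answer
        return False, f"no PTR answer for {ip}: {exc}"
    names = {n.rstrip(".").lower() for n in (name, *aliases)}
    if expected_fqdn.rstrip(".").lower() in names:
        return True, f"{ip} -> {name}"
    return False, f"{ip} -> {name}, expected {expected_fqdn}"

SAMPLE_LOG = [
    # First line is the one quoted in the thread; the second is constructed.
    "P1370-T31867 05/23/2023 14:34:24:869 Error(3312): Received DNS reverse "
    "lookup response error -65554",
    "P1370-T31867 05/23/2023 14:34:25:102 Debug( 120): constructed filler line",
]

def fake_resolver(ip):
    """Constructed stand-in for DNS so the example runs offline."""
    if ip == "10.0.0.1":
        return ("gp-int.example.internal", [], [ip])
    raise socket.herror(1, "Unknown host")

if __name__ == "__main__":
    for ts, code in find_rdns_errors(SAMPLE_LOG):
        print(f"{ts.isoformat()} reverse lookup failed, error {code}")
    print(check_ptr("10.0.0.1", "gp-int.example.internal", fake_resolver))
    print(check_ptr("10.0.0.2", "gp-int.example.internal", fake_resolver))
```

Leaving out the `resolver` argument makes `check_ptr` query the resolver the client machine is actually configured with.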
