GlobalProtect - "Refresh Connection" API call via DLL/etc


L1 Bithead

Is there an API or any documentation on how to call the GlobalProtect "Refresh Connection" function from external code? I want to be able to call this function from custom external code.  The reason why is to fix a connection issue we are having through automation since we don't want to have to ask users to manually click that option.

 

If no external API call is possible, is there a command-line option to call "Refresh Connection"?

 

Why isn't Global Protect smart enough to call Refresh Connection on its own when an always on VPN connection breaks? There should be a way to monitor public IP addresses for reachability and automatically refresh the connection if it can't access the public IPs... Our AOVPN breaks frequently when machines go to sleep and wake up, screen is unlocked, etc.

17 REPLIES

L7 Applicator

@AAT 

No, GP does not provide an API to automate such things. But the problem you are talking about sounds like a bug of GP. Which version do you use right now?

Latest version.  It has been an issue for us for years on every version and never found a resolution.  Opened various tickets with PA, have one opened now.

 

The GP client needs to be smart enough to refresh the connection itself when it detects lack of network connectivity.  I'm trying to write an app in C++ to get-netadapter -interfacedescription "PANGP*" | restart-netadapter via powershell create process call if a certain public IP address can't be reached, but I shouldn't be needing to go to this level.  The client needs to have this bug fixed.  GP needs to automatically repair itself when Windows wakes from sleep on AOVPN connections / etc.
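
The workaround described in the post above (restart the PANGP* adapter when a chosen public IP stops answering), written as a PowerShell watchdog with a failure threshold and a cooldown so one lost ping does not bounce the tunnel. This is an added example, not code from the thread or from Palo Alto Networks; the probe address, thresholds and log path are assumptions.

```powershell
# Added example: connectivity watchdog for the workaround described above.
# Assumptions (not from the thread): probe address, thresholds, log path.
# Must run elevated (Restart-NetAdapter needs administrator rights).
param(
    [string]$ProbeAddress     = '192.0.2.10',   # placeholder; use the address you expect to reach
    [string]$AdapterPattern   = 'PANGP*',       # interface description quoted in the post
    [int]$FailuresBeforeReset = 3,              # consecutive failed probes before acting
    [int]$IntervalSeconds     = 20,
    [int]$CooldownSeconds     = 120,            # minimum gap between two restarts
    [string]$LogPath          = "$env:ProgramData\gp-watchdog.log"
)

function Write-Log([string]$Message) {
    # Sortable local timestamp followed by the message
    Add-Content -Path $LogPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

$failures  = 0
$lastReset = [datetime]::MinValue

while ($true) {
    if (Test-Connection -ComputerName $ProbeAddress -Count 2 -Quiet) {
        $failures = 0
    } else {
        $failures++
        Write-Log "probe to $ProbeAddress failed ($failures/$FailuresBeforeReset)"
    }

    $cooledDown = ((Get-Date) - $lastReset).TotalSeconds -ge $CooldownSeconds
    if ($failures -ge $FailuresBeforeReset -and $cooledDown) {
        # Skip adapters that are administratively disabled: a restart
        # (disable, then enable) would switch them back on.
        $adapters = Get-NetAdapter -InterfaceDescription $AdapterPattern -ErrorAction SilentlyContinue |
            Where-Object Status -ne 'Disabled'
        if ($adapters) {
            Write-Log "restarting: $($adapters.Name -join ', ')"
            $adapters | Restart-NetAdapter -Confirm:$false
            $lastReset = Get-Date
        } else {
            Write-Log "no enabled adapter matches '$AdapterPattern'; nothing restarted"
        }
        $failures = 0
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

This restarts the virtual adapter only; it does not invoke GlobalProtect's own "Refresh Connection" action, for which the thread reports no API.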

 

 

L7 Applicator

I have 11 open cases about global protect right now 😛

One of them is about the issue you mentioned. Just wait a little longer...

I will post back here if we get a solution from Palo Alto, please do the same @Remo 

 

This issue has been ongoing for years and it is not acceptable for the software to have such an obvious / easily fixable bug last so long.  We shouldn't have to be writing our own code / hacks to fix Palo Alto's VPN client

 

 

L7 Applicator

--> Global Protect 5.0.2

L7 Applicator

@AAT wrote:

This issue has been ongoing for years and it is not acceptable for the software to have such an obvious / easily fixable bug last so long.  We shouldn't have to be writing our own code / hacks to fix Palo Alto's VPN client


@AAT 

Then 5.0.2 will be the first release that is acceptable 😉

Hello,

 

Just want to report that we're also seeing this issue and we're running GP version 5.0.4-16

 

This is not mentioned in any of the "known issues" documentation.

 

-Gerson

Hi @mtx-admin 

What exactly is the problem you're seeing? In which situations does it happen exactly? Do you have an always-on config?

@Remo 

 

That's correct. We have always-on VPN. Whenever I or other users work remotely, very randomly some of our services will stop working (Outlook, Internet, etc.)

 

It's like the connection goes "stale" even though we're active on the system. Things come back online after we "Refresh Connection" in the VPN client.

 

We are on GlobalProtect 5.0.5

L1 Bithead

Did this ever get fixed? I have a customer who has issues w/ the GP client not transitioning the logged-in user from the Prelogon user to the logged-in user by way of prelogon-always client settings.

Hi @JD-SECD 

The requested solution in this topic probably isn't the solution for your situation. In the past I already had some issues like yours and in most of the cases (not all) the issue was a configuration problem or related to an issue with authentication profiles. Why don't you start a new topic where you describe your issue in detail and the configuration used, and then maybe the community is able to help you.

L1 Bithead

Hi @Remo , hope you are well. I didn't note a resolution from this thread. Are you able to advise on the bug ID and the version of GlobalProtect in which this issue is fixed?

L7 Applicator

Hi @beng 

Which issue are you now talking about exactly? The transition from the pre-logon user to the actual user? If yes, then as I wrote 2 months ago, in most cases this is a configuration issue. I assume you use an always on configuration and then what authentication method do you use?

L1 Bithead

Hi @Remo , connect method is Pre-logon (Always On) and authentication method is Azure SAML, using GlobalProtect v5.2.7. 

 

The issue I'm seeing is when a user loses internet and then regains internet, e.g. manually disconnects WiFi and then connects WiFi. GlobalProtect continually attempts to reconnect automatically, however it fails with "Gateway <GW_NAME>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect." The workaround is to manually hit the "Refresh Connection" button.

 

I've verified via Wireshark on my corporate laptop that there is no DNS resolution for vpn.<domain> upon those auto reconnects/failures, but there is DNS resolution for vpn.<domain> upon a manual "Refresh Connection".

 

I've logged a TAC case for this issue and will see how that goes... Out of curiosity, would you class this as expected behavior?
