Internal host detection issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Internal host detection issue

L2 Linker

Hello, 

Current setup is a 440 running 10.1.10-h2.

Global Protect version is 6.1.2

 

I have double and triple checked that it's not a reverse dns issue, following this article:

GlobalProtect app fails to detect Internal Network with Interna... - Knowledge Base - Palo Alto Netw...


global protect tries to connect internally to the vpn it fails with this error "The network connection is unreachable, or the portable is unresponsive. check the network connection and reconnect."

 

We have no internal Gateway configured.

 

Thanks!

 

The PanGPS.log snippet:

Spoiler
P11368-T10824)Debug(3062): 10/19/23 10:39:46:681 Gateway: vpn gateway, client IP: 10.51.10.30
(P11368-T10824)Debug(2616): 10/19/23 10:39:46:684 retrieve info of gateway vpn gateway
(P11368-T10824)Debug(2402): 10/19/23 10:39:46:684 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T10824)Debug(2370): 10/19/23 10:39:46:684 open http session. agent is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit)
(P11368-T10824)Debug(2402): 10/19/23 10:39:46:684 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T10824)Debug( 469): 10/19/23 10:39:46:685 winhttp SetSecureProtocol, hSession=06412540, bAllProtocol=0, gbFips=0
(P11368-T10824)Debug(2627): 10/19/23 10:39:46:685 Skip setting proxy for creating tunnel to gateway vpn.dpwt.com
(P11368-T10824)Debug(3537): 10/19/23 10:39:46:685 m_msp->IsInPreserveTunnel() 0, m_msp->IsPrelogonRenameAuthFail() 0
(P11368-T10824)Debug(14428): 10/19/23 10:39:46:685 Set m_bPrelogonRenameAuthFail to 0
(P11368-T10824)Debug(3567): 10/19/23 10:39:46:685 CPanGateway::RetrieveGatewayInfo portal default-browser value is 0, support yes
(P11368-T10824)Debug(3582): 10/19/23 10:39:46:685 ----Gateway Pre-login starts----
(P11368-T10824)Debug(11821): 10/19/23 10:39:46:685 Check cert of server vpn
(P11368-T10824)Debug(11836): 10/19/23 10:39:46:686 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P11368-T10824)Debug( 931): 10/19/23 10:39:46:686 SSL connecting to VPN IP
(P11368-T10824)Debug( 564): 10/19/23 10:39:46:692 Network is reachable
(P11368-T23104)Debug(2402): 10/19/23 10:39:48:687 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T23104)Debug( 564): 10/19/23 10:39:48:691 Network is reachable
(P11368-T23104)Debug( 149): 10/19/23 10:39:48:715 CPD, pan_http_captive_portal_detection: status is 200
(P11368-T23104)Debug( 162): 10/19/23 10:39:48:715 CPD, pan_http_captive_portal_detection() - captive portal isn't detected against server.
(P11368-T23104)Debug(5615): 10/19/23 10:39:48:715 CPD, index=0, iRet=-1, lastError=0
(P11368-T23104)Debug(5633): 10/19/23 10:39:48:715 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 200
(P11368-T23104)Debug(2402): 10/19/23 10:39:48:715 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T23104)Debug( 564): 10/19/23 10:39:48:722 Network is reachable
(P11368-T23104)Debug( 149): 10/19/23 10:39:48:735 CPD, pan_http_captive_portal_detection: status is 204
(P11368-T23104)Debug( 155): 10/19/23 10:39:48:735 CPD, no matching string
(P11368-T23104)Debug(5615): 10/19/23 10:39:48:735 CPD, index=1, iRet=-1, lastError=-1
(P11368-T23104)Debug(5633): 10/19/23 10:39:48:735 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 204
(P11368-T23104)Debug(2402): 10/19/23 10:39:48:735 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.2-83 (Microsoft Windows 10 Enterprise , 64-bit).
(P11368-T23104)Debug( 564): 10/19/23 10:39:48:753 Network is reachable
(P11368-T23104)Debug( 149): 10/19/23 10:39:48:764 CPD, pan_http_captive_portal_detection: status is 200
(P11368-T23104)Debug( 162): 10/19/23 10:39:48:764 CPD, pan_http_captive_portal_detection() - captive portal isn't detected against server.
(P11368-T23104)Debug(5615): 10/19/23 10:39:48:764 CPD, index=2, iRet=-1, lastError=-1
(P11368-T23104)Debug(5633): 10/19/23 10:39:48:764 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 200
(P11368-T23104)Debug(5823): 10/19/23 10:39:48:764 CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(P11368-T23104)Debug(5702): 10/19/23 10:39:48:764 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(P11368-T10824)Debug( 104): 10/19/23 10:39:51:728 connect failed with 5 seconds timeout.
(P11368-T10824)Debug( 626): 10/19/23 10:39:51:728 Failed to connect to vpn on 443 with return value -1 and socket error 0(0)
(P11368-T10824)Debug( 936): 10/19/23 10:39:51:728 do_tcp_connect() failed
(P11368-T10824)Error(11868): 10/19/23 10:39:51:728 ConnectSSL: Failed to connect to '208.76.117.6:443'. Disconnect ssl.
(P11368-T10824)Debug(11881): 10/19/23 10:39:51:728 Cannot get server cert of 208.76.117.6
(P11368-T10824)Debug(6411): 10/19/23 10:39:51:728 Already tried both ipv4 and ipv6 for gateway vpn
(P11368-T10824)Debug(6422): 10/19/23 10:39:51:728 pretunnel latency (manual gateway) is 1
(P11368-T10824)Error(3633): 10/19/23 10:39:51:728 Failed to connect to gateway vpn domain.
(P11368-T10824)Debug(5756): 10/19/23 10:39:51:728 Show Gateway vpn: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
(P11368-T10824)Info (2672): 10/19/23 10:39:51:728 Failed to retrieve info for gateway vpn.
(P11368-T10824)Debug(2683): 10/19/23 10:39:51:728 tunnel to vpn is not created.
(P11368-T14704)Debug(2537): 10/19/23 10:39:51:728 Setting debug level to 5
(P11368-T10824)Error(6354): 10/19/23 10:39:51:728 NetworkDiscoverThread: failed to discover external network.
(P11368-T10824)Debug(7417): 10/19/23 10:39:51:728 --Set state to Disconnected
(P11368-T10824)Debug(6418): 10/19/23 10:39:51:728 NetworkDiscoverThread: PortalStatus is 2, HasLoggedOnGateway is 0
(P11368-T10824)Debug(6420): 10/19/23 10:39:51:728 NetworkDiscoverThread: ((PORTAL_CACHED_CONFIG == m_nPortalStatus) && !m_bHasLoggedOnGateway)
(P11368-T10824)Debug(6441): 10/19/23 10:39:51:728 Network discovery is not ready, set GP VPN status as disconnected
(P11368-T10824)Debug(11990): 10/19/23 10:39:51:728 SetVpnStatus called with new status=0, Previous Status=0
(P11368-T10824)Debug(4376): 10/19/23 10:39:51:728 UpdatePrelogonStateForSSO() - tunnel state = Disconnected
(P11368-T10196)Debug( 329): 10/19/23 10:39:55:648 PanGpHipMp.exe exit for checking misssing patches.
(P11368-T10196)Debug( 393): 10/19/23 10:39:55:648 CheckHipMissingPatchInOtherProcess(): exits.
(P11368-T10196)Debug( 471): 10/19/23 10:39:55:648 Hip missing patch checking duration is 9
(P11368-T10824)Debug(6529): 10/19/23 10:39:56:741 NetworkDiscoverThread: Network discover is not successful. Retry.
(P11368-T10824)Info (6547): 10/19/23 10:39:56:741 OnDemand mode, skip retry network discovery.
(P11368-T10824)Debug(5946): 10/19/23 10:39:56:741 NetworkDiscoverThread: wait for network discover event.

 

4 REPLIES 4

Cyber Elite
Cyber Elite

Hi @MNoble ,

 

If you do not have an internal gateway configured, then you are not using Internal Host Detection.  This is most likely your issue -> https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Cm65.

 

Do you want your internal users to build an SSL or IPsec tunnel to the NGFW?  If not, configure an internal gateway with Tunnel Mode unchecked and configure Internal Host Detection.  Then you can use GP for User-ID only.

 

If you do want to build the tunnel, then create the NAT rule as described in the document so the traffic to the portal/gateway is not NATed.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks for your reply @TomYoung 

My goal is for always on clients to be able to detect when on internal network but not connect to ssl/ipsec tunnel.  my current situation is GP keeps trying to connect and showing an error.

So, an internal gateway is required in order for a global protect client to detect it's on an internal network? 

 

Thanks

 

Cyber Elite
Cyber Elite

Hi @MNoble ,

 

Looking at this doc, I guess it is not required!  https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways  So, yes, you would configure Internal Host Detection.  The internal gateway is optional.

 

I have seen other docs that say if the Internal Host Detection check is successful, the GP client will connect to an internal gateway.  I always thought it was required.

 

Regardless, it sounds like you need to fix your connection to the portal.  See the URL in my 1st post to resolve that issue.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Sorry for the late reply,

I'm going to open up a ticket with support on this to get confirmation.

 

Thanks

  • 1766 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!