Internal host detection not working



L5 Sessionator

Anyone have anything to look at for getting Internal Host Detection to work? I have been tearing my hair out for several days trying to figure out why the GP client will occasionally detect internal, but mostly defaults back to requiring a VPN login.


The setup is a new Wifi SSID (with corporate cert login) that is to be an internal network. Our GP clients are configured for User-Login (Always On) and connected from home or the corporate general Wifi (different SSID). I have set up the Internal Host Detection, the PC can connect to the new Wifi just fine and query the DNS records without issue - rDNS name matches Hostname. The first time a PC connects to the new Wifi the GP client detects it is on the internal network and allows connection as expected. After logging out/switching to a different network that requires VPN connection, and then switching back, the GP client will no longer detect it is on the internal network again.


Looking in the PanGPS.log, there are DNSQuery = 9003 errors when off network (as expected). When on the new Wifi there are no DNSQuery entries in the logs and no indication the GP client is attempting to do rDNS.


Things looked at/fixed already but didn't change behavior:

  • verified rDNS entry, resolvable on command line when internal, fixed case as I found a note saying it is case sensitive but it was intermittently working before changing as well
  • limited DNS servers, DHCP previously returned 3 DNS servers but the GP client only allows traffic to 2
  • changed to a completely different internal host for detection
  • changed automatic restoration of VPN timeout to 0min
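As an added illustration (example code, not from this thread or from Palo Alto Networks), the following script reproduces the decision the post is troubleshooting: a reverse lookup of the configured internal host IP whose PTR answer must match the configured hostname exactly and case-sensitively, plus a check of whether PanGPS.log shows the query being attempted at all. The IP and hostname are constructed placeholders, and the resolver can be swapped for a fake one to exercise the failure cases offline.

```python
import socket
from typing import Callable, Iterable, Optional, Tuple

# Constructed placeholder values: substitute the IP and hostname configured under
# the portal's Internal Host Detection settings. They are not the thread's values.
INTERNAL_HOST_IP = "10.10.0.5"
EXPECTED_HOSTNAME = "ihd-probe.corp.example.com"

Resolver = Callable[[str], Optional[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the OS resolver; None when there is no answer (the off-network case)."""
    try:
        name, _aliases, _addrs = socket.gethostbyaddr(ip)
        return name
    except (socket.herror, socket.gaierror, OSError):
        return None


def check_internal_host(ip: str, expected: str,
                        resolve: Resolver = reverse_lookup) -> Tuple[bool, str]:
    """Mirror the client's test: the PTR answer must equal the configured hostname
    exactly (case sensitive, as the post notes); anything else means 'external'
    and the client falls back to the VPN login prompt."""
    answer = resolve(ip)
    if answer is None:
        return False, f"no PTR record for {ip}: lookup fails, client stays external"
    if answer == expected:
        return True, f"PTR {answer} matches configured hostname: internal"
    if answer.lower() == expected.lower():
        return False, f"PTR {answer} differs from {expected} only by case: fix PTR or portal entry"
    return False, f"PTR {answer} does not match {expected}: external"


def detection_attempted(pangps_lines: Iterable[str]) -> bool:
    """True when the log shows the client issued the detection query at all.
    A session on the internal SSID with no DnsQuery lines means the client never
    tried, which is a different problem from a lookup that fails."""
    return any("dnsquery" in line.lower() for line in pangps_lines)


if __name__ == "__main__":
    ok, why = check_internal_host(INTERNAL_HOST_IP, EXPECTED_HOSTNAME)
    print("internal" if ok else "external", "-", why)
```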

L5 Sessionator

Some more testing has revealed an odd pattern:

1) Laptop not currently connected to any network, first ever attempt to connect to new Wifi-Internal:

Connects to Wifi-Internal with cert, gets DHCP, GP client recognizes internal host, switches to Connected-Internal. Can disconnect/reconnect to Wifi-Internal and works correctly.


2) Reboot laptop, or take laptop home and connect via normal VPN, bring laptop back to office and try to connect to Wifi-Internal:

Connects to Wifi-Internal with cert, gets DHCP, GP client does not recognize internal host, prompts for VPN login.


3) Connect laptop to Wifi-Public, connect to VPN, switch from Wifi-Public to Wifi-Internal without logging out/disconnecting from VPN:

Connects to Wifi-Internal with cert, gets DHCP, GP client recognizes internal host, switches to Connected-Internal.


4) Connect laptop to Wifi-Public, connect to VPN, disconnect from VPN, switch from Wifi-Public to Wifi-Internal:

Connects to Wifi-Internal with cert, gets DHCP, GP client does not recognize internal host, prompts for VPN login.



L5 Sessionator

Bump... Still fighting with this, detection is still very sporadic. If you are currently connected to the VPN and switch to the internal network (switch Wifi networks, suspend laptop offsite and come onsite and connect the internal network, etc.) then it auto-detects and goes to internal mode. But if you disconnect from the VPN (disconnect, select a different portal, reboot PC, etc.) and then join the internal network, it will sit forever at the VPN auth prompt.


PanGPS logs show no indication of DnsQuery happening on internal network and packet dumps show lots of DNS traffic, but not the host detection query (I can manually query DNS successfully from the internal network). 

L5 Sessionator

So... This is still working intermittently. We have found that if you explicitly login to the Portal first, the GP Client will do the internal host detection and show "Connected - Internal". However if you join the internal network after a power off/reboot, or some time away on the external gateway, the GP Client will usually not do an internal host detection.


PA support is now telling us that you have to log into the Portal every time, before the GP Client will do internal host detection. Is this right? You have to be connected to the Portal before the client will even attempt to determine if it is on an internal network? What is the point of having an internal network detection then, if you have to login anyways?


Logging into the Portal first is a problem for us, and a challenge for end users to move from network to network, as we require a full MFA login and there are places in the building where cell coverage does not work...

Yes, this is the correct behaviour.
Internal host detection was originally added to determine whether internal or external gateways should be used but has become a convenient way to prevent external gateway connection when connected to the corp LAN (by not actually entering any internal gateways). Could you not use cert auth to the portal and MFA to GW when prompted… or select your current app config to “on demand”.
