
RHEL 8: Cannot connect to local gpd service


L1 Bithead

RHEL 8.9

GlobalProtect_UI_focal_rpm-6.1.4.0-711.rpm

 

Any "globalprotect" command on the command line returns:

Cannot connect to local gpd service.

 

The PanGPA "service" exits very quickly.

 

Any suggestions ?


Community Team Member

Hi @D.White003479 ,

 

RH 8.9 is not listed on the compatibility matrix. 

Guess it's not (yet) supported:

https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/where-can-i-install-the-globalp...

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

It is not explicitly listed, but then neither is 8.2, 8.5, 8.6, or 8.8

Sorry, not helpful.

Community Team Member

Hi @D.White003479 ,

 

Sounds like PanGPA isn't actually running anymore.  Can you confirm ?

 

 

$ ps -ef | grep -i pangpa

 

 

 

If not, can you try this to start PanGPA manually and see if that works ?:

 

 

$ source /etc/profile.d/PanMSInit.sh (might be located in another path ... not sure about that).

 

 

Kind regards,

-Kim.


The file /etc/profile.d/PanMSInit.sh contains: 

#!/bin/bash
PANGPA=/opt/paloaltonetworks/globalprotect/PanGPA
pgrep -u $USER PanGPA > /dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ -f $PANGPA ]; then
        $PANGPA start &
    fi
fi

That binary exits only a few seconds after running it.

Is there any known way to debug this ?

Community Team Member

Hi @D.White003479 ,

 

Seems like the script isn't being initialised by the correct user.

 

Can you check if the user table actually shows your logged in user ?

 

> who -u

 

Make sure to run globalprotect as the same user running PanGPA.

 

Similar issue discussed here: 

https://live.paloaltonetworks.com/t5/general-topics/globalprotect-cannot-connect-to-local-gpd-servic...

 

Hope this helps,

-Kim.


PanGPA will not stay running.

Why ?

 

 

Community Team Member

Hi @D.White003479 ,

 

You might get more information by increasing the log level to debug and checking the panGPA.log file.

 

Kind regards,

-Kim.


The Linux client comes with no instructions or documentation.

How do I set the logging level ?

From a fresh reboot, I tried running the following commands:

globalprotect launch-ui
globalprotect

I also ran

/opt/paloaltonetworks/globalprotect/PanGPA start &

a few times.  The quick response each time was

[1]+ Done /opt/paloaltonetworks/globalprotect/PanGPA start

and my process table:

$ ps -ef | grep global
root 1151 1 0 17:38 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPS
<userid> 2547 2231 0 17:40 tty2 00:00:00 dbus-run-session /opt/paloaltonetworks/globalprotect/PanGPUI
<userid> 2568 2547 0 17:40 tty2 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPUI

Now for the log files:

From my home directory:

$ cat .GlobalProtect/PanGPI.log 
P3029-T1837705024 02/28/2024 17:45:46:522 Info ( 226): ##############Run GPI into direct mode.##############
P3029-T1817569024 02/28/2024 17:45:46:522 Info ( 687): debug thread starts
chmod: cannot access '/*.log': No such file or directory
P3029-T1837705024 02/28/2024 17:45:46:523 Error( 80): CPanMsgQueue::create - failed to open message queue. error = 2
P3029-T1837705024 02/28/2024 17:45:46:523 Error( 50): ConnectToGPA fail with error 2.
P3029-T1817569024 02/28/2024 17:45:47:524 Info ( 693): debug thread ends
P3035-T-620284096 02/28/2024 17:45:54:501 Info ( 212): ##############Run GPI into prompt mode.##############
P3035-T-640420096 02/28/2024 17:45:54:501 Info ( 687): debug thread starts
chmod: cannot access '/*.log': No such file or directory
P3035-T-620284096 02/28/2024 17:45:54:501 Error( 80): CPanMsgQueue::create - failed to open message queue. error = 2
P3035-T-620284096 02/28/2024 17:45:54:501 Error( 50): ConnectToGPA fail with error 2.
P3035-T-640420096 02/28/2024 17:45:55:501 Info ( 693): debug thread ends

and


$ cat .GlobalProtect/PanGPUI.log
P2568-T1132455680 02/28/2024 17:40:06:094 Info ( 687): debug thread starts
P2568-T2009580416 02/28/2024 17:43:07:303 Error( 89): Socket unable to connect to PanGPA
P2568-T2009580416 02/28/2024 17:43:07:303 Info ( 90): Retrying connection to PanGPA. Number of retries: 181

What is it trying to access to run a "chmod" on ?

Why am I getting "failed to open message queue" ?

 

and from /opt/paloaltonetworks:

$ cat /opt/paloaltonetworks/globalprotect/pan_gp_event.log
02/28/2024 17:38:43:863 [Info ]: GlobalProtect service started (client version: 6.1.4-711, OS version: Linux Red Hat Enterprise Linux 8.9).

and finally

$ cat /opt/paloaltonetworks/globalprotect/PanGPS.log
P1151-T733546304 02/28/2024 17:38:43:528 Debug( 336): PanGPS, working directory is /opt/paloaltonetworks/globalprotect/
P1151-T733546304 02/28/2024 17:38:43:529 Info ( 539): ####################### Start PanGPS service (ver: 6.1.4-711) #######################
P1151-T733546304 02/28/2024 17:38:43:529 Info ( 540): Debug level is 5, log path is /opt/paloaltonetworks/globalprotect/
P1151-T733546304 02/28/2024 17:38:43:530 Info ( 541): User is (null), home is /root, login is (null)
P1151-T733546304 02/28/2024 17:38:43:530 Info ( 150): Predeployed log-path-service is not set
P1151-T733546304 02/28/2024 17:38:43:530 Info ( 439): Get OS info: Red Hat Enterprise Linux 8.9
P1151-T733546304 02/28/2024 17:38:43:536 Debug( 464): Serial number is VMware-<redacted>
P1151-T733546304 02/28/2024 17:38:43:536 Debug( 107): IsDaemon is 1
P1151-T733546304 02/28/2024 17:38:43:541 Info ( 121): PrelogonEnabled is 0
P1151-T733546304 02/28/2024 17:38:43:541 Info ( 504): cannot open /var/run/PanGPS.pid, assume no old instance running
P1151-T711235328 02/28/2024 17:38:43:541 Info ( 687): debug thread starts
P1151-T733546304 02/28/2024 17:38:43:548 Debug( 285): stopping split tunnel feature!
P1151-T733546304 02/28/2024 17:38:43:548 Debug( 27): split tunnel script dir /opt/paloaltonetworks/globalprotect/network/config
P1151-T733546304 02/28/2024 17:38:43:551 Debug( 397): Uninstalling iptables DNS chain...
P1151-T733546304 02/28/2024 17:38:43:630 Debug( 27): split tunnel script dir /opt/paloaltonetworks/globalprotect/network/config
P1151-T733546304 02/28/2024 17:38:43:630 Debug( 459): Uninstalling iptables Split Tunnel chain & routing tables...
P1151-T733546304 02/28/2024 17:38:43:773 Debug( 306): split tunnel stopped!
P1151-T733546304 02/28/2024 17:38:43:773 Debug( 61): psv init called
P1151-T733546304 02/28/2024 17:38:43:833 Info (2458): CPanMSServiceLinux::findJoinDomain: szDomainName is : <DOMAIN>
P1151-T733546304 02/28/2024 17:38:43:833 Debug( 69): PanMSServiceLinux:ctor: m_szJoinDomain <DOMAIN>, m_szJoinDomainRaw <DOMAIN>
P1151-T733546304 02/28/2024 17:38:43:833 Debug( 72): PanMSServiceLinux:ctor: m_domainName <DOMAIN>, m_domainNameRaw <DOMAIN>
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 683): Service-only is no
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 735): Kerberos auth, stopOnKerberosFail=0()
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 740): Prefer ipv6 is yes.
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 763): CPanMSService::Init connect timeout 5, received timeout 30, portal timeout 5
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 800): CPanMSService::Init fips: fipsc-cc-mode-enabled
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 810): CPanMSService::Init enable-fips-cc-mode
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 821): CPanMSService::Init fips: m_bFipsModeRequired 0
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 238): GetValueBinary size 6
P1151-T733546304 02/28/2024 17:38:43:839 Debug( 899): Mac address is <00-00-00-00-00-00 redacted>
P1151-T733546304 02/28/2024 17:38:43:839 Debug(2402): pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.1.4-711 (Linux Red Hat Enterprise Linux 8.9).
P1151-T733546304 02/28/2024 17:38:43:839 Info (10860): CheckPrelogon: Portal is , PrelogonEnabled is no
P1151-T733546304 02/28/2024 17:38:43:861 Debug( 949): override-cc-username is no
P1151-T733546304 02/28/2024 17:38:43:862 Debug(5123): event log file is /opt/paloaltonetworks/globalprotect//pan_gp_event.log
P1151-T733546304 02/28/2024 17:38:43:863 Debug( 959): Event log thread started
P1151-T702842624 02/28/2024 17:38:43:863 Debug(5092): event log thread started.
P1151-T733546304 02/28/2024 17:38:43:863 Debug( 167): Time zone GMT offset is 0
P1151-T733546304 02/28/2024 17:38:43:865 Info (10749): Portal config does not exist, try registry/plist
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 354): default cert path is /etc/pki/tls/certs
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 379): default private key path is /etc/pki/tls/private
P1151-T733546304 02/28/2024 17:38:43:865 Debug(1485): cfg no client cert.
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 259): DLSA- agent is enable, restore lar during start up
P1151-T733546304 02/28/2024 17:38:43:865 Debug( 261): DLSA- Pan LAR file is /opt/paloaltonetworks/globalprotect/pan_lar.dat
P1151-T733546304 02/28/2024 17:38:43:866 Debug( 266): LAR file does not exist.
P1151-T733546304 02/28/2024 17:38:43:866 Debug( 72): CControlManagerLinux::StartServer() isFipsModeRequired() 0
P1151-T733546304 02/28/2024 17:38:43:866 Debug( 554): Start tunnel driver.
P1151-T733546304 02/28/2024 17:38:43:881 Info ( 114): Service callback table gets set.
P1151-T733546304 02/28/2024 17:38:43:881 Debug( 230): set virtual interface driver started as yes
P1151-T733546304 02/28/2024 17:38:43:881 Debug( 592): Virtual interface is started
P1151-T686057216 02/28/2024 17:38:43:883 Info ( 102): Start ServerThread
P1151-T694449920 02/28/2024 17:38:43:883 Debug( 440): RecvThread started.
P1151-T686057216 02/28/2024 17:38:43:885 Debug( 84): thread StartPanGPAThread is created.
P1151-T686057216 02/28/2024 17:38:43:885 Debug(10886): CPanMSService::StartPrelogonThread DaemonProcess: yes, InPrelogon: no
P1151-T686057216 02/28/2024 17:38:43:885 Debug(13470): Enforcer is not enabled  

RHEL 8 does not use iptables.

It uses nftables (and firewalld).

What is it trying to do with Kerberos ?

Where should the portal config be and what is the syntax / content ?

 

I have lots more questions and I am still looking for answers, please.
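
Added example (not part of the thread and not Palo Alto Networks code): a small triage parser for the log line layout visible in the PanGPI.log and PanGPUI.log excerpts above. It assumes the number logged after "error" is a Linux errno, under which 2 is ENOENT ("No such file or directory"), and it reports lines that do not follow the log layout, such as the chmod message, separately.

```python
import errno
import re

# Constructed sample: lines copied from the PanGPI.log and PanGPUI.log excerpts in the thread.
SAMPLE = """\
P3029-T1837705024 02/28/2024 17:45:46:522 Info ( 226): ##############Run GPI into direct mode.##############
chmod: cannot access '/*.log': No such file or directory
P3029-T1837705024 02/28/2024 17:45:46:523 Error( 80): CPanMsgQueue::create - failed to open message queue. error = 2
P3035-T-620284096 02/28/2024 17:45:54:501 Error( 50): ConnectToGPA fail with error 2.
P2568-T2009580416 02/28/2024 17:43:07:303 Error( 89): Socket unable to connect to PanGPA
"""

# Layout seen in the excerpts: P<pid>-T<tid> MM/DD/YYYY HH:MM:SS:mmm Level(<src line>): message
LINE_RE = re.compile(
    r"^P(?P<pid>\d+)-T(?P<tid>-?\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<level>[A-Za-z]+)\s*"
    r"\(\s*(?P<src>\d+)\):\s?(?P<msg>.*)$"
)
# Matches both "error = 2" and "error 2" as they appear in the messages.
CODE_RE = re.compile(r"\berror\s*=?\s*(\d+)\b", re.IGNORECASE)


def triage(text):
    """Return (error findings, stray lines that are not in the log layout)."""
    findings, stray = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            stray.append(line)  # e.g. stderr of a helper command mixed into the log
            continue
        if m["level"].lower() != "error":
            continue
        code_m = CODE_RE.search(m["msg"])
        code = int(code_m.group(1)) if code_m else None
        findings.append({
            "pid": int(m["pid"]),
            "tid": int(m["tid"]),
            "when": f'{m["date"]} {m["time"]}',
            "msg": m["msg"],
            "code": code,
            # Assumption: the number is an OS errno; None when no code is logged.
            "errno": errno.errorcode.get(code) if code is not None else None,
        })
    return findings, stray


if __name__ == "__main__":
    errors, stray = triage(SAMPLE)
    for e in errors:
        print(e["when"], e["pid"], e["errno"], e["msg"])
    print("unstructured lines:", stray)
```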

 
