12-22-2022 01:27 PM
Some of my users get the message stating their GlobalProtect client was unable to contact the gateway immediately after authenticating on their Duo MFA app. The interesting part is I have not been able to reduce this down to a machine problem. I have both an iMac and a Windows 10 laptop on my desk here for testing. I can sign into each of these devices with my user account and then successfully connect to the GlobalProtect gateway with my credentials. I can then disconnect from GlobalProtect, and while still signed into those machines with my user account, have the problematic user try to connect to GlobalProtect, upon which they get the same message about the gateway being unavailable.
The fact that the only thing which has changed in this scenario is which user account is being used in the GlobalProtect client is baffling. I have already opened a case with Palo in the past about this, but they just kept wanting to blame missing updates on the Windows 10 clients. This still has not addressed the above scenario I detailed. The machine and the interactively signed-in user profile have not changed.
Both my account and the problem account are members of the Domain Users security group and have their primary group membership set to Domain Users. I am not filtering connections by security group as I have not been able to successfully configure that, so all Active Directory users are allowed to connect at this time. Both my account and the problem account use Duo MFA.
I am at a loss trying to figure out what could possibly cause this problem at the account level. The firewall's GlobalProtect log only shows these 3 entries for the problem user (pared down for brevity):
| Status | Stage | Event | Auth Method |
| --- | --- | --- | --- |
| success | login | portal-auth | radius |
| success | login | portal-gen-cookie | radius |
| success | configuration | portal-getconfig | radius |
12-27-2022 12:59 PM
For further information, I've found these entries from the GPService log on the client machine when the user with the login problem tries connecting:
(P4928-T7320)Debug(3197): 12/22/22 14:12:05:284 GetHttpsResponse error is winhttpObj, error! ipaddress gpportal.msun.edu
bRetryWithoutCert is 0, bClientCertNeeded=0
(P4928-T7320)Debug(9740): 12/22/22 14:12:05:284 Portal config is NULL.
(P4928-T7320)Debug(9742): 12/22/22 14:12:05:284 Portal login issue
(P4928-T7320)Debug(8686): 12/22/22 14:12:05:284 Failed to get portal config from portal gpportal.msun.edu.
Additionally, there are several entries at various times which talk about a failure to read a cached portal configuration file. Again, none of these errors occur when I use my user credentials in the GP Client.