Unable to connect Global Protect VPN


L2 Linker

All our users are able to connect to our PA220 using Global Protect VPN except one. We've tried reinstalling the Global Protect client multiple times and also connected successfully using their account from another computer, but it just refuses to work on his.


(T13212) 01/12/22 08:51:51:118 Debug(2705): gateway vpn.xxxxxxxxxxxx.com's config is
<response status="success">
<need-tunnel>yes</need-tunnel>
<ssl-tunnel-url>/ssl-tunnel-connect.sslvpn</ssl-tunnel-url>
<portal>xxxxxxxxx Gateway-N</portal>
<user>xxxxxxxxxx</user>
<lifetime>2592000</lifetime>
<timeout>10800</timeout>
<disconnect-on-idle>10800</disconnect-on-idle>
<bw-c2s>1000</bw-c2s>
<bw-s2c>1000</bw-s2c>
<gw-address>144.xxx.xxx.xxx</gw-address>
<ip-address>192.168.253.26</ip-address>
<netmask>255.255.255.255</netmask>
<ip-address-preferred>yes</ip-address-preferred>
<dns>
<member>192.168.0.17</member>
<member>192.168.0.18</member>
</dns>
<wins>
</wins>
<dns-suffix>
<member>xxxxxxxxxx.local</member>
</dns-suffix>
<default-gateway>192.168.253.26</default-gateway>
<mtu>0</mtu>
<no-direct-access-to-local-network>no</no-direct-access-to-local-network>
<access-routes>
<member>192.168.0.0/24</member>
<member>192.168.0.17/32</member>
<member>192.168.0.18/32</member>
</access-routes>
<exclude-access-routes>
</exclude-access-routes>
<ipsec>
<udp-port>4501</udp-port>
<ipsec-mode>esp-tunnel</ipsec-mode>
<enc-algo>aes-256-gcm</enc-algo>
<hmac-algo>sha1</hmac-algo>
(T13212) 01/12/22 08:51:51:118 Debug(2731): There is no connected-gw-ip
(T13212) 01/12/22 08:51:51:118 Debug(4404): In SetGatewayRoute: The original route table:
(T13212) 01/12/22 08:51:51:118 Debug( 138): Destination NetMask Gateway Inf Metric
(T13212) 01/12/22 08:51:51:118 Debug( 153): 0.0.0.0 0.0.0.0 192.168.86.1 11 35
(T13212) 01/12/22 08:51:51:118 Debug( 153): 127.0.0.0 255.0.0.0 127.0.0.1 1 331
(T13212) 01/12/22 08:51:51:118 Debug( 153): 127.0.0.1 255.255.255.255 127.0.0.1 1 331
(T13212) 01/12/22 08:51:51:118 Debug( 153): 127.255.255.255 255.255.255.255 127.0.0.1 1 331
(T13212) 01/12/22 08:51:51:118 Debug( 153): 192.168.86.0 255.255.255.0 192.168.86.53 11 291
(T13212) 01/12/22 08:51:51:118 Debug( 153): 192.168.86.53 255.255.255.255 192.168.86.53 11 291
(T13212) 01/12/22 08:51:51:118 Debug( 153): 192.168.86.255 255.255.255.255 192.168.86.53 11 291
(T13212) 01/12/22 08:51:51:118 Debug( 153): 224.0.0.0 240.0.0.0 127.0.0.1 1 331
(T13212) 01/12/22 08:51:51:118 Debug( 153): 224.0.0.0 240.0.0.0 192.168.86.53 11 291
(T13212) 01/12/22 08:51:51:118 Debug( 153): 255.255.255.255 255.255.255.255 127.0.0.1 1 331
(T13212) 01/12/22 08:51:51:118 Debug( 153): 255.255.255.255 255.255.255.255 192.168.86.53 11 291
(T13212) 01/12/22 08:51:51:118 Debug(4414): SetGatewayRoute: GetBestRoute() returns Dest:0.0.0.0 Mask:0.0.0.0 if_index=11 metric1=35
(T13212) 01/12/22 08:51:51:118 Debug(4436): Created gateway route (144.xxx.xxx.xxx) succeeds
(T13212) 01/12/22 08:51:51:118 Debug( 271): Ipv6-connection is NULL
(T13212) 01/12/22 08:51:51:118 Debug( 318): gw-address-v6 is not specified
(T13212) 01/12/22 08:51:51:118 Debug( 324): remoteHostV6 is not specified
(T13212) 01/12/22 08:51:51:118 Debug( 349): ip-address-preferred value is yes
(T13212) 01/12/22 08:51:51:118 Debug( 374): ip-address-v6-preferred not found.
(T13212) 01/12/22 08:51:51:118 Debug(9707): Set preferred IP 192.168.253.26 for gateway 144.xxx.xxx.xxx user xxxxxxxxx
(T13212) 01/12/22 08:51:51:118 Debug(9716): Set preferred IPv6 for gateway 144.xxx.xxx.xxx user xxxxxxxxx
(T13212) 01/12/22 08:51:51:118 Debug( 514): DLSA, found no-direct-access-to-local-network tag, b_IsDLSASet set to false
(T13212) 01/12/22 08:51:51:118 Debug( 757): Encryption method is aes-256-gcm
(T13212) 01/12/22 08:51:51:118 Debug(3233): set driver connected as true
(T13212) 01/12/22 08:51:51:118 Debug( 594): use-ssl-only-tunnel is not configured and user cannnot change
(T13212) 01/12/22 08:51:51:118 Debug( 147): VPN idle timeout is 10800; config timeout is 10800
(T13212) 01/12/22 08:51:51:118 Debug( 70): c2s-spi is 0x40FDCF92, s2c-spi is 0xFDB3FD9C
(T13212) 01/12/22 08:51:51:118 Debug( 189): EnforceDns is enabled, set 2 GP pushed DNS servers
(T13212) 01/12/22 08:51:51:118 Debug( 164): Trying to do ipsec connection to 144.xxx.xxx.xxx[4501]
(T13212) 01/12/22 08:51:51:128 Debug( 550): Network is reachable
(T13212) 01/12/22 08:51:51:128 Info ( 176): Connected to: 144.xxx.xxx.xxx[4501], Sending keep alive to ipsec socket...
(T13212) 01/12/22 08:51:51:148 Info ( 214): Connected ipsec to 144.xxx.xxx.xxx(4501)
(T13212) 01/12/22 08:51:51:148 Info ( 329): tunnel to 144.xxx.xxx.xxx connected
(T13212) 01/12/22 08:51:51:288 Debug( 349): PsvRegister done
(T13212) 01/12/22 08:51:51:288 Debug( 25): create thread 0x4d0 with thread ID 1628
(T1628) 01/12/22 08:51:51:288 Debug( 398): VpnProcMonitor thread starts
(T1628) 01/12/22 08:51:51:288 Debug( 25): create thread 0x680 with thread ID 4752
(T4752) 01/12/22 08:51:51:288 Debug( 409): VpnProcDrv thread starts
(T13212) 01/12/22 08:51:51:298 Debug(1610): Get original UseDomainNameDevolution value 1
(T13212) 01/12/22 08:51:51:298 Debug(1636): Get original DNS SearchList value xxxxxxxxx.local,lan
(T13212) 01/12/22 08:51:51:298 Debug(1657): searchList: xxxxxxxxx.local
(T13212) 01/12/22 08:51:51:298 Debug(1657): searchList: lan
(T13212) 01/12/22 08:51:51:298 Error(1566): InstallClientConfig: Failed to find PANGP virtual adapter interface
(T6000) 01/12/22 08:51:51:298 Debug(2349): Setting debug level to 5
(T13212) 01/12/22 08:51:51:308 Error( 343): InstallClientConfig() failed
(T13212) 01/12/22 08:51:51:308 Error( 248): ProcMonitor: SetupNetwork() failed
(T1628) 01/12/22 08:51:51:308 Info ( 471): PktProcess: VPN disconnect event, get out of ProcMonitor
(T1628) 01/12/22 08:51:51:308 Debug( 544): Tunnel downtime is 16 miliseconds
(T4752) 01/12/22 08:51:51:308 Info ( 832): ProDrv: VPN disconnect event, get out of ProcDrv
(T4752) 01/12/22 08:51:51:308 Info ( 858): ProcDrv thread dies
(T1628) 01/12/22 08:51:51:308 Info ( 805): ProcDrv quit
(T1628) 01/12/22 08:51:51:308 Info ( 791): ProcMonitor thread dies
(T13212) 01/12/22 08:51:51:418 Debug( 293): do_disconnect is called in VPN stop
(T13212) 01/12/22 08:51:51:418 Debug( 227): IPSec anti-replay statistics: outside window count 0, replay count 0
(T13212) 01/12/22 08:51:51:418 Debug( 229): Disconnect udp socket
(T13212) 01/12/22 08:51:51:418 Debug( 505): unset network
(T13212) 01/12/22 08:51:51:418 Debug( 764): PreviousDNSInfo doesn't exist, no need to restore
(T13212) 01/12/22 08:51:51:418 Info ( 528): not call uninstallClientConfig, netSetup=000001EC5ADABDB0, clientConfig=000001EC5B9AE6F0, panMSService=000001EC5ADD25C0, panMSService->IsConfigInstalled()=0
(T13212) 01/12/22 08:51:51:418 Debug( 615): ipsec failed to start
(T13212) 01/12/22 08:51:51:418 Info ( 87): VPN is deleted
(T13212) 01/12/22 08:51:51:418 Debug( 147): VPN idle timeout is 10800; config timeout is 10800
(T13212) 01/12/22 08:51:51:418 Debug( 189): EnforceDns is enabled, set 2 GP pushed DNS servers
(T13212) 01/12/22 08:51:51:418 Debug( 62): Trying to do SSL connection to 144.xxx.xxx.xxx(443)
(T13212) 01/12/22 08:51:51:418 Debug( 777): SSL connecting to 144.xxx.xxx.xxx
(T13212) 01/12/22 08:51:51:428 Debug( 550): Network is reachable
(T13212) 01/12/22 08:51:51:498 Debug(1242): Failed to X509_LOOKUP_load_file
(T13212) 01/12/22 08:51:51:498 Debug( 363): Open_SSL_connection: subject '/CN=vpn.xxxxxxxxxx.com'
(T13212) 01/12/22 08:51:51:498 Debug( 367): Open_SSL_connection: issuer '/C=US/O=DigiCert Inc/CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1'
(T13212) 01/12/22 08:51:51:518 Info ( 110): Connected ssl tunnel to 144.xxx.xxx.xxx(443)
(T13212) 01/12/22 08:51:51:518 Info ( 329): tunnel to 144.xxx.xxx.xxx connected
(T13212) 01/12/22 08:51:51:588 Debug( 349): PsvRegister done
(T13212) 01/12/22 08:51:51:588 Debug( 25): create thread 0x60c with thread ID 9064
(T9064) 01/12/22 08:51:51:588 Debug( 398): VpnProcMonitor thread starts
(T9064) 01/12/22 08:51:51:588 Debug( 25): create thread 0x794 with thread ID 10648
(T10648) 01/12/22 08:51:51:588 Debug( 409): VpnProcDrv thread starts
(T13212) 01/12/22 08:51:51:598 Debug(1610): Get original UseDomainNameDevolution value 1
(T13212) 01/12/22 08:51:51:598 Debug(1636): Get original DNS SearchList value xxxxxxxxxx.local,lan
(T13212) 01/12/22 08:51:51:598 Debug(1657): searchList: xxxxxxxxxx.local
(T13212) 01/12/22 08:51:51:598 Debug(1657): searchList: lan
(T13212) 01/12/22 08:51:51:598 Error(1566): InstallClientConfig: Failed to find PANGP virtual adapter interface
(T13212) 01/12/22 08:51:51:598 Error( 343): InstallClientConfig() failed
(T13212) 01/12/22 08:51:51:598 Error( 248): ProcMonitor: SetupNetwork() failed
(T9064) 01/12/22 08:51:51:598 Info ( 471): PktProcess: VPN disconnect event, get out of ProcMonitor
(T9064) 01/12/22 08:51:51:598 Debug( 544): Tunnel downtime is 0 miliseconds
(T10648) 01/12/22 08:51:51:598 Info ( 832): ProDrv: VPN disconnect event, get out of ProcDrv
(T10648) 01/12/22 08:51:51:598 Info ( 858): ProcDrv thread dies
(T9064) 01/12/22 08:51:51:598 Info ( 805): ProcDrv quit
(T9064) 01/12/22 08:51:51:598 Info ( 791): ProcMonitor thread dies
(T13212) 01/12/22 08:51:51:718 Debug( 293): do_disconnect is called in VPN stop
(T13212) 01/12/22 08:51:51:718 Debug(1318): OpenSSL alert write:warning:close notify
(T13212) 01/12/22 08:51:51:718 Debug( 505): unset network
(T13212) 01/12/22 08:51:51:718 Debug( 764): PreviousDNSInfo doesn't exist, no need to restore
(T13212) 01/12/22 08:51:51:718 Info ( 528): not call uninstallClientConfig, netSetup=000001EC5ADABDB0, clientConfig=000001EC5B9AE6F0, panMSService=000001EC5ADD25C0, panMSService->IsConfigInstalled()=0
(T13212) 01/12/22 08:51:51:718 Error( 666): sslvpn failed to start
(T13212) 01/12/22 08:51:51:718 Info ( 87): VPN is deleted
(T13212) 01/12/22 08:51:51:718 Error(2448): CreateTunnel: SetConfig() failed
(T13212) 01/12/22 08:51:51:718 Debug(5894): UnsetGatewayRoutes: DeleteIpForwardEntry(144.xxx.xxx.xxx)
(T13212) 01/12/22 08:51:51:718 Debug(5942): --Set state to Connection failed
(T13212) 01/12/22 08:51:51:718 Debug( 914): Display hip report V4 on the UI
(T13212) 01/12/22 08:51:51:718 Debug(2463): VPN tunnel is not connected.
(T13212) 01/12/22 08:51:51:718 Debug(2465): returns FALSE.
(T13212) 01/12/22 08:51:51:718 Debug(2518): failed to create tunnel with gateway vpn.xxxxxxxxxx.com
(T13212) 01/12/22 08:51:51:718 Info (2236): logout: user=xxxxxxx, portal=xxxxxxxx Gateway-N, gateway=vpn.xxxxxxxxx.com, domain=xxxxxxxx, computerName=T9009
(T13212) 01/12/22 08:51:51:718 Debug(2268): Logout parameter is
(T13212) 01/12/22 08:51:51:728 Debug( 777): SSL connecting to 144.xxx.xxx.xxx
(T13212) 01/12/22 08:51:51:728 Debug( 550): Network is reachable
(T13212) 01/12/22 08:51:51:768 Debug(3974): SSL verify succeed
(T13212) 01/12/22 08:51:51:858 Debug(1318): OpenSSL alert write:warning:close notify
(T13212) 01/12/22 08:51:51:858 Debug(2314): Logged out gateway vpn.xxxxxxxxxxx.com
(T13212) 01/12/22 08:51:51:858 Debug(2536): tunnel to vpn.xxxxxxxxx.com is not created.
(T13212) 01/12/22 08:51:51:858 Error(4937): NetworkDiscoverThread: failed to discover external network.
(T13212) 01/12/22 08:51:51:858 Debug(4939): local system error, set error as VPN connection could not be established. Please restart your computer to try again.
(T13212) 01/12/22 08:51:51:858 Debug(5942): --Set state to Disconnected
(T6000) 01/12/22 08:51:51:858 Debug(2349): Setting debug level to 5
(T13212) 01/12/22 08:51:51:858 Debug( 914): Display hip report V4 on the UI
(T13212) 01/12/22 08:51:51:858 Debug(4989): NetworkDiscoverThread: PortalStatus is 2, HasLoggedOnGateway is 1
(T13212) 01/12/22 08:51:51:858 Debug(5005): Network discovery is not ready, set GP VPN status as disconnected
(T13212) 01/12/22 08:51:51:858 Debug(9914): SetVpnStatus called with new status=0, Previous Status=0
(T13212) 01/12/22 08:51:51:858 Debug(4116): UpdatePrelogonStateForSSO() - User-logon tunnel state = Disconnected
(T13212) 01/12/22 08:51:51:858 Debug(5024): local system error, need user action or wait 30 minutes to re-do network discovery
(T3556) 01/12/22 08:52:04:223 Debug( 139): Got hip report in other process ready event.
(T3556) 01/12/22 08:52:04:223 Debug( 158): Read output from PanGpHip.exe
(T3556) 01/12/22 08:52:04:223 Debug( 195): write hip file now
(T3556) 01/12/22 08:52:04:223 Debug( 221): CheckHipInOtherProcess() sets hip report ready event.
(T3556) 01/12/22 08:52:04:223 Debug( 135): Wait for the ready event of hip report generated in other process.
(T2544) 01/12/22 08:52:04:223 Debug(5160): HipReportThread: got HIP report ready event.
(T2544) 01/12/22 08:52:04:223 Debug(5176): HipReportThread: wait for network discover ready event.
(T3556) 01/12/22 08:52:05:403 Debug( 143): Got event for PanGpHip process has quited.
(T3556) 01/12/22 08:52:05:403 Debug( 338): CheckHip over
(T3556) 01/12/22 08:52:05:403 Debug( 282): Hip checking is not initiated by clicking resubmit host profile.
(T3556) 01/12/22 08:52:05:403 Debug( 216): HipCheckThread: wait for hip check event for 3600000 ms);
(T13844) 01/12/22 08:52:09:818 Debug( 334): PanGpHipMp.exe exit for checking misssing patches.
(T13844) 01/12/22 08:52:09:818 Debug( 396): CheckHipMissingPatchInOtherProcess(): exits.
(T13844) 01/12/22 08:52:09:818 Debug( 474): Hip missing patch checking duration is 19

Every time I try to post the log, the post disappears. Any ideas?

Hi 

 

As @BPry has advised, there are many issues with the installation of the GP client on Windows 7. Without the logs I too am unable to assist with any analysis (I have no idea, unfortunately, why they keep disappearing from here). If you have the licenses for it, I would suggest that you could possibly use clientless VPN for users that are running such legacy operating systems.

PCCSA PCNSA PCNSE PCSAE

Community Team Member

Hi @Jason.T,

 

Your posts got marked as spam by the spam crawler. I've cleared them and they are now visible.

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

This looks suspiciously like permissions issues when installing the PAN-GP adaptor 

 

(T13212) 01/12/22 08:51:51:598 Error(1566): InstallClientConfig: Failed to find PANGP virtual adapter interface
(T13212) 01/12/22 08:51:51:598 Error( 343): InstallClientConfig() failed
(T13212) 01/12/22 08:51:51:598 Error( 248): ProcMonitor: SetupNetwork() failed
(T9064) 01/12/22 08:51:51:598 Info ( 471): PktProcess: VPN disconnect event, get out of ProcMonitor

 

Is the user a local admin, or do they have admin privileges?

 

It may not be the issue but worth looking at for a start.

PCCSA PCNSA PCNSE PCSAE
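The log reading discussed above can be done mechanically. The following is an added example, not code from any poster or from Palo Alto Networks: it splits a PanGPS-style log into tunnel attempts and reports the first Error in each. The function names are hypothetical, and treating "every transport connected, then hit the same first error" as an endpoint-side fault is a heuristic assumed here.

```python
import re

# Line shape as seen in the log above: (T<thread>) date time Level(<src line>): message
LINE_RE = re.compile(
    r"^\(T(\d+)\)\s+(\S+)\s+(\S+)\s+(\w+)\s*\(\s*(\d+)\):\s*(.*)$")
ATTEMPT_RE = re.compile(r"Trying to do (ipsec|SSL) connection to", re.I)

# Excerpt of lines copied from the log posted in this thread.
SAMPLE_LOG = """\
(T13212) 01/12/22 08:51:51:118 Debug( 164): Trying to do ipsec connection to 144.xxx.xxx.xxx[4501]
(T13212) 01/12/22 08:51:51:148 Info ( 329): tunnel to 144.xxx.xxx.xxx connected
(T13212) 01/12/22 08:51:51:298 Error(1566): InstallClientConfig: Failed to find PANGP virtual adapter interface
(T13212) 01/12/22 08:51:51:418 Debug( 62): Trying to do SSL connection to 144.xxx.xxx.xxx(443)
(T13212) 01/12/22 08:51:51:518 Info ( 329): tunnel to 144.xxx.xxx.xxx connected
(T13212) 01/12/22 08:51:51:598 Error(1566): InstallClientConfig: Failed to find PANGP virtual adapter interface
(T13212) 01/12/22 08:51:51:718 Error( 666): sslvpn failed to start
"""

def parse(text):
    """Yield (thread_id, level, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(4), m.group(6)

def triage(text):
    """One record per tunnel attempt: transport, whether the tunnel came up,
    and the first Error logged during that attempt."""
    attempts = []
    for _tid, level, msg in parse(text):
        start = ATTEMPT_RE.search(msg)
        if start:
            attempts.append({"transport": start.group(1).lower(),
                             "connected": False, "first_error": None})
        elif attempts:
            cur = attempts[-1]
            if level == "Info" and msg.startswith("tunnel to") and msg.endswith("connected"):
                cur["connected"] = True
            elif level == "Error" and cur["first_error"] is None:
                cur["first_error"] = msg
    return attempts

def is_local_fault(attempts):
    """True when every transport connected but then hit the same first error."""
    errors = {a["first_error"] for a in attempts}
    return (len(attempts) > 1 and all(a["connected"] for a in attempts)
            and len(errors) == 1 and None not in errors)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), is_local_fault(triage(SAMPLE_LOG)))
```

On the excerpt, both the IPSec and the SSL attempt reach "tunnel ... connected" and then stop at the same InstallClientConfig error.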

L2 Linker

For some reason our RMM software was reporting it as Windows 7, but it turns out it's actually Windows 10, sorry. The router is handing out version 5.0.10-3 of the client software.

Removed GlobalProtect, logged in as a local admin and ran the MSI from an elevated command prompt. The PANGP adapter appears in network connections and is enabled but I still can't connect.

Cyber Elite

@Jason.T,

Why are you still handing out 5.0.10? That major version of GlobalProtect (5.0) is almost a year past EoL. I highly recommend validating and pushing out 5.1.8 or 5.2.9 to all of your endpoints instead of continuing to push out 5.0.10. Your logs definitely point towards an issue with the network adapter; since it's just on this one machine, it could be a local conflict with something else the user has installed. Do you deploy a standard image to users within this environment?

On this machine, I would go out and download the MSI for either of the supported versions listed above and use that on this machine just to see if a current agent installation actually connects okay.

We inherited this site off someone else and that's the state it was in when we got it. I'll try a newer version.

It looks like they let all the licensing lapse on the router. I don't have the option to upgrade the version there. Does anyone know somewhere I can download a newer installer?

Cyber Elite

@Jason.T,

I'm not sure if the actual client installation files can directly be shared to someone without violating licensing agreements. I would think they can since it's not an agent bundle file or anything loaded directly on the firewall as a package, but alas I'm not positive if that's the case.

So I'll let one of my sister state agencies do it for me: https://vpn.wisc.edu/clients/ 
