We recently started using Smart Deploy to image computers, and capture/deploy user profile data. I am having an issue that is hit or miss with each user profile that is migrated to the newly imaged computer using Smart Deploy (utilizes USMT). Smart Deploy leaves the default MIG.user, MIG.docs, and MIG.apps as is with the scan state and load state. I have the Application settings unchecked (Basically leaving out the MIG.apps).
The base imaged computer before data is transferred and after data is transferred will work with any other user attempting to connect to the VPN portal address, but the user whose data was transferred to that PC is unable to connect to the primary VPN portal address BUT is able to connect to the secondary VPN portal address. A quick note about the secondary is that users within our division never use the secondary or attempt to connect to it, only the primary. I have cleared out the computer and user certificates on the old machine, uninstalled Global Protect, deleted global protect files/folders, and ran a registry application to repair any issues. I also manually installed the VPN certificates on the new machine with no luck.
I then tried to capture the data again and redeploy it to the machine (after putting a new image on it again) and get the same error. Any help/ideas would be appreciated, thank you!
"The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect."
Did you do pcap on the firewall portal 1 to see if the client reaches the portal also did you check for drop pcap or global counters (you can see https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-r... )? Also check the Globalprotect logs on Firewall portal GUI or the HIP match logs.
You may also check if there is an issue between the AAA server and the Palo Alto firewall as mentioned in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A... . As it is just this user maybe not but maybe the AAA server does not return in time a reply.
Outside of that also collect logs from the PANGPS service on the computer https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS
My final thought is as you migrated all the data maybe things that shouldn't have been migrated have been like the globalprotect cookies or system info that the portal collects for HIP checks, so to clear the connection on the globalprotect agent and if it does not helpreinstall VPN agent on the computer. As the tool you use for migration maybe is nor migrating all the req keys for example, the issue may not be with Palo Alto, so also check with the tool vendor. Usefull links:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!