About JakeHarris

Community,   First off, I'm looking for ideas on what could possibly be causing a situation we are experiencing.  This is an issue with Always On Mode, using SAML authentication (built in browser, no default browser), in an Internal Host Detection state.  We are not having any issues with a remote user at all, only when the user moves from remote to an office.   Global Protect works well normally for internal host detection (no internal gateways).  We have a full FQDN DNS recursive lookup configured that works well.  However on occasion we will experience a user (usually 1-3 per week) that come into the office (after working on Always on VPN for several days) and can not connect to our internal network.  GP gives a connection error and because of traffic policy enforcement they can not connect to anything.  3 things are occurring at the point.  1. Client CAN nslookup the FQDN used for internal host detection, again this works from a command prompt, 2) Client can not communicate on the network, 3) Global Protect does not attempt internal host detection again.   The fix has been to move the client to a public guest network, restart the PAN GPS service and connect the user to the Portal/Gateway.  Once this is done, we switch the user back to the production internal network, internal host detection is working again.  Note: simply rebooting the laptop does not fix it, restarting PAN GPS service alone does not fix it.   We have clients running 5.2.9 and 5.2.12 that are experiencing this issue (Yes I have a ticket open, but not seeing much progress).  We were asked to set the user saving option in our portal config from "Save Username Only" to "No".  After doing this, almost every client in this test group began experiencing this issue, and several now experience the issue on every reboot or refresh connection.     Any help would be appreciated!   Looking through pangps.log we see a few errors, which ends up in turning on the enforcer, without a network discovery: (P17196-T12160)Error( 480): 06/09/22 14:46:41:944 CPanHTTPSession::PostRequest: WinHttpReceiveResponse failed with error code 12152. (P17196-T12160)Debug(1182): 06/09/22 14:46:41:944 PostRequest error code=12152(The server returned an invalid or unrecognized response) (P17196-T12160)Debug(7301): 06/09/22 14:46:41:944 prelogin to portal result is (null) (P17196-T12160)Debug(7603): 06/09/22 14:46:41:944 Failed to pre-login to the portal vpn.mycorp.com with return value 12152(The server returned an invalid or unrecognized response). (P17196-T12160)Debug(8461): 06/09/22 14:46:41:944 Failed to get portal config from portal vpn.mycorp.com. (P17196-T12160)Debug(8503): 06/09/22 14:46:41:944 Try to restore last portal config from file. (P17196-T12160)Debug(8554): 06/09/22 14:46:41:944 Skip retrieve cached portal configuration for empty user (P17196-T12160)Debug(8481): 06/09/22 14:46:41:944 portal status is Invalid portal. (P17196-T12160)Debug(7095): 06/09/22 14:46:41:944 --Set state to Disconnected (P17196-T7972)Debug(2530): 06/09/22 14:46:41:944 Setting debug level to 5 (P17196-T12160)Debug(1927): 06/09/22 14:46:41:944 unknown network type. (P17196-T12160)Debug(1898): 06/09/22 14:46:41:960 Send response to client for request portal (P17196-T7660)Debug( 845): 06/09/22 14:47:01:278 enforcer exception: call SPSetParameters to set 2 IPs   ... View more

We're testing upgrading to version 2.5.x and have run into a few changes with the new features.   We enabled "Use Default Browser for SAML Authentication", because you know ie, is going away.  After doing this, each time our end user authenticates, they receive an "Authentication Complete" Page, with a cryptic message about opening Global Protect and a link that doesn't work.  It comes from https://<VPNGatewayFQDN>/SAML20/SP/ACS   I've searched through documentation and can't seem to find anything about it, nor is it present as a response page you can customize.   Ideally we'd prefer the old behavior, close the browser window / tab that was used for the SAML authentication, but minimally, we need to reword this page so it doesn't confuse users.. Maybe use it as a banner.   This is not the "Global Protect App Welcome Page", that feature is disabled.   Any help would really be appreciated. ... View more

We received a report of some connectivity issues with an IPSEC tunnel between a Palo 5220 (9.1.8) and Azure VNG   Looking at this deeper, we see an odd rekey pattern happening with the IPSEC Rekey.  Every 4th rekey is a non-rekey and occurs short.  Can anyone help us understand what could possibly be causing this?  Its happening only on Azure VPN tunnels (multiple).   In the detail log of this rekey we see this:  Note: the first message, this is only seen on a short rekey (non-rekey) { 3: }: test-vpn-azure: IKEv2 SA test initiate start. { 3: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test-vpn-azure <==== ====> Initiated SA: x.x.x.x[500]-x.x.x.x[500] SPI:c8d0792b57f54007:0000000000000000 SN:1382 <==== { 3: }: x.x.x.x[500] - x.x.x.x[500]:0x7f80364df7d0 ignoring notification payload (type NAT_DETECTION_SOURCE_IP) inside unauthenticated response { 3: }: x.x.x.x[500] - x.x.x.x[500]:0x7f80364df7d0 ignoring notification payload (type NAT_DETECTION_DESTINATION_IP) inside unauthenticated response { 3: }: x.x.x.x[500] - x.x.x.x[500]:0x7f80364df7d0 vendor id payload ignored { 3: }: x.x.x.x[500] - x.x.x.x[500]:0x7f80364df7d0 vendor id payload ignored { 3: }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test-vpn-azure <==== ====> Initiated SA: x.x.x.x[500]-x.x.x.x[500] message id:0x00000000 parent SN:1382 <==== { 3: }: x.x.x.x[500] - x.x.x.x[500]:0x7f8020018720 authentication result: success { 3: 42}: SADB_UPDATE proto=255 x.x.x.x[500]=>x.x.x.x[500] ESP tunl spi 0x9683CEAB auth=NON-AUTH enc=AES256-GCM16/36 lifetime soft 22932/0 hard 27000/0 { 3: 42}: SADB_ADD proto=255 x.x.x.x[500]=>x.x.x.x[500] ESP tunl spi 0x2CE69680 auth=NON-AUTH enc=AES256-GCM16/36 lifetime soft 22161/0 hard 27000/0 { 3: 42}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel test-vpn-azure <==== ====> Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x9683CEAB/0x2CE69680 lifetime 27000 Sec lifesize unlimited <==== { 3: 42}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS INITIATOR, non-rekey; tunnel test-vpn-azure <==== ====> Established SA: x.x.x.x[500]-x.x.x.x[500] message id:0x00000001, SPI:0x9683CEAB/0x2CE69680 parent SN:1382 <==== { 3: }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS INITIATOR, non-rekey; gateway test-vpn-azure <==== ====> Established SA: x.x.x.x[500]-x.x.x.x[500] SPI:c8d0792b57f54007:0a2d7efeeb1193e1 SN:1382 lifetime 28800 Sec <==== { 3: }: === reauth: SA 1363 is to be replaced === { 3: 42}: child SA has been replaced by 5748235 { 3: 42}: child SA has been replaced, skip { 3: }: child SA state EXPIRED, skip { 3: }: no more child SA to be renegotiated { 3: }: remove duplicate IKE SA, sn 1363 { 3: }: received DELETE payload, protocol ESP, num of SPI: 1 IKE SA state ESTABLISHED { 3: }: delete proto ESP spi 0x6EE318D4 { 3: 42}: ====> IPSEC KEY DELETED; tunnel test-vpn-azure <==== ====> Deleted SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xCD0C0EC3/0x6EE318D4 <==== { 3: 42}: SADB_DELETE proto=255 src=x.x.x.x[0] dst=x.x.x.x[0] ESP spi=0xCD0C0EC3 { 3: 42}: SPI 9683CEAB inserted by IKE-SA rekey, return 0 0. { 3: 42}: SPI CD0C0EC3 removed by IKE SA delete, return 0 0. { 3: }: received DELETE payload, gateway test-vpn-azure SA state ESTABLISHED, SPI fdbd7849a0b8df4c:f1ddca2cbbb7576c { 3: }: x.x.x.x[500] - x.x.x.x[500]:(nil) closing IKEv2 SA test-vpn-azure:1363, code 7   Time since rekey Log time subtype tunnelname message 06:37:48 4/2/2021 19:59 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x81034CD1/0x926E541E lifetime 27000 Sec lifesize unlimited. 06:18:54 4/3/2021 2:18 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xCD0C0EC3/0x6EE318D4 lifetime 27000 Sec lifesize unlimited. 00:54:26 4/3/2021 3:12 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x9683CEAB/0x2CE69680 lifetime 27000 Sec lifesize unlimited. 06:09:19 4/3/2021 9:22 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xCF69DCCE/0xB5BEF37C lifetime 27000 Sec lifesize unlimited. 06:26:33 4/3/2021 15:48 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x932AE983/0x934683A0 lifetime 27000 Sec lifesize unlimited. 06:01:12 4/3/2021 21:49 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDA550800/0xD174AA42 lifetime 27000 Sec lifesize unlimited. 01:53:24 4/3/2021 23:43 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xB91F7B2C/0xC19A9436 lifetime 27000 Sec lifesize unlimited. 06:29:24 4/4/2021 6:12 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xD4FD6806/0x0F125AE4 lifetime 27000 Sec lifesize unlimited. 06:42:09 4/4/2021 12:55 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDA33BD67/0xEF69E2C0 lifetime 27000 Sec lifesize unlimited. 06:43:57 4/4/2021 19:38 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xAA2F1596/0xD55198EE lifetime 27000 Sec lifesize unlimited. 00:45:09 4/4/2021 20:24 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xCD989A2B/0xCD6926FC lifetime 27000 Sec lifesize unlimited. 06:21:45 4/5/2021 2:45 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x9E19B31B/0xE4A767CE lifetime 27000 Sec lifesize unlimited. 06:32:15 4/5/2021 9:18 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x926F8224/0xD2BC38B4 lifetime 27000 Sec lifesize unlimited. 06:29:51 4/5/2021 15:47 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x85C728D3/0xC1B881B6 lifetime 27000 Sec lifesize unlimited. 00:57:18 4/5/2021 16:45 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xF749CCFC/0x5AEE5E60 lifetime 27000 Sec lifesize unlimited. 06:29:33 4/5/2021 23:14 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDBAADBE9/0x786C75AE lifetime 27000 Sec lifesize unlimited. 06:07:57 4/6/2021 5:22 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xFE0969C4/0xE5AF7E2E lifetime 27000 Sec lifesize unlimited. 06:17:06 4/6/2021 11:39 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xFCAC5175/0xE067D15C lifetime 27000 Sec lifesize unlimited. 01:36:26 4/6/2021 13:16 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xB3725065/0x83C35C10 lifetime 27000 Sec lifesize unlimited. 06:21:01 4/6/2021 19:37 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x96A719F1/0x5633637E lifetime 27000 Sec lifesize unlimited. 06:26:33 4/7/2021 2:03 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xF6124B6D/0xD2B1BEF8 lifetime 27000 Sec lifesize unlimited. 06:08:50 4/7/2021 8:12 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDDE237D5/0x9907DC8E lifetime 27000 Sec lifesize unlimited. 01:32:25 4/7/2021 9:45 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDD8D0279/0x204E5CC0 lifetime 27000 Sec lifesize unlimited. 06:44:41 4/7/2021 16:29 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xEA6222A8/0x5CFC83CE lifetime 27000 Sec lifesize unlimited. 06:37:04 4/7/2021 23:06 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xAAB91393/0x51355638 lifetime 27000 Sec lifesize unlimited. 06:37:12 4/8/2021 5:44 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xB315DCDF/0x5E3ED9A8 lifetime 27000 Sec lifesize unlimited. 00:32:32 4/8/2021 6:16 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x86E54C0C/0xB4E6AB98 lifetime 27000 Sec lifesize unlimited. 06:33:46 4/8/2021 12:50 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDBC676F4/0xB78D532C lifetime 27000 Sec lifesize unlimited. 06:27:27 4/8/2021 19:17 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xE2035E0B/0x13C40192 lifetime 27000 Sec lifesize unlimited. 06:34:12 4/9/2021 1:52 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xDC4328BB/0x5E4B110C lifetime 27000 Sec lifesize unlimited. 00:34:57 4/9/2021 2:26 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0xA3148E6C/0x88754888 lifetime 27000 Sec lifesize unlimited. 06:41:41 4/9/2021 9:08 ipsec-key-install Test-VPN-Azure IPSec key installed. Installed SA: x.x.x.x[500]-x.x.x.x[500] SPI:0x8A0888AC/0x6740FE62 lifetime 27000 Sec lifesize unlimited. ... View more

After installing and connecting to Global Protect, FW policy logs are showing large amounts of UDP 137 getting blocking from Global Protect clients going to many random Public IP's.  Any idea what would cause this?  Public IP's have been MS, AWS, Google owned. ... View more