
GlobalProtect agent fails to connect and shows “Invalid portal” after user login


Symptom

When configuring the GlobalProtect connect method to “User-logon (Always On),” the agent is set to automatically connect to the portal after a user logs in.

However, instead of establishing a successful connection, the agent displays an “Invalid portal” error.

Environment

In environments where endpoints experience an initial delay in connecting to the network, the agent is unable to connect to the portal.

For example, in the snapshot below, the ping command results in a “General Failure,” and the network adapter icon on the taskbar indicates no internet connection.

Even after network connectivity is established, the agent remains in a “Not Connected” state and does not attempt to connect to the portal. The following snapshot shows that ping responses are being received, and the network adapter icon on the taskbar indicates an internet connection.

When the user clicks on the “Connect” option, they are prompted to enter a username and password to connect to the portal.

Cause

This behavior occurs because the network is unavailable when the agent attempts to connect to the portal. Simultaneously, the agent attempts to use cached portal configuration but fails due to an empty user field. As a result, the portal status is set to “Invalid portal,” and the state is set to “Disconnected,” preventing further connection attempts.

The sample PanGPS.log from GlobalProtect agent logs highlights this issue:

(T4332) 12/18/19 12:14:01:278 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:14:01:278 Debug(4114): TriggerCaptivePortalDetection()  return due to captive portal detection is in progress (0) or PreLogin is Done (1) 
(T4332) 12/18/19 12:14:01:294 Debug(5786): Network is not available
(T4332) 12/18/19 12:14:01:294 Debug(6916): Failed to get portal config from portal 172.16.59.1.
(T4332) 12/18/19 12:14:01:294 Debug(6944): Try to restore last portal config from file.
(T4332) 12/18/19 12:14:01:294 Debug(6986): Skip retrieve cached portal configuration for empty user
(T4332) 12/18/19 12:14:01:294 Debug(6936): portal status is Invalid portal.
(T4332) 12/18/19 12:14:01:294 Debug(5720): --Set state to Disconnected

Snapshot 3 from the Environment section also shows empty username and password fields.

Upon reviewing the portal configuration, it is evident that the “Save User Credential” option is set to ‘No’:

Resolution

To avoid this issue while using the “User-logon (Always On)” connect method, ensure that the “Save User Credential” option is set to either ‘Yes’ or “Save Username Only”:


In cases where there is an initial delay in the endpoint connecting to the network, the agent will not set the state to “Invalid portal” and will continue using the cached portal configuration:

(T4332) 12/18/19 12:29:09:449 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:29:09:449 Debug(4114): TriggerCaptivePortalDetection()  return due to captive portal detection is in progress (0) or PreLogin is Done (1) 
(T4332) 12/18/19 12:29:09:465 Debug(5786): Network is not available
(T4332) 12/18/19 12:29:09:715 Debug(6936): portal status is Using cached portal config.
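
To check collected PanGPS.log files for either outcome, the following Python script (an added example, not part of the original article or of any Palo Alto Networks tooling) splits a log at each pre-login marker and labels how the attempt ended. The line format and message strings come from the two excerpts on this page; the function names, the verdict labels, and the assumption that an attempt's lines appear consecutively are illustrative.

```python
import re
from datetime import datetime

# Line shape seen in this page's excerpts:
# (T<thread>) MM/DD/YY HH:MM:SS:mmm Level(<n>): <message>
LINE_RE = re.compile(
    r"\(T\d+\)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+\w+\s*\(\s*\d+\):\s*(.*)")

def parse_line(line):
    """Return (timestamp, message) for a PanGPS.log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return (datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f"), m.group(2).strip()) if m else None

def classify_attempts(lines):
    """Split the log at each pre-login marker and label how the attempt ended."""
    attempts, cur = [], {}  # lines before the first marker land in a discarded dict
    for ts, msg in filter(None, map(parse_line, lines)):
        if "Portal Pre-login starts" in msg:
            cur = {"start": ts, "network_down": False, "empty_user": False, "status": None}
            attempts.append(cur)
        elif msg == "Network is not available":
            cur["network_down"] = True
        elif "cached portal configuration for empty user" in msg:
            cur["empty_user"] = True
        elif msg.startswith("portal status is "):
            cur["status"] = msg[len("portal status is "):].rstrip(".")
    for a in attempts:
        # The failure described in the Cause section needs all three signals together.
        stuck = a["status"] == "Invalid portal" and a["network_down"] and a["empty_user"]
        cached = a["status"] == "Using cached portal config"
        a["verdict"] = "stuck_invalid_portal" if stuck else "cached_retry" if cached else "other"
    return attempts

# Sample input: the two excerpts from this page (captive-portal lines omitted).
SAMPLE = """\
(T4332) 12/18/19 12:14:01:278 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:14:01:294 Debug(5786): Network is not available
(T4332) 12/18/19 12:14:01:294 Debug(6916): Failed to get portal config from portal 172.16.59.1.
(T4332) 12/18/19 12:14:01:294 Debug(6944): Try to restore last portal config from file.
(T4332) 12/18/19 12:14:01:294 Debug(6986): Skip retrieve cached portal configuration for empty user
(T4332) 12/18/19 12:14:01:294 Debug(6936): portal status is Invalid portal.
(T4332) 12/18/19 12:14:01:294 Debug(5720): --Set state to Disconnected
(T4332) 12/18/19 12:29:09:449 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:29:09:465 Debug(5786): Network is not available
(T4332) 12/18/19 12:29:09:715 Debug(6936): portal status is Using cached portal config."""

if __name__ == "__main__":
    for a in classify_attempts(SAMPLE.splitlines()):
        print(a["start"], a["status"], a["verdict"])
```

A `stuck_invalid_portal` verdict on an endpoint points to the “Save User Credential” setting covered in the Resolution section.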

As long as there is no network connectivity to the endpoint, the agent will remain in a connecting state:

Once network connectivity is restored, the agent will make a successful connection without any user intervention:

Conclusion

By configuring the “Save User Credential” option appropriately, you can ensure that the GlobalProtect agent maintains a connection even when there are initial delays in network connectivity, thereby preventing the “Invalid portal” error and ensuring a seamless user logon experience.
