Phase 1: Troubleshooting GlobalProtect Connection Issues
When facing issues with the GlobalProtect agent failing to connect and displaying an “Invalid portal” message, follow these steps to diagnose and resolve the problem:
Check ISP-Related Issues
- Ping the Peer IP:
- Ping the peer IP from the firewall, sourcing the ping from the PA external interface.
- Ensure pings are enabled on the peer’s external interface.
- If pings are blocked due to security policies, verify if the peer responds to main/aggressive mode messages or DPDs (Dead Peer Detection).
- System Logs:
- Check the system logs under the Monitor tab or the ikemgr logs for responses to “Are you there?” messages.
Verify Configuration Settings
- IKE Identity:
- Ensure the IKE identity is correctly configured.
- Policy Configuration:
- Ensure a policy is in place to permit IKE and IPSec applications.
- If a clean-up rule is configured, the policy should typically be from the external zone to the external zone.
- Proposals and Preshared Key:
- Verify that proposals are correct. Check for mismatches in the system logs or by using the CLI command:
> less mp-log ikemgr.log
- Ensure the preshared key is correct. Mismatches can be identified in the system logs or with the same CLI command.
- Packet Captures:
- Take packet captures to analyze traffic. Use filters to narrow the scope of captured traffic.
Useful CLI Commands
- Show and Test IKE-SA:
> show vpn ike-sa gateway <name>
> test vpn ike-sa gateway <name>
- Debug IKE Status:
> debug ike stat
Advanced CLI Commands
- Enable Detailed Logging:
> debug ike global on debug
> less mp-log ikemgr.log
- Capture Negotiation Packets:
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
- Disable Debugs:
> debug ike pcap off
> debug ike global off
Additional Checks
- NAT-T (Network Address Translation-Traversal):
- Verify if NAT-T is enabled. Packets should be on port 4500 instead of 500 from the 5th and 6th messages of the main mode.
- Vendor ID Compatibility:
- Ensure the vendor ID of the peer is supported on the Palo Alto Networks device and vice versa.
Phase 2: Troubleshooting VPN Tunnel Negotiation
Verify Tunnel Negotiation
- Unidirectional SPIs:
- Check if the firewalls are negotiating the tunnels, ensuring that two unidirectional SPIs exist:
> show vpn ipsec-sa
> show vpn ipsec-sa tunnel <tunnel.name>
- Proposals and PFS:
- Ensure proposals are correct. Mismatches can be found under the system logs or with:
> less mp-log ikemgr.log
- Verify if Perfect Forward Secrecy (PFS) is enabled on both ends. Logs about mismatches can be found similarly.
- Proxy-ID Configuration:
- Check the proxy-ID configuration, especially when the peer is from another vendor. A mismatch would be indicated in the system logs or by using:
> less mp-log ikemgr.log
Useful CLI Commands
- Show VPN Flow:
> show vpn flow name <tunnel.id/tunnel.name>
> show vpn flow name <tunnel.id/tunnel.name> | match bytes
- Encapsulation and Decapsulation:
- Ensure encapsulation and decapsulation bytes are increasing. If encapsulation bytes increase but decapsulation is constant, the firewall is sending but not receiving packets.
- Conversely, if decapsulation bytes increase but encapsulation is constant, the firewall is receiving but not transmitting packets.
- Routing and Policy Checks:
> test routing fib-lookup virtual-router default ip <destination IP>
> show routing route
> test vpn ipsec-sa tunnel <name>
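To apply the encapsulation/decapsulation check above without eyeballing counters, here is an added helper (not part of the original post or of PAN-OS) that compares two samples of `show vpn flow name <tunnel> | match bytes` taken a few seconds apart and reports which direction is moving. It assumes the counter lines are labelled "encap bytes:" and "decap bytes:" as in PAN-OS output; the sample text is constructed.

```python
import re

# Counter lines as printed by `show vpn flow name <tunnel> | match bytes`.
# The "encap bytes:" / "decap bytes:" labels are assumed to match PAN-OS output.
COUNTER_RE = re.compile(r"^\s*(encap|decap) bytes:\s+(\d+)\s*$", re.MULTILINE)


def parse_counters(output: str) -> dict:
    """Return {'encap': int, 'decap': int} from one sample of the command output."""
    counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(output)}
    missing = {"encap", "decap"} - counters.keys()
    if missing:
        raise ValueError(f"counter(s) not found in output: {sorted(missing)}")
    return counters


def classify_tunnel(before: str, after: str) -> str:
    """Compare two samples taken a few seconds apart and name the traffic pattern."""
    b, a = parse_counters(before), parse_counters(after)
    encap_up = a["encap"] > b["encap"]   # firewall is sending into the tunnel
    decap_up = a["decap"] > b["decap"]   # firewall is receiving from the tunnel
    if encap_up and decap_up:
        return "bidirectional: tunnel is passing traffic both ways"
    if encap_up:
        return "tx-only: sending but not receiving (check peer-side routing/policy and upstream ESP/NAT-T handling)"
    if decap_up:
        return "rx-only: receiving but not transmitting (check local routing and security policy)"
    return "idle: no traffic in either direction (run the fib-lookup and policy checks)"


# Constructed samples, not real device output, of two runs of the command.
SAMPLE_T0 = """\
        encap bytes:            102400
        decap bytes:            98304
"""
SAMPLE_T1 = """\
        encap bytes:            204800
        decap bytes:            98304
"""

if __name__ == "__main__":
    # Encap grew, decap did not: the firewall is sending but not receiving.
    print(classify_tunnel(SAMPLE_T0, SAMPLE_T1))
```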
Advanced CLI Commands
- Enable and Capture Detailed Logs:
> debug ike global on debug
> less mp-log ikemgr.log
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
- Disable Debugs:
> debug ike pcap off
> debug ike global off
Resolving Traffic Issues in Established Tunnels
- Security Policy and Routing:
- Check security policies and routing configurations.
- Upstream Devices:
- Verify if any upstream devices are performing port-and-address translations, which might drop ESP packets due to the lack of port numbers.
- Debug and Packet Captures:
- Apply debug packet filters and captures to isolate where traffic is being dropped.
troubleshoot and resolve GlobalProtect connection issues and ensure VPN tunnel stability.