Palo Alto Networks Knowledgebase: Tips & Tricks: GlobalProtect IPv6 Troubleshooting Part 2 LSVPN

Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:00 AM
Resolution

Over the last couple of months, my Tips & Tricks have been about GlobalProtect IPv6 and troubleshooting.
In case you missed those, here are the links:
Tips & Tricks: How to configure GlobalProtect and IPv6
Tips & Tricks: GlobalProtect IPv6 Troubleshooting (T is for...)

But there was a lot of information that I left out about LSVPN, which is why I am now bringing you Part 2 of the GlobalProtect IPv6 Troubleshooting - LSVPN.

 

Inside this troubleshooting article, I will discuss the following areas:

  1. LSVPN gateway: Current Satellite (WebGUI)
  2. LSVPN satellite: Gateway info (WebGUI)
  3. LSVPN portal/gateway: System Log (WebGUI)
  4. LSVPN portal/gateway: System Log (CLI)
  5. LSVPN satellite: System Log (WebGUI)
  6. LSVPN satellite: System Log (CLI)
  7. LSVPN gateway: Gateway info (CLI)
  8. LSVPN gateway: Current satellites (CLI)
  9. LSVPN gateway: Tunnel info (CLI)
  10. LSVPN satellite: local info (CLI)
  11. LSVPN satellite: Current gateway (CLI)
  12. LSVPN satellite: Tunnel info (CLI)

 

 

1. LSVPN gateway: Current Satellite (WebGUI)

We will start by looking at the current GlobalProtect satellites. In the WebGUI, go to Network > GlobalProtect > Gateways to see the GlobalProtect gateways listed, then click "Satellite Info" to open a pop-up window with the active Satellite information. The window is titled "GlobalProtect Gateway Status", but it shows both Active and Inactive Satellites, along with the Satellite name, public IP, Tunnel IP and route sharing info, as well as a "Logout" icon to log a Satellite out. This is useful because it shows in one place which Satellites are connected and which are inactive.

 

gp-lsvpn-ipv6-1.png


2. LSVPN satellite: Gateway info (WebGUI)

A second place to get more information is the Gateway Info. This is found under Network > IPSec Tunnels, where the IPSec Tunnels are listed. Under the IKE Gateway/Satellite - Status area, look for "Gateway Info." Click it to open the GlobalProtect Satellite Configuration and RunTime Status window. It shows the GlobalProtect Satellite info, the GlobalProtect Portal info and the Satellite status.

 

The GlobalProtect Satellite information includes the Name, Interface, Tunnel Interface Local IP (IPv4) and Local IPv6 information. The GlobalProtect Portal area shows the Address, the Connected IP and the Status. There is an option to "refresh portal config" if there have been any portal changes that you want to take effect. The window also lists the Satellite status, with the Gateway, Status, Priority, Gateway Address and Tunnel Monitor information.

gp-lsvpn-ipv6-2.png

 
3. LSVPN portal/gateway: System Log (WebGUI)

The next place to look for information is the System Logs, located under Monitor > Logs > System. To see only GlobalProtect information, click on one of the "Type" entries and change the filter to "( subtype eq globalprotect )" for GlobalProtect or "( subtype eq sslmgr )" to get more information about the Satellites. It might be easier to use both to get the most information. The log should show any failures as well as successful connections.

gp-lsvpn-ipv6-3.png

 

4. LSVPN portal/gateway: System Log (CLI)

To get detailed information about the LSVPN portal/gateway via the CLI, you will need to type in the following command: 

 

> show log system object equal LSVPN direction equal backward


Time Severity Subtype Object EventID ID Description
===============================================================================
2016/10/05 13:14:21 info globalp LSVPN- globalp 0 GlobalProtect Site to Site Gateway tunnel is up. Remote Satellite 10.193.122.63 2000:1000::63 with serial number: 007099000008767 connected successfully to Gateway on local interface: tunnel.1

2016/10/05 13:14:21 info globalp LSVPN- globalp 0 GlobalProtect gateway satellite authentication succeeded. Login from: 2000:1000::63, Satellite device: 007099000008767.

2016/10/05 13:14:11 info globalp LSVPN- globalp 0 GlobalProtect portal satellite configuration generated. Login from: 2000:1000::63, Satellite device: 007099000008767, Config name: LSVPN-config-1.

2016/10/05 13:14:11 info globalp LSVPN- globalp 0 GlobalProtect portal satellite certificate success. Login from: 2000:1000::63, Satellite device: 007099000008767.

2016/10/05 13:14:11 info globalp LSVPN- globalp 0 GlobalProtect portal satellite authentication succeeded. Login from: 2000:1000::63, Satellite device: 007099000008767, config: LSVPN-config-1.
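
The five messages above trace one satellite's bring-up, oldest at the bottom because the log is displayed backward. As an added example (not part of the original article or of any Palo Alto Networks tooling), this Python reads saved output of that command and reports, per satellite serial number, the first bring-up stage that has no success message. The stage names, the function name and the last three sample lines (serial 000000000000001, source 2001:db8::99) are constructed for illustration.

```python
import re

# Bring-up stages in chronological order, using the message texts shown in
# the article's "show log system ... direction equal backward" output.
STAGES = [
    ("portal-auth", "portal satellite authentication succeeded"),
    ("portal-cert", "portal satellite certificate success"),
    ("portal-config", "portal satellite configuration generated"),
    ("gateway-auth", "gateway satellite authentication succeeded"),
    ("tunnel-up", "Site to Site Gateway tunnel is up"),
]
SERIAL_RE = re.compile(r"(?:serial number|Satellite device): (\d+)")
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

# First five lines are the article's output; the last three are constructed
# (serial 000000000000001, source 2001:db8::99) to show a stalled satellite.
SAMPLE = """\
2016/10/05 13:14:21 info globalp LSVPN- globalp 0 GlobalProtect Site to Site Gateway tunnel is up. Remote Satellite 10.193.122.63 2000:1000::63 with serial number: 007099000008767 connected successfully to Gateway on local interface: tunnel.1
2016/10/05 13:14:21 info globalp LSVPN- globalp 0 GlobalProtect gateway satellite authentication succeeded. Login from: 2000:1000::63, Satellite device: 007099000008767.
2016/10/05 13:14:11 info globalp LSVPN- globalp 0 GlobalProtect portal satellite configuration generated. Login from: 2000:1000::63, Satellite device: 007099000008767, Config name: LSVPN-config-1.
2016/10/05 13:14:11 info globalp LSVPN- globalp 0 GlobalProtect portal satellite certificate success. Login from: 2000:1000::63, Satellite device: 007099000008767.
2016/10/05 13:14:11 info globalp LSVPN- globalp 0 GlobalProtect portal satellite authentication succeeded. Login from: 2000:1000::63, Satellite device: 007099000008767, config: LSVPN-config-1.
2016/10/05 13:20:05 info globalp LSVPN- globalp 0 GlobalProtect portal satellite configuration generated. Login from: 2001:db8::99, Satellite device: 000000000000001, Config name: LSVPN-config-1.
2016/10/05 13:20:05 info globalp LSVPN- globalp 0 GlobalProtect portal satellite certificate success. Login from: 2001:db8::99, Satellite device: 000000000000001.
2016/10/05 13:20:05 info globalp LSVPN- globalp 0 GlobalProtect portal satellite authentication succeeded. Login from: 2001:db8::99, Satellite device: 000000000000001, config: LSVPN-config-1.
"""

def bring_up_status(log_text):
    """Return {serial: (first_missing_stage_or_None, time_of_last_event)}."""
    seen = {}
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        serial = SERIAL_RE.search(line)
        stage = next((name for name, text in STAGES if text in line), None)
        if not (ts and serial and stage):
            continue  # header, separator, blank or unrelated line
        stages, last = seen.setdefault(serial.group(1), [set(), ""])
        stages.add(stage)
        # Timestamps are YYYY/MM/DD HH:MM:SS, so string order is time order.
        seen[serial.group(1)][1] = max(last, ts.group(0))
    return {s: (next((n for n, _ in STAGES if n not in st), None), last)
            for s, (st, last) in seen.items()}
```

A missing stage can also mean the message fell outside the saved log window, so confirm against the full system log before concluding the satellite stalled there.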


5. LSVPN satellite: System Log (WebGUI)

Back inside Monitor > Logs > System, use "( subtype eq satd )" to see only the LSVPN Satellite information. This shows the connection status.

gp-lsvpn-ipv6-4.png


6. LSVPN satellite: System Log (CLI)

Inside the CLI, to see just the LSVPN satellite information, use the following command:

 

> show log system object equal satd direction equal backward

 

Time Severity Subtype Object EventID ID Description
===============================================================================
2016/10/05 13:14:21 info satd tunnel satd-tu 0 Satellite on interface:tunnel.64 (assigned IP: 10.100.0.10 1000:1000:0:0:0:0:0:10) connected successfully to remote Gateway 2000:1000::64

2016/10/05 13:14:21 info satd LSVPN- satd-ga 0 GlobalProtect Satellite connection to gateway started.Satellite trying to reconnect to Gateway 2000:1000::64 2000:1000::64.

2016/10/05 13:14:10 info satd LSVPN- satd-po 0 GlobalProtect Satellite connection to portal started.Satellite trying to reconnect to Portal 2000:1000::64.


7. LSVPN gateway: Gateway info (CLI)

Inside the CLI, if you would like more information about the LSVPN Gateway, you can use the following command to provide detailed information about Interfaces, IPv4 and IPv6 address, IP Pool ranges IPv4 and IPv6 as well as Access Routes:

 

> show global-protect-gateway gateway

 

gp-lsvpn-ipv6-5.png

 


8. LSVPN gateway: Current satellites (CLI)

To get more information about the LSVPN current satellites, you can use the following command to see detailed information on both public and private IPv4 and IPv6 info:

 

> show global-protect-gateway current-satellite

 

gp-lsvpn-ipv6-6.png

 

 

Notes: Tunnel interface has both IPv4 and IPv6 addresses - both families can be tunneled.
The tunnel is established with the IPv6 addresses (outermost headers)


9. LSVPN gateway: Tunnel info (CLI)

Another good command to know about is the command:

> show global-protect-gateway flow-site-to-site

This command will show the site to site flow, gateway info, local interface ip and tunnel info.

 

Then to drill down more, you can get details on the LSVPN gateway with the command:

> show global-protect-gateway flow-site-to-site name LSVPN-GW-1-S tunnel LSVPN-GW-1-S

 

gp-lsvpn-ipv6-7.png

Notes: Gateways are indexed by the FQDN or the IPv4 address!
This does not mean that the tunnel is established on the IPv4 address.

 

10. LSVPN satellite: local info (CLI)

Sometimes you need to drill down and get more detailed information about the satellite. The following command shows you these details:

 

> show global-protect-satellite satellite

 

gp-lsvpn-ipv6-8.png

Note: IPv6 connection to the gateway is not preferred; however, no IPv4 gateway address is configured on the portal.
The satellite connects to the IPv6 gateway address.

 

<command continued>

gp-lsvpn-ipv6-9.png


11. LSVPN satellite: Current gateway (CLI)

In order to see more of the config on the current gateway, use the following command:

 

> show global-protect-satellite current-gateway

 

 

gp-lsvpn-ipv6-10.png

gp-lsvpn-ipv6-11.png


12. LSVPN satellite: Tunnel info (CLI)

To see flow and specific details about the GlobalProtect Satellite tunnels, use the following commands:

 

> show global-protect-gateway flow-site-to-site

 

Then drill down even more with the command:

 

 

> show global-protect-gateway flow-site-to-site tunnel-id 1

 

gp-lsvpn-ipv6-12.png

 

Note:
The following command:

> show global-protect-gateway flow-site-to-site tunnel-id 1

has the same output as

> show running tunnel flow tunnel-id 1

 

This concludes GlobalProtect IPv6 LSVPN troubleshooting.  I hope that you have learned something from this and that it will help when troubleshooting this topic.

 

As always, we welcome all feedback and comments below. 

 

Stay Secure! 

Joe Delio

 

See also

For even more troubleshooting for GlobalProtect, please view:

Troubleshooting GlobalProtect

 

 


