How to detect when Global Protect client fails to establish IPSec VPN tunnel with the GP Gateway

114799
Created On 09/25/18 19:50 PM - Last Modified 09/05/25 09:16 AM


Symptom


The GlobalProtect Gateway is configured with the IPSec option enabled, which means that GlobalProtect clients will always attempt to establish an IPSec VPN tunnel when connecting. If the IPSec connection fails, the client will automatically fall back to using the SSL protocol.

[Image: KB32 - GP IPSec vs SSL VPN detection]



Environment


  • NGFW
  • Any PANOS
  • GlobalProtect Gateway IPSec Tunnel


Resolution


If you want to monitor when GlobalProtect clients fail to form an IPSec tunnel, and be able to track such conditions historically, you can use one of the two options explained below.

The first option is to go to Network > GlobalProtect > Gateway, then click on Remote Users. Look for the "Tunnel Type" column to identify the connection protocol.

Alternatively, when a client connects to the Gateway via SSL, the firewall generates the following entry in the System Log:

2016/04/19 12:41:13 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client2, Private IP: 10.225.18.2.

So the second option is to monitor the System Log for the specific entries that indicate an SSL VPN tunnel was established instead of an IPSec tunnel.

Furthermore, if the rasmgr process is set to debug level (debug rasmgr on debug), the following lines are written to rasmgr.log when a client forms an IPSec tunnel:

2016-04-19 12:43:11.127 +0200 debug: sslvpn_tunnel_install_esp(src/rasmgr_sslvpn.c:2738): Installing GW Tunnel, indicate to keymgr

2016-04-19 12:43:23.129 +0200 debug: rasmgr_sslvpn_refresh(src/rasmgr_sslvpn.c:1901): portal GP-Gateway-N, user client2

When the client falls back to an SSL VPN tunnel, the following lines are written to rasmgr.log instead:

2016-04-19 12:41:13.472 +0200 debug: rasmgr_sysd_update_obj(src/rasmgr_sysd_if.c:1099): change tunnel.ssl.cmd.msg

2016-04-19 12:41:24.262 +0200 debug: rasmgr_sslvpn_refresh(src/rasmgr_sslvpn.c:1901): portal GP-Gateway-N, user client2
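The following script is an added example, not part of this article and not a Palo Alto Networks tool. It implements the second option above (monitoring the System Log for the "switch to SSL tunnel mode succeeded" entry) and also classifies the rasmgr.log debug markers shown above into IPSec versus SSL tunnel events. The sample log text is constructed from the entries in this article, and the one filler System Log line is invented so the parser has a non-matching line to skip; the regular expressions assume the entry formats shown above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed System Log sample in the format the article shows. The second and third
# lines follow the article's fallback entry; the first line is constructed filler
# (not a real PAN-OS message) so the parser has something to ignore.
SYSTEM_LOG_SAMPLE = """\
2016/04/19 12:40:01 info     globalp GP-Gat globalp 0  GlobalProtect gateway constructed filler event. User name: client1.
2016/04/19 12:41:13 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client2, Private IP: 10.225.18.2.
2016/04/19 12:55:40 info     globalp GP-Gat globalp 0  GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: client7, Private IP: 10.225.18.9.
"""

# Constructed rasmgr.log sample assembled from the debug lines quoted in the article.
RASMGR_LOG_SAMPLE = """\
2016-04-19 12:41:13.472 +0200 debug: rasmgr_sysd_update_obj(src/rasmgr_sysd_if.c:1099): change tunnel.ssl.cmd.msg
2016-04-19 12:41:24.262 +0200 debug: rasmgr_sslvpn_refresh(src/rasmgr_sslvpn.c:1901): portal GP-Gateway-N, user client2
2016-04-19 12:43:11.127 +0200 debug: sslvpn_tunnel_install_esp(src/rasmgr_sslvpn.c:2738): Installing GW Tunnel, indicate to keymgr
2016-04-19 12:43:23.129 +0200 debug: rasmgr_sslvpn_refresh(src/rasmgr_sslvpn.c:1901): portal GP-Gateway-N, user client2
"""

# Matches the System Log entry the firewall writes when a client lands on SSL.
SSL_FALLBACK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"client switch to SSL tunnel mode succeeded\. "
    r"User name: (?P<user>[^,]+), Private IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.?\s*$"
)

# Leading timestamp of a rasmgr.log debug line, e.g. "2016-04-19 12:41:13.472 +0200".
RASMGR_TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) ")


@dataclass(frozen=True)
class SslFallback:
    timestamp: str
    user: str
    private_ip: str


def find_ssl_fallbacks(system_log: str) -> list[SslFallback]:
    """Return every System Log entry recording a client that ended up on an SSL tunnel."""
    events: list[SslFallback] = []
    for line in system_log.splitlines():
        m = SSL_FALLBACK_RE.match(line)
        if m:
            events.append(SslFallback(m["ts"], m["user"], m["ip"]))
    return events


def classify_rasmgr_log(rasmgr_log: str) -> list[tuple[str, str]]:
    """Map rasmgr.log debug lines to ('ipsec' | 'ssl', timestamp) using the article's two markers.

    The rasmgr_sslvpn_refresh lines carry the user name but appear for both tunnel types,
    so they are deliberately not used as a classifier here.
    """
    events: list[tuple[str, str]] = []
    for line in rasmgr_log.splitlines():
        m = RASMGR_TS_RE.match(line)
        if not m:
            continue
        if "sslvpn_tunnel_install_esp(" in line and "Installing GW Tunnel" in line:
            events.append(("ipsec", m["ts"]))
        elif "change tunnel.ssl.cmd.msg" in line:
            events.append(("ssl", m["ts"]))
    return events


def tunnel_type_counts(rasmgr_log: str) -> dict[str, int]:
    """Count how many IPSec and SSL tunnel events the rasmgr.log extract contains."""
    counts = {"ipsec": 0, "ssl": 0}
    for kind, _ in classify_rasmgr_log(rasmgr_log):
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    for ev in find_ssl_fallbacks(SYSTEM_LOG_SAMPLE):
        print(f"{ev.timestamp}  SSL fallback  user={ev.user}  private_ip={ev.private_ip}")
    print("rasmgr.log tunnel events:", tunnel_type_counts(RASMGR_LOG_SAMPLE))
```

In practice you would feed `find_ssl_fallbacks` an exported System Log (or wire the same regular expression into a SIEM rule) and alert when the count of fallbacks for a gateway rises, since a sudden cluster of "switch to SSL tunnel mode succeeded" entries usually means UDP/4501 is being blocked somewhere on the path rather than a per-client problem.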


Additional Information


Here are some of the differences between an SSL connection and an IPSec connection:
  • If IPSec is enabled on the Gateway, it takes precedence over the SSL tunnel
  • There is no IKE negotiation, as the IPSec parameters are exchanged within the SSL control session
  • The client will first try the IPSec connection on port 4501 (UDP-encapsulated ESP packets)
  • If there is no response from the gateway (for example, because the traffic is filtered), the client falls back to SSL

