Palo Alto Networks Knowledgebase: GlobalProtect Portal Error: 'Failed to retrieve info for gateway', 'tunnel to x.x.x.x is not created'

GlobalProtect Portal Error: 'Failed to retrieve info for gateway', 'tunnel to x.x.x.x is not created'

9187
Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Resolution

Issue

When configuring a GlobalProtect Portal, a tunnel interface needs to be used. Configuring GlobalProtect Portal with no tunnel interface will result in the following error:

  • Failed to retrieve info for gateway x.x.x.x
  • Tunnel to x.x.x.x is not created

Symptoms

(T1484) 07/06/12 14:40:39:729 Info (9766): Gateway: 192.168.53.1, client IP: 192.168.53.2

(T1484) 07/06/12 14:40:39:729 Debug(3707): Set 0 sorted gateway 192.168.53.1. Duration: 15ms

(T1484) 07/06/12 14:40:39:729 Debug(3710): disconnect ssl.

(T1484) 07/06/12 14:40:39:729 Debug(3713): Gateway 192.168.53.1's response time is 15 ms.

(T1484) 07/06/12 14:40:39:729 Debug(3717): returns 1.

(T1484) 07/06/12 14:40:39:729 Debug(4398): ProcessExternalGatewayThread: gateway 192.168.53.1 has been processed. Duration is 0xF(15)

(T1484) 07/06/12 14:40:39:729 Debug(4400): ProcessExternalGatewayThread: Set measure end event for gateway 192.168.53.1

(T2424) 07/06/12 14:40:39:729 Debug(4190): Got hMesureEndEvent

(T2424) 07/06/12 14:40:39:729 Debug(4208): Outside the wait loop. bTunnelCreated is 0

(T2424) 07/06/12 14:40:39:729 Info (9298): CPanMSService::PickGatewayBaseOnWeight, PAN_NEW_GATEWAY_SELECTOR, chose prefered gateway index =0

(T2424) 07/06/12 14:40:39:729 Debug(4323): retrieve info of gateway 192.168.53.1

(T2424) 07/06/12 14:40:39:729 Debug(3401): CPanMSService::SetProxyForHost: fAutoDetect: 0 url: proxy: bypass: url:https://192.168.53.1/ returned proxystr:

(T2424) 07/06/12 14:40:39:729 Debug(4505): CPanMSService::RetrieveGatewayInfo, cert is 00000000

(T2424) 07/06/12 14:40:39:729 Debug(4507): Pre-login...

(T2424) 07/06/12 14:40:39:729 Debug( 142): active session id is 3

(T2424) 07/06/12 14:40:39:729 Error( 208): OpenProcessToken failed 6(T2424) 07/06/12 14:40:39:729 Debug(5072): PrepareRequest...

(T2424) 07/06/12 14:40:39:729 Debug(5080): WinHttpOpenRequest...

(T2424) 07/06/12 14:40:39:729 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...

(T2424) 07/06/12 14:40:39:823 Debug(4609): Failed to pre-login to the gateway 192.168.53.1

(T2424) 07/06/12 14:40:39:823 Error(4364): Failed to retrieve info for gateway 192.168.53.1.

(T2424) 07/06/12 14:40:39:823 Debug(4374): tunnel to 192.168.53.1 is not created.

Resolution

Configure tunnel interface under Network > GlobalProtect > Gateways for access to the gateway.

  • Create a tunnel interface bound to a virtual router and assigned it to a security zone. The default tunnel interface can also be used.
  • In the tunnel gateway address section, select the particular firewall egress interface address from drop down. Specific IP address on which GlobalProtect portal web service is going to run will be filled in automatically once the interface is selected.

8-9-2012 1-29-25 PM.png

Note:

  • Tunnel Interface allows you to give client IP address, you can also give the tunnel a separate zone in order to enforce a different security policy on the global protect users versus the inside LAN users. It even allows you to configure access routes to define networks that will be accessible by the Client through the tunnel.
  • For mobile devices like Appleā€™s iOS enable X-Auth to establish IPSec tunnel to the gateway.

owner: bsyeda



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clu6CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language