What happens if my GlobalProtect's gateway route is removed?

Created On 04/14/20 19:48 PM - Last Modified 04/16/20 22:36 PM


Question
What happens if my Gateway route is removed from my GlobalProtect endpoint?

Environment
  • PAN-OS 9.0
  • GlobalProtect Agent
  • Palo Alto Networks Physical/Virtual Firewall


Answer
If the gateway route is removed from your GlobalProtect endpoint, the following will occur:

1. The Agent will await the expiration of keepalive timeout values before terminating the tunnel.

Example logs from PanGPS
(T4656)Info (1019): 04/14/20 10:26:28:499 --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
(T4656)Debug(1022): 04/14/20 10:26:28:499 Tunnel downtime after keep-alive timeout is 51375 ms
(T4656)Info ( 531): 04/14/20 10:26:28:499 VPN timeout due to keepalive, get out of ProcMonitor
(T4656)Debug( 541): 04/14/20 10:26:28:499 In timeout handling, tunnel downtime is 51375 miliseconds
(T4656)Debug(5315): 04/14/20 10:26:28:499 Show Gateway ext-gw: Checking network availability and restoring VPN connection when network is available.

2. Next, the Agent will remove the existing Gateway route information from the routing table.

Example logs from PanGPS
(T4656)Debug( 512): 04/14/20 10:26:28:499 unset network
(T4656)Debug(2568): 04/14/20 10:26:28:499 UnsetRoutes(): RestoreDefaultRoutes.
(T4656)Debug(2574): 04/14/20 10:26:28:499 Unset 1 routes
(T4656)Debug(2594): 04/14/20 10:26:28:499 UnsetRoutes: DeleteIpForwardEntry[0] (0.0.0.0)
(T4656)Debug(6041): 04/14/20 10:26:28:499 UnsetGatewayRoutes: DeleteIpForwardEntry(172.16.0.1)
(T4656)Info (4621): 04/14/20 10:26:28:499 RemoveGatewayInRouteTable(vnicIdx=15)
(T4656)Info (4669): 04/14/20 10:26:28:499 delete 1 ip forward entry: 10.100.100.10
(T4656)Info (4669): 04/14/20 10:26:28:499 delete 2 ip forward entry: 224.0.0.0
(T4656)Info (4669): 04/14/20 10:26:28:499 delete 3 ip forward entry: 255.255.255.255
(T4656)Debug(2533): 04/14/20 10:26:28:499 UnsetRoutesV6: No route installed before


3. After modifying the routing table, the Agent will disable the PanGP virtual network interface on the endpoint and reattempt Gateway connectivity via IPSec (if configured).

Example logs from PanGPS
(T4656)Debug(1347): 04/14/20 10:26:28:499 Disconnect virtual interface
(T1992)Debug(5695): 04/14/20 10:26:28:718 NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
(T1992)Debug(4694): 04/14/20 10:26:28:718 No need to check gateway route since no tunnel.
(T4656)Debug( 779): 04/14/20 10:26:28:781 PreviousDNSInfo doesn't exist, no need to restore
(T4656)Debug(5579): 04/14/20 10:26:28:781 DLSA, savedMetric1Routes not present, do not need to restore
(T4656)Debug(4976): 04/14/20 10:26:28:781 Proxy is not disabled before, no need to restore
(T4656)Debug( 779): 04/14/20 10:26:28:796 PreviousDNSInfo doesn't exist, no need to restore
(T4656)Debug(1778): 04/14/20 10:26:28:796 UnsetDNSSuffixSearchOrder returns 0
(T4656)Debug(1783): 04/14/20 10:26:28:812 UnsetDNSServerSearchOrder returns 84
(T4656)Debug(1785): 04/14/20 10:26:28:827 UnsetWINSServer returns 84
(T4656)Debug(10259): 04/14/20 10:26:28:827 SetVpnStatus called with new status=0, Previous Status=1
(T4656)Debug(4028): 04/14/20 10:26:28:827 UpdatePrelogonStateForSSO() - User-logon tunnel state = Disconnected
(T4656)Debug( 550): 04/14/20 10:26:28:827 Network is reachable
(T4656)Debug( 163): 04/14/20 10:26:28:827 Trying to do ipsec connection to 172.16.0.1[4501]
(T4656)Debug( 550): 04/14/20 10:26:28:843 Network is reachable
(T4656)Info ( 175): 04/14/20 10:26:28:843 Connected to: 172.16.0.1[4501], Sending keep alive to ipsec socket...
(T1992)Debug(5756): 04/14/20 10:26:31:749 NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 0,
 m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 1.
(T1992)Debug(4694): 04/14/20 10:26:31:749 No need to check gateway route since no tunnel.
(T1992)Debug(5764): 04/14/20 10:26:31:749 Set retry network check event in retry mode
(T1992)Debug(5773): 04/14/20 10:26:31:749 NetworkConnectionMonitorThread: Detected route change, but skip network discovery.
(T4656)Info ( 218): 04/14/20 10:26:34:859 failed to receive keep alive
(T4656)Debug( 227): 04/14/20 10:26:34:859 Disconnect udp socket 
(T4656)Info ( 321): 04/14/20 10:26:34:859 Connecting to 172.16.0.1 failed
(T4656)Debug( 647): 04/14/20 10:26:34:859 Retry connect failed first time


4. This process will loop until either the existing Gateway address responds, or the configuration is modified to reflect a responding address and the Agent is restarted.
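The four-step sequence above can be recognised mechanically in PanGPS.log. The parser below is an added example, not code from this article or from the GlobalProtect agent; it assumes the line layout shown in the excerpts above and uses lines copied from those excerpts as its sample input.

```python
import re
from datetime import datetime

# PanGPS line layout: (T<thread>)<Level>(<src line>): <MM/DD/YY HH:MM:SS:mmm> <message>
LINE_RE = re.compile(r"^\((T\d+)\)(\w+)\s*\(\s*\d+\):\s+"
                     r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(.*)$")

# Message patterns for the teardown steps the article walks through
PATTERNS = {
    "keepalive_timeout": r"Too many outstanding keepalive",                          # step 1
    "downtime_ms": r"downtime after keep-alive timeout is (\d+) ms",                  # step 1
    "gateway_route_deleted": r"UnsetGatewayRoutes: DeleteIpForwardEntry\((\S+)\)",   # step 2
    "route_deleted": r"delete \d+ ip forward entry: (\S+)",                           # step 2
    "ipsec_retry_target": r"Trying to do ipsec connection to (\S+)",                  # step 3
    "retry_failed": r"^Connecting to \S+ failed$",                                    # step 3
}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # wrapped continuation text carries no header
    thread, level, ts, msg = m.groups()  # strptime's %f accepts the 3-digit ms field
    return thread, level, datetime.strptime(ts, "%m/%d/%y %H:%M:%S:%f"), msg

def summarize_disconnect(lines):
    s = {"routes_deleted": []}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        for key, pat in PATTERNS.items():
            m = re.search(pat, p[3])
            if not m:
                continue
            if key == "route_deleted":
                s["routes_deleted"].append(m.group(1))
            elif key == "downtime_ms":
                s[key] = int(m.group(1))
            else:
                s[key] = m.group(1) if m.groups() else True
    return s

# Sample input: lines copied from the article's PanGPS excerpts (one wrapped continuation included)
SAMPLE = """(T4656)Info (1019): 04/14/20 10:26:28:499 --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
(T4656)Debug(1022): 04/14/20 10:26:28:499 Tunnel downtime after keep-alive timeout is 51375 ms
(T4656)Debug(6041): 04/14/20 10:26:28:499 UnsetGatewayRoutes: DeleteIpForwardEntry(172.16.0.1)
(T4656)Info (4669): 04/14/20 10:26:28:499 delete 1 ip forward entry: 10.100.100.10
(T4656)Debug( 163): 04/14/20 10:26:28:827 Trying to do ipsec connection to 172.16.0.1[4501]
 m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 1.
(T4656)Info ( 321): 04/14/20 10:26:34:859 Connecting to 172.16.0.1 failed"""
```

Feeding a full PanGPS.log through summarize_disconnect shows whether a disconnect was driven by the keepalive timeout, which routes the Agent withdrew, and whether the IPSec retry to the configured gateway is still failing.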


Additional Information
For additional information regarding the full configuration of GlobalProtect, please refer to the following documents:
GlobalProtect Admin Guide
GlobalProtect Resource List


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPcICAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail