How to Troubleshoot GlobalProtect Clientless VPN

How to Troubleshoot GlobalProtect Clientless VPN

42291
Created On 04/20/20 23:39 PM - Last Modified 04/15/21 22:40 PM


Objective
This article is designed to enable customer's to collect data on Clientless VPN related issues and provide TAC with data points 
 


Environment
GlobalProtect Clientless VPN Portal

Procedure

This article will detail how to collect data for Connectivity issues and Rewrite related issues.



A. Connectivity Issues


B. Rewrite Issues



===============================
 

A. Connectivity Issues


When we say Connectivity issues, it includes:
- Clientless VPN portal login page not loading on the browser
- Clientless applications not loading at all once launched
- Launching Clientless applications redirects back to the Clientless VPN portal login page

The possible cause of these issues could be:
- Clientless VPN portal configuration on the firewall has IP address as hostname but the portal itself is accessed using FQDN. They should match
- No route to the application on the firewall
- Misconfigured security policy for the application traffic on the firewall
- Misconfigured DNS-proxy object or DNS resolutions fail on the firewall

If the above steps are verified and confirmed that the configuration looks good, please follow below steps to collect the data and upload them to the case for TAC review:
 

Example Scenario:

Clientless VPN portal IP: 1.1.1.1
Client IP: 2.2.2.2
Application IP: 10.1.0.120

----------------------------------------------------------------------------------------------------------------------------------------------

1. Please log the CLI session

2. Set the below filters and capture stages for firewall packet captures

> show clock
> debug dataplane packet-diag set filter match source 2.2.2.2 destination 1.1.1.1
> debug dataplane packet-diag set filter match source 2.2.2.2 destination 10.1.0.120
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature proxy all
> debug dataplane packet-diag show setting

admin@PA-220> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no            
  Index 1: 2.2.2.2/32[0]->1.1.1.1/32[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 2: 2.2.2.2/32[0]->10.1.0.120/32[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Sync-log-by-ticks:         yes            
  Features:
    flow    : basic 
    proxy   : basic timer detail 
  Counters:
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   no
  Snaplen:                   0
  Username:                              
  Stage receive           :  file rx.pcap
    Captured:     packets - 0          bytes - 0           
    Maximum:      packets - 0          bytes - 0           
  Stage firewall          :  file fw.pcap
    Captured:     packets - 0          bytes - 0           
    Maximum:      packets - 0          bytes - 0           
  Stage transmit          :  file tx.pcap
    Captured:     packets - 0          bytes - 0           
    Maximum:      packets - 0          bytes - 0           
  Stage drop              :  file dp.pcap
    Captured:     packets - 0          bytes - 0           
    Maximum:      packets - 0          bytes - 0           
--------------------------------------------------------------------------------

 

3. Enable dataplane debug logs and captures on the firewall

> debug dataplane packet-diag set capture on
> debug dataplane packet-diag set log on
> debug dataplane packet-diag show setting
> show clock

 

4. Reproduce the issue and run below commands

> show session all filter source 2.2.2.2
> show session id <ID>    
[for all sessions created]

> show counter global filter delta yes packet-filter yes  [run it couple of times]

 

5. Once it is reproduced, stop dataplane debug logs and packet captures on the firewall

> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set log off
> debug dataplane packet-diag show setting
> show clock

 

6. After about 30 seconds, run the below command to aggregate debug logs on the firewall

> debug dataplane packet-diag aggregate-logs [run it twice]

 

7. Please collect below files and upload them to the case

- Firewall packet captures: rx.pcap, tx.pcap, dp.pcap, fw.pcap
- Logged CLI session
- Fresh Tech Support file (containing dataplane debug logs)



===============================


B. Rewrite Issues:

When we say Rewrite issues, it means most of the Clientless applications load properly but some Clientless applications fail to display certain elements of the page or some buttons/hyperlinks fail to respond. 


In this case, we would need to collect the below information:
- Firewall packet captures (clientless-vpn-client and clientless-vpn-server), FiddlerCap captures and browser console logs when the user accesses the problematic application THROUGH the portal. This is the non-working scenario
- FiddlerCap captures and browser console logs from the user's machine when the user accesses the application DIRECTLY, not through the portal. This is the working scenario


Please follow below steps to collect the data and upload them to the case for TAC review:

Example Scenario:

Clientless VPN portal IP: 1.1.1.1
Client IP: 5.5.5.5
Application IP: 10.1.0.120

Note: For macOS/iPad/iOS devices, point the traffic towards a web proxy server and enable FiddlerCap captures on the server
----------------------------------------------------------------------------------------------------------------------------------------------

1. Please log the CLI session and record zoom session as well

2. Following steps would be for capturing data for non-working scenario where 
the user accesses the problematic application THROUGH the portal

a. 
Please have the test user log into the Clientless VPN portal in order to run the below command to get the correct username format. It will be used to capture packets for this particular user on the firewall

> show global-protect-portal current-user filter-user all-users
GlobalProtect Portal              : GPClientlessPortal
Vsys-Id                           : 1
User                              : paloaltonetworks.com\johndoe        <<<<<
Session-id                        : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP                         : 5.5.5.5
Session start time                : Mon Apr 20 10:32:35 2020
Inactivity Timeout                : 1800
Seconds before inactivity timeout : 1789
Login Lifetime                    : 10800
Seconds before login lifetime     : 10789
Size of cookie cache              : 0
Source Region                     : Germany



Note: Here are a few pointers to keep in mind before using username filter for Clientless VPN captures:

  • The username pointed out in the output of the command: show global-protect-portal current-user filter-user all-users and the username in the output of the command: show user ip-user-mapping all type GP-CLIENTLESSVPN should match as the username filter is case-sensitive.
  • A mismatch will not generate any Clientless VPN captures


> show user ip-user-mapping all type GP-CLIENTLESSVPN

IP                      Vsys        From     User                 IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- -------   --------------------------------    -------------- -------------
5.5.5.5                    vsys1       GP-CLIENTLESSVPN paloaltonetworks.com\johndoe <<<<<    10797    10797   
Total: 1 users

 

  • There should be no username associated with the destination IP address; it should be unknown as shown below. Otherwise, Clientless VPN captures will not be generated due to destination username
> show session id 3136988
Session         3136988
        c2s flow:
                source:      5.5.5.5 [Clientless_VPN]
                dst:         10.1.0.120
                proto:       6
                sport:       15715           dport:      443
                state:       INIT            type:       FLOW
                src user:    paloaltonetworks.com\johndoe
                dst user:    unknown                 <<<<<<<<<<
        s2c flow:
                source:      10.1.0.120 [Inside]
                dst:         10.1.2.214
                proto:       6
                sport:       443             dport:      15715
                state:       INIT            type:       FLOW
                src user:    unknown                  <<<<<<<<<<
                dst user:    paloaltonetworks.com\johndoe

 

  • There should be no IP filters set as well. It should be purely based on username filter to capture Clientless VPN captures


b. Set the below filters and capture stages for firewall packet captures

Note: Since the filter would be set by the username, IP address filters would not be required in this case

> show clock
> show system setting ssl-decrypt memory
> show system setting ssl-decrypt dns-cache
> show system setting ssl-decrypt gp-cookie-cache
> show system setting ssl-decrypt rewrite-stats
> debug dataplane packet-diag set capture username {use the username that logs to Clientless VPN portal}
> debug dataplane packet-diag set capture stage clientless-vpn-client file client.pcap
> debug dataplane packet-diag set capture stage clientless-vpn-server file server.pcap
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag show setting

admin@PA-220> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no            
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Sync-log-by-ticks:         yes            
  Features:
  Counters:
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   no
  Snaplen:                   0
  Username:                  paloaltonetworks.com\johndoe            
  Stage clientless-vpn-client:  file client.pcap
    Captured:     packets - 0          bytes - 0           
    Maximum:      packets - 0          bytes - 0           
  Stage clientless-vpn-server:  file server.pcap
    Captured:     packets - 0          bytes - 0           
    Maximum:      packets - 0          bytes - 0           
--------------------------------------------------------------------------------

c. Please have the test user log out of the Clientless VPN portal

d. Enable captures on the firewall


> debug dataplane packet-diag set capture on
> debug dataplane packet-diag show setting
> show clock


Note: Please be aware that firewall packet captures would contain clear-text (unencrypted) communication between the browser and the firewall and the firewall and application

e. Open the developer tool on the browser and open console tab to see any javascript errors


f. Please have the test user log into the Clientless VPN portal and then, enable FiddlerCap captures as per the article FiddlerCap 


g. Navigate to the application exhibiting the issue and then, run below commands on the firewall's CLI

> show session all filter source <Client-IP>
> show session id <ID>   
[for all sessions created]
> show counter global filter delta yes packet-filter yes  [run this couple of times]



h. Once the issue is reproduced, stop packet captures on the firewall

> debug dataplane packet-diag set capture off
> debug dataplane packet-diag show setting
> show clock
> show system setting ssl-decrypt memory
> show system setting ssl-decrypt dns-cache
> show system setting ssl-decrypt gp-cookie-cache
> show system setting ssl-decrypt rewrite-stats

 

3. Please collect the FiddlerCap captures and browser console logs for working scenario when the user accesses the application DIRECTLY, not through the portal as per the article FiddlerCap 

Note: Please be aware that FiddlerCap can collect cleartext traffic, and all user credentials (usernames/passwords) exchanged during the time of the capture, will be visible in the collected data. These packet captures contain clear-text (unencrypted) communication between the browser and the firewall, and between the firewall and the application. It is recommended to use test credentials if logging into the problematic application is needed

 

4. Stop the zoom recording and collect the below files and upload them to the case

- Firewall packet captures: clientless-vpn-client.pcap, clientless-vpn-server.pcap
- Logged CLI session
- Fresh Tech Support file
- Browser console logs (working and non-working scenarios)
- FiddlerCaps (working and non-working scenarios)
- Zoom video recording


Additional Information
-- Prathyusha Basamsetty (PBasamsetty)

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPizCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language