How to Troubleshoot GlobalProtect Clientless VPN
Objective
This article is designed to enable customers to collect data on Clientless VPN related issues and provide TAC with the data points it needs.
Environment
GlobalProtect Clientless VPN Portal
Procedure
This article details how to collect data for connectivity issues and rewrite-related issues.
A. Connectivity Issues
B. Rewrite Issues
===============================
A. Connectivity Issues
When we say Connectivity issues, it includes:
- Clientless VPN portal login page not loading on the browser
- Clientless applications not loading at all once launched
- Launching Clientless applications redirects back to the Clientless VPN portal login page
Possible causes of these issues include:
- The Clientless VPN portal configuration on the firewall uses an IP address as the hostname, but the portal itself is accessed using an FQDN. The two should match
- No route to the application on the firewall
- Misconfigured security policy for the application traffic on the firewall
- Misconfigured DNS-proxy object or DNS resolutions fail on the firewall
If the above causes have been checked and the configuration looks correct, please follow the steps below to collect the data and upload it to the case for TAC review:
Example Scenario:
Clientless VPN portal IP: 1.1.1.1
Client IP: 2.2.2.2
Application IP: 10.1.0.120
----------------------------------------------------------------------------------------------------------------------------------------------
1. Please log the CLI session
2. Set the below filters and capture stages for firewall packet captures
> show clock
> debug dataplane packet-diag set filter match source 2.2.2.2 destination 1.1.1.1
> debug dataplane packet-diag set filter match source 2.2.2.2 destination 10.1.0.120
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature proxy all
> debug dataplane packet-diag show setting
admin@PA-220> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 2.2.2.2/32[0]->1.1.1.1/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 2.2.2.2/32[0]->10.1.0.120/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic
proxy : basic timer detail
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
Username:
Stage receive : file rx.pcap
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage firewall : file fw.pcap
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage transmit : file tx.pcap
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage drop : file dp.pcap
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------
3. Enable dataplane debug logs and captures on the firewall
> debug dataplane packet-diag set capture on
> debug dataplane packet-diag set log on
> debug dataplane packet-diag show setting
> show clock
4. Reproduce the issue and run the commands below
> show session all filter source 2.2.2.2
> show session id <ID> [for every session created]
> show counter global filter delta yes packet-filter yes [run it a couple of times]
5. Once it is reproduced, stop dataplane debug logs and packet captures on the firewall
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set log off
> debug dataplane packet-diag show setting
> show clock
6. After about 30 seconds, run the below command to aggregate debug logs on the firewall
> debug dataplane packet-diag aggregate-logs [run it twice]
7. Please collect the files below and upload them to the case
- Firewall packet captures: rx.pcap, tx.pcap, dp.pcap, fw.pcap
- Logged CLI session
- Fresh Tech Support file (containing dataplane debug logs)
===============================
B. Rewrite Issues
When we say Rewrite issues, it means most Clientless applications load properly but some fail to display certain elements of the page, or some buttons/hyperlinks fail to respond.
In this case, we need to collect the following information:
- Firewall packet captures (clientless-vpn-client and clientless-vpn-server), Fiddler capture and browser logs (Developer Tools > Network tab and Developer Tools > Console tab) for the problematic application access THROUGH the Clientless VPN portal. This is the non-working scenario
- Fiddler capture and browser logs (Developer Tools > Network tab and Developer Tools > Console tab) for the same application accessed DIRECTLY, not through the Clientless VPN portal. This is the working scenario
Please follow the steps below to collect the data and upload it to the case for TAC review:
Example Scenario:
Clientless VPN portal IP: 1.1.1.1
Client IP: 5.5.5.5
Application IP: 10.1.0.120
Note: For macOS/iPad/iOS devices, please follow the steps in the knowledge base below:
How to collect Fiddler PCAP for iOS Devices [Clientless VPN]
----------------------------------------------------------------------------------------------------------------------------------------------
1. Please log the CLI session and record a Zoom session as well
2. The following steps capture data for the non-working scenario, where the user accesses the problematic application THROUGH the portal
a. Please have the test user log into the Clientless VPN portal, then run the command below to get the correct username format. This username is used to capture packets for this particular user on the firewall
> show global-protect-portal current-user filter-user all-users
GlobalProtect Portal : GPClientlessPortal
Vsys-Id : 1
User : paloaltonetworks.com\johndoe <<<<<
Session-id : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP : 5.5.5.5
Session start time : Mon Apr 20 10:32:35 2020
Inactivity Timeout : 1800
Seconds before inactivity timeout : 1789
Login Lifetime : 10800
Seconds before login lifetime : 10789
Size of cookie cache : 0
Source Region : Germany
Note: Keep the following points in mind before using the username filter for Clientless VPN captures:
- The username shown in the output of show global-protect-portal current-user filter-user all-users and the username shown in the output of show user ip-user-mapping all type GP-CLIENTLESSVPN must match exactly, as the username filter is case-sensitive.
- A mismatch will not generate any Clientless VPN captures
> show user ip-user-mapping all type GP-CLIENTLESSVPN
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
5.5.5.5 vsys1 GP-CLIENTLESSVPN paloaltonetworks.com\johndoe <<<<< 10797 10797
Total: 1 users
- There should be no username associated with the destination IP address; it should show as unknown, as below. Otherwise, Clientless VPN captures will not be generated because of the destination username
> show session id 3136988
Session 3136988
c2s flow:
source: 5.5.5.5 [Clientless_VPN]
dst: 10.1.0.120
proto: 6
sport: 15715 dport: 443
state: INIT type: FLOW
src user: paloaltonetworks.com\johndoe
dst user: unknown <<<<<<<<<<
s2c flow:
source: 10.1.0.120 [Inside]
dst: 10.1.2.214
proto: 6
sport: 443 dport: 15715
state: INIT type: FLOW
src user: unknown <<<<<<<<<<
dst user: paloaltonetworks.com\johndoe
- There should be no IP filters set either. Clientless VPN captures must be based purely on the username filter
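As an added pre-flight check (not part of the original article and not a Palo Alto Networks tool), the script below parses constructed copies of the three CLI outputs above plus the packet-diag setting output and reports every condition in this note that would leave a username-based capture empty. The sample values are modelled on the outputs shown here; the field names it reads (User, Client-IP, dst user, Username, Stage, Index) are taken from those outputs.

```python
import re

# Constructed sample outputs, trimmed to the fields the checks read (format
# modelled on the CLI output shown in this article, not captured from a device).
CURRENT_USER = """User : paloaltonetworks.com\\johndoe
Client-IP : 5.5.5.5
"""
IP_USER_MAPPING = """IP Vsys From User IdleTimeout(s) MaxTimeout(s)
5.5.5.5 vsys1 GP-CLIENTLESSVPN paloaltonetworks.com\\johndoe 10797 10797
Total: 1 users
"""
SESSION = """dst: 10.1.0.120
src user: paloaltonetworks.com\\johndoe
dst user: unknown
"""
SETTING = """Packet capture
Username: paloaltonetworks.com\\johndoe
Stage clientless-vpn-client: file client.pcap
Stage clientless-vpn-server: file server.pcap
"""

def field(text, name):
    """Value of a 'name : value' line; None if the field is absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def mapped_user(mapping, ip):
    """User column of the GP-CLIENTLESSVPN row for this client IP."""
    for line in mapping.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == ip and cols[2] == "GP-CLIENTLESSVPN":
            return cols[3]
    return None

def precheck(current_user, mapping, session, setting):
    """Return the reasons a username-filtered capture would stay empty."""
    issues = []
    portal_user = field(current_user, "User")
    if mapped_user(mapping, field(current_user, "Client-IP")) != portal_user:
        issues.append("portal user and ip-user-mapping user differ (filter is case-sensitive)")
    if field(session, "dst user") != "unknown":
        issues.append("destination IP has a user mapping; captures are suppressed")
    if field(setting, "Username") != portal_user:
        issues.append("capture username does not match the portal user")
    if re.search(r"^\s*Index \d+:", setting, re.M):
        issues.append("IP packet filters are set; use the username filter only")
    if not all(f"Stage clientless-vpn-{s}:" in setting for s in ("client", "server")):
        issues.append("clientless-vpn-client/server capture stages missing")
    return issues
```

An empty list means the username filter, user mappings and capture stages are consistent; paste the real outputs from the logged CLI session in place of the constructed ones.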
b. Set the below filters and capture stages for firewall packet captures
Note: Since the filter is set by username, IP address filters are not required in this case. Please make sure the username matches the one seen in the output of the command show global-protect-portal current-user filter-user all-users
> show clock
> show system setting ssl-decrypt memory
> show system setting ssl-decrypt dns-cache
> show system setting ssl-decrypt gp-cookie-cache
> show system setting ssl-decrypt rewrite-stats
> debug dataplane packet-diag set capture username {use the username that logs to Clientless VPN portal}
> debug dataplane packet-diag set capture stage clientless-vpn-client file client.pcap
> debug dataplane packet-diag set capture stage clientless-vpn-server file server.pcap
> debug dataplane packet-diag show setting
admin@PA-220> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: no
Match pre-parsed packet: no
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
Username: paloaltonetworks.com\johndoe <<<<<
Stage clientless-vpn-client: file client.pcap
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage clientless-vpn-server: file server.pcap
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------
c. Please have the test user log out of the Clientless VPN portal
d. Enable captures on the firewall
> debug dataplane packet-diag set capture on
> debug dataplane packet-diag show setting
> show clock
Note: Please be aware that the firewall packet captures will contain clear-text (unencrypted) communication between the browser and the firewall, and between the firewall and the application
e. Open the developer tools in the browser and open the Console tab to see any JavaScript errors
f. Please have the test user log into the Clientless VPN portal and then enable Fiddler captures as described in the Fiddler article
g. Navigate to the application exhibiting the issue and then run the commands below on the firewall's CLI
> show session all filter source <Client-IP>
> show session id <ID> [for every session created]
> show counter global filter delta yes packet-filter yes [run this a couple of times]
h. Once the issue is reproduced, stop packet captures on the firewall
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag show setting
> show clock
> show system setting ssl-decrypt memory
> show system setting ssl-decrypt dns-cache
> show system setting ssl-decrypt gp-cookie-cache
> show system setting ssl-decrypt rewrite-stats
3. Please collect the Fiddler captures and browser console logs for the working scenario, where the user accesses the application DIRECTLY, not through the portal, as described in the Fiddler article
Note: Please be aware that Fiddler collects cleartext traffic, so all user credentials (usernames/passwords) exchanged during the capture will be visible in the collected data. The packet captures likewise contain clear-text (unencrypted) communication between the browser and the firewall, and between the firewall and the application. It is recommended to use test credentials if logging into the problematic application is needed
4. Stop the Zoom recording, then collect the files below and upload them to the case
- Firewall packet captures from the clientless-vpn-client and clientless-vpn-server stages (client.pcap and server.pcap as named in step 2b)
- Logged CLI session
- Fresh Tech Support file
- Browser [Developer Tools > Network tab and Developer Tools > Console tab] logs (working and non-working scenarios)
- Fiddler captures (working and non-working scenarios)
- Zoom video recording