GlobalProtect Pre-logon does not connect after the user logs in until a reboot is done.

Created On 03/08/24 03:45 AM - Last Modified 06/22/24 04:00 AM


Symptom


  • The GP app is configured with the Pre-logon connect method, authenticating with a machine certificate.
  • Once the user logs in to the machine, the connect method is "Pre-logon (Always On)", using the same certificate.
  • The client connects fine in Pre-logon but fails to connect after the user logs on, until a manual restart is done.
  • The client certificate is correctly installed on the user's machine.


Environment


  • GlobalProtect (GP) App
  • Prisma Access for Users
  • Pre-logon with certificate authentication


Cause


  • This happens because the tunnel rename traffic is subject to decryption, which breaks the client-certificate based authentication.
  • Once the user logs in to the machine (at this point the pre-logon tunnel is already connected), the GP app sends a new TLS Client Hello to the gateway through the existing tunnel in order to rename the tunnel from the pre-logon user to the logged-in user.
  • This fails if the gateway (Prisma Access in this case) decrypts that traffic: the decryption proxy terminates the TLS session, so the client certificate is not presented end to end to the gateway and certificate authentication fails.
  • Restarting the PanGPS service works around the issue because there is no existing tunnel at that point, so the new connection to the gateway does not pass through Prisma Access and is not decrypted.


Resolution


  1. Exclude traffic to *.gpcloudservice.com from the Decryption policy (a no-decrypt rule for the gateway FQDN).
  2. Alternatively, use split tunnel to exclude the domain *.gpcloudservice.com in the GP app configuration so this traffic is not routed over Prisma Access.


Additional Information


  • The PanGPS log shows the following errors while the client keeps attempting to connect and failing:
08:00:36:962 PostRequest error code=2164260864()
08:00:36:962 ERROR_WINHTTP_SECURE_FAILURE, clean m_pMachineCertCtx. Retry
08:04:00:474 Disconnect(Prelogn tunnel rename failed) called
  • To identify the problem, find the pre-logon client IP and the gateway IP in the PanGPS.log file.
  • Then check the Decryption and Traffic logs, filtering on source IP = GP client IP and destination IP = gateway public IP, to confirm that this connection is being decrypted and failing. A matching entry looks like the following (application, from zone, source port, source IP, rule, action, to zone, destination port, destination IP, session end reason), where x.x.x.x is the IP address of the gateway the client is attempting to connect to:
ssl trust 53395 192.168.1.15 Security-rule-1 allow untrust 443 x.x.x.x decrypt-cert-validation
  • A session end reason of decrypt-cert-validation on the client-to-gateway session confirms that the rename handshake is being decrypted and the certificate check is failing.
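To make the check above repeatable, here is an added example script (not part of the original article and not a Palo Alto Networks tool) that scans a PanGPS.log excerpt for the three error signatures quoted above and correlates them with decryption-log rows for the client IP and gateway IP. The PanGPS lines are trimmed to the timestamp-plus-message form shown in this article; the decryption-log CSV header, the gateway IP 203.0.113.10 and the other rows are constructed for the example, so map the column names to the fields of your own log export.

```python
"""Correlate PanGPS.log pre-logon rename failures with decryption-log hits."""
import csv
import io
import re

# Error signatures the article reports in PanGPS.log during the failing rename loop.
RENAME_FAILURE_PATTERNS = (
    re.compile(r"PostRequest error code=2164260864"),
    re.compile(r"ERROR_WINHTTP_SECURE_FAILURE"),
    re.compile(r"Disconnect\(Prelogn tunnel rename failed\)"),
)

# Constructed PanGPS.log excerpt. Assumption: lines trimmed to "HH:MM:SS:mmm message",
# matching the lines quoted in the article; a real PanGPS.log carries extra prefix fields.
PANGPS_LOG = """\
08:00:36:962 PostRequest error code=2164260864()
08:00:36:962 ERROR_WINHTTP_SECURE_FAILURE, clean m_pMachineCertCtx. Retry
08:02:10:113 unrelated debug line kept to show non-matching input
08:04:00:474 Disconnect(Prelogn tunnel rename failed) called
"""

# Constructed decryption-log excerpt. Assumption: a simplified CSV with the columns of the
# article's sample line plus the session end reason; the gateway IP 203.0.113.10 and the
# other rows are invented for this example. Rename the header to match your own export.
DECRYPTION_LOG_CSV = """\
time,app,from_zone,src_port,src_ip,rule,action,to_zone,dst_port,dst_ip,end_reason
08:00:36,ssl,trust,53395,192.168.1.15,Security-rule-1,allow,untrust,443,203.0.113.10,decrypt-cert-validation
08:00:40,ssl,trust,53401,192.168.1.15,Security-rule-1,allow,untrust,443,198.51.100.5,
08:01:02,ssl,trust,50120,192.168.1.77,Security-rule-1,allow,untrust,443,203.0.113.10,decrypt-cert-validation
"""


def pangps_rename_failures(log_text):
    """Return (timestamp, message) tuples for lines matching a rename-failure signature."""
    hits = []
    for line in log_text.splitlines():
        ts, _, msg = line.partition(" ")
        if any(p.search(msg) for p in RENAME_FAILURE_PATTERNS):
            hits.append((ts, msg))
    return hits


def decrypted_gateway_sessions(csv_text, client_ip, gateway_ip):
    """Return decryption-log rows for client_ip -> gateway_ip:443 (the GP gateway port)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["src_ip"] == client_ip and r["dst_ip"] == gateway_ip and r["dst_port"] == "443"]


def diagnose(log_text, csv_text, client_ip, gateway_ip):
    """Combine both signals into a verdict the analyst can act on."""
    failures = pangps_rename_failures(log_text)
    sessions = decrypted_gateway_sessions(csv_text, client_ip, gateway_ip)
    cert_errors = [s for s in sessions if s["end_reason"] == "decrypt-cert-validation"]
    if failures and cert_errors:
        verdict = ("rename traffic to the gateway is being decrypted; "
                   "exclude the gateway FQDN from decryption or from the tunnel")
    elif failures:
        verdict = "rename failing but no decryption hits for this pair; check certificate and gateway"
    else:
        verdict = "no rename failures found in PanGPS.log"
    return {
        "pangps_failures": len(failures),
        "gateway_sessions": len(sessions),
        "cert_validation_errors": len(cert_errors),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Client IP and gateway IP are the values the analyst pulled from PanGPS.log.
    print(diagnose(PANGPS_LOG, DECRYPTION_LOG_CSV, "192.168.1.15", "203.0.113.10"))
```

The filter deliberately keys on the client/gateway pair and port 443 rather than on the rule name, because the same decryption rule usually matches plenty of unrelated traffic; only a decrypt-cert-validation end reason on the client-to-gateway session ties the log to the rename failure.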
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008XTQCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail