Internal Host Detection configured but Global Protect Users still connecting to External Gateway
Created On 12/15/20 21:16 PM - Last Modified 10/19/21 21:14 PM
Symptom
- Internal Host Detection configured.
- Users connecting from the inside network.
- Connection succeeds to external gateway instead of internal.
- The client's GlobalProtect PanGPS.log shows "DnsQuery returns 9003":
13:33:48:529 No <host> or <ip-address> in internal-host-detection
13:33:48:599 IP 10.10.10.10
13:33:48:599 host 10.10.10.10
13:33:49:601 DnsQuery returns 9003
13:33:49:601 Resolved 254.10.10.10.in-addr.arpa for internal host detection with return value 9003
13:33:49:601 NetworkDiscoverThread: network type is external.
13:33:49:601 NetworkDiscoverThread: Discover external network.
Environment
- Prisma Access (Panorama Managed)
- Global Protect Configured.
Cause
- Error code 9003 means 'DNS name does not exist' (see Additional Information for the article on DNS responses).
- The IP address configured for Internal Host Detection in the GlobalProtect client configuration does not reverse-resolve to the DNS hostname specified, so the client treats the network as external.
Resolution
Configure a host that can be resolved from the internal network.
- Log into Panorama
- Click on GUI: Panorama > Cloud Services > Configuration
- Click Mobile Users tab
- Under Onboarding select the Configuration you wish to configure
- General > Internal Host Detection (Click the Checkbox to enable)
- Enter the IP Address of a host that can be reached from the internal network only
- Enter the DNS Hostname for the IP address you entered.
- Click OK
- Commit and Push to Prisma
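The following script is an added example, not Palo Alto Networks code: it reproduces the check the client performs (a PTR lookup of the configured IP, as the in-addr.arpa line in PanGPS.log shows, compared against the configured hostname) so an IP/hostname pair can be validated from an internal host before it is pushed. The hostname and IP values are constructed; the `reverse_lookup` parameter is an assumption that lets the comparison be exercised without a live resolver.

```python
"""Pre-check for GlobalProtect Internal Host Detection (added example).

Reverse-resolves the configured IP and compares the answer with the configured
hostname, the same way the client decides internal vs. external.
"""
import socket
import sys
from typing import Callable, Optional

# Windows DNS status for "name does not exist" ("DnsQuery returns 9003" in PanGPS.log).
DNS_ERROR_RCODE_NAME_ERROR = 9003


def ptr_name(ip: str) -> str:
    """Build the in-addr.arpa name the PTR lookup asks for (IPv4 only)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is not significant.
    return name.rstrip(".").lower()


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve via the OS resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def check_internal_host(ip: str, hostname: str,
                        reverse_lookup: Callable[[str], Optional[str]] = system_reverse_lookup) -> dict:
    """Return a verdict mirroring the client's internal/external decision."""
    answer = reverse_lookup(ip)
    result = {"query": ptr_name(ip), "answer": answer, "network": "external", "code": 0}
    if answer is None:
        # Same failure as the KB symptom: no PTR record -> 9003 -> network type external.
        result["code"] = DNS_ERROR_RCODE_NAME_ERROR
        result["reason"] = "PTR record does not exist; choose an IP that reverse-resolves internally"
    elif _normalize(answer) != _normalize(hostname):
        result["reason"] = f"PTR answer {answer!r} does not match configured hostname {hostname!r}"
    else:
        result["network"] = "internal"
        result["reason"] = "reverse lookup matches the configured hostname"
    return result


if __name__ == "__main__":
    # Constructed defaults; pass the IP and hostname from the GlobalProtect config instead.
    ip, host = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("10.10.10.10", "gp-internal.example.local")
    print(check_internal_host(ip, host))
```

Run it from a machine on the internal network: a result of `"network": "internal"` means the pair will pass the client's check, while `"code": 9003` reproduces the symptom described above.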
Additional Information
Configure Prisma Access for Users (See Step 6, number 5 for Internal Host Detection)
Most Common DNS Query Responses for Internal Host Detection