IPv6: GlobalProtect App unable to connect to nearest gateway when dual stack is involved
Created On 01/31/24 18:26 PM - Last Modified 05/25/24 03:42 AM
Symptom
- The GPS logs show region code is empty:
:181 REGION-PRIO, regionCode is empty, we just return m_iPriority=1 without comparing it
:181 REGION-PRIO, regionCode is empty, we just return m_iPriority=1 without comparing it
...(output omitted)....
:481 ----Network Discover starts----
...(output omitted)....
423 Gateway gw01-xxxx(Default-A): ipv4 xx.xx.xx.161, ipv6 2a01:yyyy:0:xxxx::161, FQDN yes
...(output omitted)....
:493 --Set state to Discovering network...
........
:423 Set network discover in progress
:423 UpdatePrelogonStateForSSO() - tunnel state = Connecting
:424 create thread 0xb80 with thread ID 5568
:424 IP 10.56.7.207
:447 NetworkDiscoverThread: network type is external.
:447 NetworkDiscoverThread: Discover external network.
:447 Discover external gateway: gateway count is 2, cutoff time is 5, bJustResumed=0
:447 create thread 0xbb8 with thread ID 12448
:447 create thread 0x6d8 with thread ID 12456
- All gateway priorities automatically change to 1:
<gateway-list name="gateway-list" type="external" user="xxxxx">
<entry>
<gateway>gw01....</gateway>
<tunnel>yes</tunnel>
<manual>yes</manual>
<description>Full-Tunnel-A</description>
<allow-tunnel>yes</allow-tunnel>
<passwd-expire-days>-1</passwd-expire-days>
<priority>1</priority>
<internal>no</internal>
<authenticated>yes</authenticated>
</entry>
Environment
- Palo Alto Firewalls
- PAN-OS Version 10.2.4
- GlobalProtect (GP) App Version 6.0.7
Cause
- The issue has been present since the implementation of region-based priority in 2016.
- Root cause: the server (GP portal) fails to send region information when GP connects to the portal over IPv6. In the absence of region information from the server, GP assigns the highest priority to the gateway.
Resolution
- The issue is resolved under GPC 18379.
- The fix is available in GP client versions 6.1.3, 6.0.8, and 6.2.3.
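To triage a client against this article, the following added example (not Palo Alto Networks code) scans GPS log text for the empty-region message and dual-stack gateway lines, then compares the app version with the fixed releases listed above. The function names, the constructed sample log, and the regular expressions (modelled on the log lines shown in the Symptom section) are assumptions.

```python
import re

# Fixed GP app patch level per release train, from the Resolution section.
FIXED = {(6, 0): 8, (6, 1): 3, (6, 2): 3}

REGION_EMPTY = re.compile(r"REGION-PRIO, regionCode is empty")
# Gateway discovery line listing both an IPv4 and an IPv6 address.
GATEWAY = re.compile(r"Gateway (\S+?)\(.*?\): ipv4 (\S+), ipv6 (\S+),")


def has_fix(app_version):
    """True/False for trains named in the article, None for any other train."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", app_version)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    fixed_patch = FIXED.get((major, minor))
    return None if fixed_patch is None else patch >= fixed_patch


def diagnose(log_text, app_version):
    """Summarise whether a GPS log and app version match this article."""
    hits = len(REGION_EMPTY.findall(log_text))
    dual_stack = [m.group(1) for m in GATEWAY.finditer(log_text)]
    fixed = has_fix(app_version)
    return {
        "region_empty_hits": hits,
        "dual_stack_gateways": dual_stack,
        "has_fix": fixed,
        # Symptom present, dual-stack gateway seen, and version known to lack the fix.
        "matches_article": hits > 0 and bool(dual_stack) and fixed is False,
    }


# Constructed sample log (documentation addresses, hypothetical gateway name).
SAMPLE_LOG = """\
:181 REGION-PRIO, regionCode is empty, we just return m_iPriority=1 without comparing it
:181 REGION-PRIO, regionCode is empty, we just return m_iPriority=1 without comparing it
:481 ----Network Discover starts----
:423 Gateway gw01-example(Default-A): ipv4 192.0.2.161, ipv6 2001:db8::161, FQDN yes
:447 Discover external gateway: gateway count is 2, cutoff time is 5, bJustResumed=0
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "6.0.7"))
    print(diagnose(SAMPLE_LOG, "6.0.8"))
```

A `has_fix` result of `None` means the article does not list a fixed release for that train, so the version check is inconclusive.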