Error message "priority is -2 with region does not match" is seen in PanGPS.log.

Created On 06/05/21 00:55 AM - Last Modified 06/07/24 21:38 PM


Symptom


  • The GlobalProtect (GP) Gateway gets disconnected.
  • Error message "One external gateway and it's priority is -2, region does not match" is seen in the PanGPS.log.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) Gateway


Cause


  • GlobalProtect considers the source region of the connecting device when selecting the best gateway.
  • This configuration is under the GUI: Network > GlobalProtect > Portals > (name) > Agent > (agent name) > External > External Gateways 
  • When the client's IP address does not match the region of the external gateways during network discovery, the GP App gets disconnected.


Resolution


To resolve this issue, follow one of these options:
  1. Create one external gateway without the region setting.
  2. Create the region object for the user's IP address.
  3. Disable the Region feature using the following CLI commands:
> configure
# set deviceconfig setting global-protect enable-external-gateway-priority no
# commit
# exit


Additional Information


  • The priority value within the weight equation depends on the client location (source IP).
  • Client location is determined based on the IP address seen by the Portal.
  • Both the Portal and the Gateway return the region to the client during the prelogin stage, based on the client's IP address.
  • PanGPS.log:
Debug( 572): One external gateway and it's priority is -2, region does not match
Error(4920): NetworkDiscoverThread: failed to discover external network.
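
As an added example (not part of the original article and not Palo Alto Networks code), the Python script below scans PanGPS.log lines for the region-mismatch message followed by the discovery failure shown above, so the symptom can be confirmed across collected client logs. The line shape is assumed from the two excerpted lines; the sample input, the function names and the 5-line correlation window are constructed for illustration.

```python
import re

# Line shape assumed from the article's excerpt: "Level( NNN): message".
# Any prefix before the level is tolerated and ignored.
LINE_RE = re.compile(r"(?P<level>[A-Za-z]+)\(\s*(?P<num>\d+)\):\s*(?P<msg>.*)$")
PRIORITY_RE = re.compile(r"priority is (-?\d+)")
REGION_MISMATCH = "region does not match"
DISCOVERY_FAILED = "failed to discover external network"

def parse(line):
    """Split one log line into (level, number, message), or None if it does not fit."""
    m = LINE_RE.search(line)
    return (m["level"], int(m["num"]), m["msg"].strip()) if m else None

def find_region_disconnects(lines, window=5):
    """Return (mismatch_line, failure_line, priority) for each region-mismatch
    message followed within `window` parsed lines by a discovery failure."""
    hits, pending = [], None  # pending = [line number, priority, lines left]
    for lineno, raw in enumerate(lines, 1):
        rec = parse(raw)
        if rec is None:
            continue
        level, _, msg = rec
        if REGION_MISMATCH in msg:
            prio = PRIORITY_RE.search(msg)
            pending = [lineno, int(prio.group(1)) if prio else None, window]
        elif pending:
            if level == "Error" and DISCOVERY_FAILED in msg:
                hits.append((pending[0], lineno, pending[1]))
                pending = None
            else:
                pending[2] -= 1
                if pending[2] <= 0:
                    pending = None  # too far apart to treat as related
    return hits

# Constructed sample: the two messages from the article plus filler lines.
SAMPLE = """\
Debug( 101): constructed filler line
Debug( 572): One external gateway and it's priority is -2, region does not match
Error(4920): NetworkDiscoverThread: failed to discover external network.
Debug( 102): constructed filler line
Error(4920): NetworkDiscoverThread: failed to discover external network.
""".splitlines()

if __name__ == "__main__":
    for mismatch, failure, prio in find_region_disconnects(SAMPLE):
        print(f"region mismatch at line {mismatch} (priority {prio}), "
              f"discovery failed at line {failure}")
```

A discovery failure with no preceding region-mismatch line (line 5 of the sample) is not reported, which separates this cause from other network discovery failures.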

