Globalprotect Is Constantly Disconnecting From and Reconnecting to Internal Gateways
Created On 03/22/22 17:01 PM - Last Modified 09/26/23 03:35 AM
Symptom
- GlobalProtect is constantly disconnecting from and reconnecting to Internal Gateways when multiple internal gateways are configured.
- Due to this, IP mappings are also flapping.
Environment
- Palo Alto Firewalls
- PAN-OS 9.1 and above
- GlobalProtect
- Internal Gateways
Cause
- If multiple internal gateways are configured in the Portal configuration, GlobalProtect will decide which ones to connect to, and this may result in multiple Internal Gateways being connected to at the same time.
- In the example below, GlobalProtect logs show 2 internal gateway connections at the same time.
Note: The logs mentioned below are found in "pan_gp_event.log" or "PanGPS.log". To collect them, refer to View and Collect GlobalProtect Logs.
[Info ]: Auto Gateway login finished with address 10.50.10.1 and user John.Doe.
[Info ]: Auto Gateway login finished with address intgateway1.paloalto.local and user John.Doe.
- GlobalProtect logs show that the same Gateway is configured twice: once using an IP address, and a second time using an FQDN.
Gateway 10.50.10.1: ipv4 10.50.10.1, ipv6 , FQDN no
Gateway intgateway1.paloalto.local: ipv4 10.50.10.1, ipv6 , FQDN yes
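The two "Gateway ...: ipv4 ..." lines above are the quickest evidence of a duplicate entry, but on a busy client a PanGPS.log can contain many gateway lines. The following script is an added example, not Palo Alto Networks code: it reads a copy of the log text, groups the gateway definition lines by their IPv4 address, flags any address that appears under more than one configured name, and counts the "Invalid authentication cookie" HIP failures and the resulting network discover events. It assumes the line formats are exactly as quoted in this article; the sample log embedded in the block is constructed from those quoted lines, with one extra non-duplicate gateway (intgateway2.paloalto.local, a made-up name) added to show that it is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample, shaped after the PanGPS.log lines quoted in this article.
# intgateway2.paloalto.local is an invented, correctly configured gateway.
SAMPLE_LOG = """\
[Info ]: Auto Gateway login finished with address 10.50.10.1 and user John.Doe.
[Info ]: Auto Gateway login finished with address intgateway1.paloalto.local and user John.Doe.
Gateway 10.50.10.1: ipv4 10.50.10.1, ipv6 , FQDN no
Gateway intgateway1.paloalto.local: ipv4 10.50.10.1, ipv6 , FQDN yes
Gateway intgateway2.paloalto.local: ipv4 10.50.20.1, ipv6 , FQDN yes
[Info ]: Completed HIP Report check with Gateway intgateway1.paloalto.local.
non-success status of the HIP report check response from gateway 10.50.10.1, user John.Doe, portal PaloAlto, client-ip , error Invalid authentication cookie, md5
Set network discover event because of invalid gateway auth cookie.
"""

# Matches the gateway definition lines as quoted in the article (assumed format).
GATEWAY_RE = re.compile(
    r"^Gateway (?P<name>\S+): ipv4 (?P<ipv4>[^,]*), ipv6 (?P<ipv6>[^,]*), FQDN (?P<fqdn>yes|no)\s*$"
)
COOKIE_FAILURE = "error Invalid authentication cookie"
DISCOVER_EVENT = "Set network discover event because of invalid gateway auth cookie"


def parse_gateways(log_text):
    """Return {ipv4: [configured gateway names]} from the 'Gateway <name>: ipv4 ...' lines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = GATEWAY_RE.match(line.strip())
        if not m:
            continue
        ipv4 = m.group("ipv4").strip()
        if ipv4:
            by_ip[ipv4].append(m.group("name"))
    return dict(by_ip)


def find_duplicate_gateways(log_text):
    """Addresses that appear under more than one name, e.g. once as IP and once as FQDN."""
    return {ip: names for ip, names in parse_gateways(log_text).items() if len(names) > 1}


def count_cookie_failures(log_text):
    """HIP report checks rejected with 'Invalid authentication cookie'."""
    return sum(1 for line in log_text.splitlines() if COOKIE_FAILURE in line)


def count_discover_events(log_text):
    """Network discover events that force every gateway to log out and reconnect."""
    return sum(1 for line in log_text.splitlines() if DISCOVER_EVENT in line)


def diagnose(log_text):
    """Human-readable findings; an empty list means the duplicate-gateway symptom was not seen."""
    findings = []
    for ip, names in find_duplicate_gateways(log_text).items():
        findings.append(f"duplicate gateway: {ip} is configured as {', '.join(names)}")
    failures = count_cookie_failures(log_text)
    events = count_discover_events(log_text)
    if failures:
        findings.append(f"{failures} HIP report check(s) failed with an invalid authentication cookie")
    if events:
        findings.append(f"{events} network discover event(s) caused by an invalid gateway auth cookie")
    return findings


if __name__ == "__main__":
    # To run against a real client log, replace SAMPLE_LOG with the file contents,
    # e.g. open("PanGPS.log", encoding="utf-8", errors="replace").read()
    for finding in diagnose(SAMPLE_LOG) or ["no duplicate-gateway symptom found"]:
        print(finding)
```

A duplicate entry in the output is the configuration to remove on the Portal; the failure and event counts tell you how often the reconnect cycle has already fired in the captured log.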
- After logging in, a HIP Report Check is performed against each gateway. If the same gateway is in the list twice, one check will succeed and the other will fail due to an invalid authentication cookie.
Success:
[Info ]: Completed HIP Report check with Gateway intgateway1.paloalto.local.
Failure:
non-success status of the HIP report check response from gateway 10.50.10.1, user John.Doe, portal PaloAlto, client-ip , error Invalid authentication cookie, md5
- This failure causes a network discovery event:
Set network discover event because of invalid gateway auth cookie.
- This causes all gateways to be logged out and reconnected to:
Logging out gateway, reason is Network discover
Logging out gateway 0, 10.50.10.1
Logging out gateway 1, intgateway1.paloalto.local
Resolution
- A gateway must not be configured twice, even if the entries are entered using different address methods (IP and FQDN).
- Configure the gateway only once, by removing the duplicate configuration.
- Commit the configuration.