Unable to Connect to Prisma Access Gateway Due to TCP Connection Timeout

Created On 10/30/22 09:19 AM - Last Modified 05/23/24 22:45 PM


Symptom


  • When a user is unable to connect to the Prisma Access gateway because of a TCP connection timeout, the following messages appear in PanGPS.log:
18:19:49:192 Network is reachable
18:19:54:259 connect failed with 5 seconds timeout.
18:19:54:259 Failed to connect to xxx.xxx.xxx.xxx on 443 with return value -1 and socket error 0(0)
18:19:55:814 do_tcp_connect() failed
18:19:55:814 ConnectSSL: Failed to connect to 'xxx.xxx.xxx.xxx:443'. Disconnect ssl.
18:19:55:814 Cannot get server cert of xxx.xxx.xxx.xxx
18:19:55:814 Already tried both ipv4 and ipv6 for gateway australia-south-yyy.zzz.gw.gpcloudservice.com
18:19:55:814 pretunnel latency (manual gateway) is 1
18:19:55:814 Failed to connect to gateway australia-south-yyy.zzz.gw.gpcloudservice.com.
18:19:55:814 pg, error message for manual select gateway will not show.
18:19:55:814 Show Gateway Australia South: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
  • The GlobalProtect client UI shows only a generic Connection Failed error message.
Note: The gateway name and IP address in the sample log above are for representative purposes only.
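To confirm this signature across a collected PanGPS.log instead of reading it by eye, the following added example (not Palo Alto Networks code) extracts each TCP connect timeout with its timeout value, target and gateway. It assumes log lines are worded as in the excerpt above; the function name and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample mirroring the excerpt above (placeholder address and gateway name).
SAMPLE_LOG = """\
18:19:49:192 Network is reachable
18:19:54:259 connect failed with 5 seconds timeout.
18:19:54:259 Failed to connect to xxx.xxx.xxx.xxx on 443 with return value -1 and socket error 0(0)
18:19:55:814 do_tcp_connect() failed
18:19:55:814 Already tried both ipv4 and ipv6 for gateway australia-south-yyy.zzz.gw.gpcloudservice.com
18:19:55:814 Failed to connect to gateway australia-south-yyy.zzz.gw.gpcloudservice.com.
"""

STAMP_RE = re.compile(r"\b(\d{2}:\d{2}:\d{2}:\d{3})\b")
TIMEOUT_RE = re.compile(r"connect failed with (\d+) seconds timeout")
TARGET_RE = re.compile(r"Failed to connect to (\S+) on (\d+) with return value")
GATEWAY_RE = re.compile(r"Failed to connect to gateway (\S+?)\.?$")


def find_tcp_timeouts(log_text):
    """Return one dict per TCP connect timeout found in PanGPS.log text."""
    events, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = TIMEOUT_RE.search(line)
        if hit:
            stamp = STAMP_RE.search(line)
            current = {"time": stamp.group(1) if stamp else None,
                       "timeout_s": int(hit.group(1)),
                       "target": None, "port": None, "gateway": None}
            events.append(current)
            continue
        if current is None:
            continue  # ignore lines that are not part of a timeout sequence
        hit = TARGET_RE.search(line)
        if hit and current["target"] is None:
            current["target"], current["port"] = hit.group(1), int(hit.group(2))
            continue
        hit = GATEWAY_RE.search(line)
        if hit:
            current["gateway"] = hit.group(1)
            current = None  # gateway failure line closes the sequence
    return events


if __name__ == "__main__":
    for event in find_tcp_timeouts(SAMPLE_LOG):
        print(event)
```

A `timeout_s` of 5 on every event points at the new default described under Cause rather than a custom app setting.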
 


Environment


  • Prisma Access Mobile Users
  • GlobalProtect (GP) App


Cause


  • Starting with Content Release version 777-4484, the default TCP connection timeout value is 5 seconds (the previous default value was 60 seconds).
  • The GlobalProtect client does not receive a response to its TCP connection request from the Prisma Access gateway within the 5-second window.
  • The connection now fails due to the TCP connection timeout.


Resolution


Increase the TCP connection timeout setting so that the GlobalProtect client waits longer for the Prisma Access gateway to respond to its TCP connection request.

To change the TCP connection timeout setting on Panorama managed Prisma Access:

  1. Navigate to Templates > Network and select the Mobile Users template from the Template drop-down list.
  2. Navigate to GlobalProtect > Portals > [portal-config] > Agent > [agent-config] > App. Locate TCP Connection Timeout (sec) and change the value accordingly (default is 5 seconds).
  3. Click OK to apply the changes.
  4. Commit and push the new config to Prisma Access.
  5. The GlobalProtect client obtains the new app setting upon successful connection to the Portal.

To change the TCP connection timeout setting on Cloud managed Prisma Access:

  1. Navigate to https://sase.paloaltonetworks.com/ and sign in with your account.
  2. On the left pane menu, select Manage > Service Setup > GlobalProtect > GlobalProtect App.
  3. Navigate to App Settings > [app-setting-config] > App Configuration > Show Advanced Options.
  4. Navigate to Connection Behavior > TCP Connection Timeout (sec) and change the value accordingly (default is 5 seconds).
  5. Click Save to apply the changes.
  6. Push the config to Prisma Access.
  7. The GlobalProtect client obtains the new app setting upon successful connection to the Portal.
 
 


Additional Information


GlobalProtect Portals Agent App Tab
