GlobalProtect agent fails to connect and shows "Invalid portal" after the user logs in to an endpoint.

Created On 12/19/19 08:52 AM - Last Modified 06/15/22 03:18 AM


Symptom
The GlobalProtect connect method "User-logon (Always On)" enables the agent to connect to the portal automatically after the user logs in:

User-added image

Instead of a successful connection, the agent shows "Invalid portal".
 


Environment
In environments where endpoints face an initial delay in connecting to the network, the agent is not able to connect to the portal.
The snapshot below shows that the ping results in "General Failure" and the network adapter icon on the taskbar shows no internet connection.

(snapshot1):
User-added image

Even after network connectivity is established, the agent stays in the "Not Connected" state and does not attempt to connect to the portal.
The snapshot below shows that ping responses are arriving and the network adapter icon on the taskbar also shows an internet connection.

(snapshot2):
User-added image

When the user clicks the "Connect" option, the user is prompted to enter a username and password to connect to the portal.

(snapshot3):
User-added image


Cause
This behaviour occurs because the network is unavailable when the agent tries to connect to the portal.
At the same time, the agent also tries to use the cached portal configuration, but it fails to do so because the user is empty.
The portal status is set to "Invalid portal" and the state is set to Disconnected, after which the agent does not attempt to connect again.

Below is a sample of PanGPS.log from the GlobalProtect agent logs:

(T4332) 12/18/19 12:14:01:278 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:14:01:278 Debug(4114): TriggerCaptivePortalDetection()  return due to captive portal detection is in progress (0) or PreLogin is Done (1) 
(T4332) 12/18/19 12:14:01:294 Debug(5786): Network is not available
(T4332) 12/18/19 12:14:01:294 Debug(6916): Failed to get portal config from portal 172.16.59.1.
(T4332) 12/18/19 12:14:01:294 Debug(6944): Try to restore last portal config from file.
(T4332) 12/18/19 12:14:01:294 Debug(6986): Skip retrieve cached portal configuration for empty user
(T4332) 12/18/19 12:14:01:294 Debug(6936): portal status is Invalid portal.
(T4332) 12/18/19 12:14:01:294 Debug(5720): --Set state to Disconnected


Snapshot3 from the Environment section also shows an empty username and password.

Checking the portal configuration shows that the "Save User Credential" option is set to 'No':
User-added image


Resolution
This issue with the "User-logon (Always On)" connect method can be avoided by setting the "Save User Credential" option to either 'Yes' or "Save Username Only":

User-added image

If there is an initial delay in the endpoint connecting to the network, the agent will not set the state to "Invalid portal" and will continue using the cached portal configuration:

(T4332) 12/18/19 12:29:09:449 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:29:09:449 Debug(4114): TriggerCaptivePortalDetection()  return due to captive portal detection is in progress (0) or PreLogin is Done (1) 
(T4332) 12/18/19 12:29:09:465 Debug(5786): Network is not available
(T4332) 12/18/19 12:29:09:715 Debug(6936): portal status is Using cached portal config.


As long as the endpoint has no network connectivity, the agent stays in the connecting state:

User-added image

Once network connectivity is available, the agent makes a successful connection without any user intervention:

User-added image
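
To check collected PanGPS.log files for the failing sequence described under Cause, as opposed to the cached-config sequence shown above, the following added example (not part of the original article and not Palo Alto Networks code) classifies each pre-login attempt. It assumes the line layout of the two excerpts in this article and that all lines of one attempt share a thread id; the function name and verdict labels are made up for this example.

```python
import re

# Line layout in the article's excerpts: (T<thread>) <date> <time> Debug(<id>): <message>
LINE_RE = re.compile(r"^\((T\d+)\)\s+(\S+ \S+)\s+\w+\(\s*\d+\):\s?(.*)$")
STATUS = "portal status is "

def classify_prelogin_attempts(lines):
    """Return one record per 'Portal Pre-login starts' block, tracked per thread."""
    attempts, current = [], {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines in any other format are ignored
        thread, ts, msg = m.group(1), m.group(2), m.group(3).strip()
        if msg == "----Portal Pre-login starts----":
            current[thread] = {"start": ts, "no_network": False,
                               "empty_user": False, "verdict": "incomplete"}
            attempts.append(current[thread])
        elif thread in current:
            rec = current[thread]
            if msg == "Network is not available":
                rec["no_network"] = True
            elif msg == "Skip retrieve cached portal configuration for empty user":
                rec["empty_user"] = True
            elif msg.startswith(STATUS):
                status = msg[len(STATUS):].rstrip(".")
                if status == "Invalid portal" and rec["no_network"] and rec["empty_user"]:
                    rec["verdict"] = "stuck-no-cached-user"  # failure described under Cause
                elif status == "Using cached portal config":
                    rec["verdict"] = "cached-config-ok"  # behaviour after the fix
                else:
                    rec["verdict"] = "other: " + status
                del current[thread]  # attempt finished; later lines are not part of it
    return attempts

# Sample input: lines taken from the two PanGPS.log excerpts in this article.
SAMPLE = """\
(T4332) 12/18/19 12:14:01:278 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:14:01:294 Debug(5786): Network is not available
(T4332) 12/18/19 12:14:01:294 Debug(6916): Failed to get portal config from portal 172.16.59.1.
(T4332) 12/18/19 12:14:01:294 Debug(6986): Skip retrieve cached portal configuration for empty user
(T4332) 12/18/19 12:14:01:294 Debug(6936): portal status is Invalid portal.
(T4332) 12/18/19 12:29:09:449 Debug(5765): ----Portal Pre-login starts----
(T4332) 12/18/19 12:29:09:465 Debug(5786): Network is not available
(T4332) 12/18/19 12:29:09:715 Debug(6936): portal status is Using cached portal config.
""".splitlines()
if __name__ == "__main__":
    for rec in classify_prelogin_attempts(SAMPLE):
        print(rec["start"], rec["verdict"])
```

A "stuck-no-cached-user" verdict on an endpoint points at the "Save User Credential" setting covered in the Resolution.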

