GlobalProtect
Troubleshoot Clientless VPN
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
- 10.1 & Later
- 9.1 (EoL)
-
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- 6.1
- 6.0
- 5.1
-
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
End-of-Life (EoL)
Troubleshoot Clientless VPN
Because this feature involves dynamic re-writing of
HTML applications, the HTML content for some applications may not re-write
correctly and break the application. If issues occur, use the commands
in the following table to help you identify the likely cause:
Action | Command |
---|---|
CLI Commands | |
List the version of Clientless VPN dynamic
content being used You can also view the dynamic update version
from the DeviceDynamic UpdatesGlobalProtect Clientless VPN. | show system setting ssl-decrypt memory
proxy uses shared allocator
SSL certificate cache:
Current Entries: 1
Allocated 1, Freed 0
Current CRE (61-62) : 3456 KB (Actual 3343 KB)
Last CRE (60-47) : 3328 KB (Actual 3283 KB) In
this example, the current dynamic update is version 61-62, and the
last installed dynamic update is version 60-47. |
List active (current) users of Clientless
VPN | show global-protect-portal current-user portal GPClientlessPortal filter-user all-users
GlobalProtect Portal : GPClientlessPortal
Vsys-Id : 1
User : paloaltonetworks.com\johndoe
Session-id : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP : 5.5.5.5
Inactivity Timeout : 1800
Seconds before inactivity timeout : 1750
Login Lifetime : 10800
Seconds before login lifetime : 10748
Total number of user sessions: 1 |
Show DNS resolution results This can
be useful to determine if there are DNS issues. If there is a DNS issue,
you will notice querying against an FQDN that was not resolvable
in the CLI output. | show system setting ssl-decrypt dns-cache
Total DNS cache entries: 89
Site IP Expire(secs) Interface
bugzilla.panw.local 10.0.2.15 querying 0
www.google.com 216.58.216.4 Expired 0
stats.g.doubleclick.net 74.125.199.154 Expired 0 |
Show all Clientless VPN user sessions and
cookies stored | show
system setting ssl-decrypt gp-cookie-cache
User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0,
Client-ip: 199.167.55.50 |
Show rewrite-stats This is useful
to identify the health of the Clientless VPN rewrite engine. Refer
to Table:
Rewrite Engine Statistics for information on rewrite statistics
and their meaning or purpose. | show system setting ssl-decrypt rewrite-stats
Rewrite Statistics
initiate_connection : 11938
setup_connection : 11909
session_notify_mismatch : 1
reuse_connection : 37
file_end : 4719
packet : 174257
packet_mismatch_session : 1
peer_queue_update_rcvd : 167305
peer_queue_update_sent : 167305
peer_queue_update_rcvd_failure: 66
setup_connection_r : 11910
packet_mismatch_session_r : 22
pkt_no_dest : 23
cookie_suspend : 2826
cookie_resume : 2826
decompress : 26
decompress_freed : 26
dns_resolve_timeout : 27
stop_openend_response : 43
received_fin_for_pending_req : 26
Destination Statistics
To mp : 4015
To site : 12018
To dp : 17276
Return Codes Statistics
ABORT : 18
RESET : 30
PROTOCOL_UNSUPPORTED : 7
DEST_UNKNOWN : 10
CODE_DONE : 52656
DATA_GONE : 120359
SWITCH_PARSER : 48
INSERT_PARSER : 591
SUSPEND : 2826
Total Rewrite Bytes : 611111955
Total Rewrite Useconds : 6902825
Total Rewrite Calls : 176545 |
Debug Commands | |
Enable debug logs on the firewall running
Clientless VPN Portal | debug dataplane packet-diag set log feature ssl all debug dataplane packet-diag set log feature misc all debug dataplane packet-diag set log feature proxy all debug dataplane packet-diag set log feature flow basic debug dataplane packet-diag set log on |
Enable packet capture on the
firewall running the Clientless VPN Portal | debug dataplane packet-diag set capture username <portal-username> debug dataplane packet-diag set capture stage clientless-vpn-client file <clientless-vpn-client-file> debug dataplane packet-diag set capture stage clientless-vpn-server file <clientless-vpn-server-file> debug dataplane packet-diag set capture stage firewall file <firewall-file> debug dataplane packet-diag set capture stage receive file <receive-file> debug dataplane packet-diag set capture stage transmit file <transmit-file> debug dataplane packet-diag set capture on When
you execute packet capture commands, a consent page appears after
end users log in to the Clientless VPN portal, informing them that
the packets captured during their user session will contain unencrypted
(clear-text) data. If users consent to the packet capture session,
they then proceed to the applications landing page, where packet
capture begins. If users do not consent to the packet capture session,
they are logged out of the Clientless VPN portal and must contact
an administrator to proceed with a regular user session (without packet
capture). If you execute packet capture commands for user
sessions that are already in progress, those users are automatically
logged out of the Clientless VPN portal and must log back in to
accept or decline the packet capture session. |
Show packet capture files | debug dataplane packet-diag show setting
----------------------------------------------------------
Packet diagnosis setting:
----------------------------------------------------------
Packet filter
Enabled: no
Match pre-parsed packet: no
----------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
----------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Username: test1
Stage clientless-vpn-client: file client.pcap
Captured: packets - 3558 bytes - 11366322
Maximum: packets - 0 bytes - 0
Stage clientless-vpn-server: file server.pcap
Captured: packets - 1779 bytes - 5651923
Maximum: packets - 0 bytes - 0
---------------------------------------------------------- |
Export packet capture files to a Secure
Copy (SCP) server | scp export filter-pcap + remote-port SSH port number on remote host + source-ip Set source address to specified interface address * from from * to Destination (username@host:path) scp export filter-pcap from <source-file> to <scp-server> Destination (username@host:path) |
Statistic | Description |
---|---|
initiate_connection_failure | Connection initiation failed to back-end
host |
setup_connection_failure | Connection setup failed |
setup_connection_duplicate | Duplicate peer session exists |
session_notify_mismatch | Mostly invalid session |
packet_mismatch_session | Failed to find right session for incoming
packet |
peer_queue_update_rcvd_failure | Session was invalid when packet update received
by peer |
peer_queue_update_sent_failure | Failed to send packet updates to peer or
failed to send packet queue length updates to peer |
exceed_pkt_queue_limit | Too many packets queued |
proxy_connection_failure | Proxy connection failed |
setup_connection_r | Installing the peer session to the application
server. This value should match the values for initiate_connection and setup_connection. |
setup_connection_duplicate_r | Duplicate sessions already in proxy |
setup_connection_failure_r | Failed to set up the peer session |
session_notify_mismatch_r | Peer session not found |
packet_mismatch_session_r | Peer session not found when trying to get
the packet |
exceed_pkt_queue_limit_r | Too many packets held |
unknown_dest | Failed to find destination host |
pkt_no_dest | No destination for this packet |
cookie_suspend | Suspended session to fetch cookies |
cookie_resume | Received response from MP with updated cookies.
This value generally matches the value of cookie_suspend. |
decompress_failure | Failed to decompress |
memory_alloc_failure | Failed to allocate memory |
wait_for_dns_resolve | Suspended session to resolve DNS requests |
dns_resolve_reschedule | Rescheduled DNS query due to no response
(retry before timeout) |
dns_resolve_timeout | DNS query timeout |
setup_site_conn_failure | Failed to setup connection to site (proxy,
DNS) |
site_dns_invalid | DNS resolve failed |
multiple_multipart | Multi-part content-type processed |
site_from_referer | Received the back-end host from referrer.
This can indicate failed rewrite links from flash or other content
which Clientless VPN does not rewrite. |
received_fin_for_pending_req | Received FIN from server for pending request
from client |
unmatched_http_state | Unexpected HTTP content. This can indicate
an issue parsing the http headers or body. |