Stuck at connecting Global Protect

What is happening when Global Protect is stuck on Connecting, we have pre logon (Always on)?

Answer will be in the logs as usual

You’re going to need to provide more useful information for anyone to provide a useful answer.

If you can’t see anything on the firewall’s GP logs, you’ll get a decent suggestion by exporting the client logs and checking the GPA file.

Confirm that your Palo Alto FW (or both, if you have two in HA mode) has the correct NTP. We were experiencing not a stuck connection but users unable to connect due to Cookie Expired. But also look at the GlobalProtect logs. If you have support with a vendor, open a ticket.

Global Protect 6.2.1 version

I was hoping someone has had similar problems

What version of PAN-OS?

See if you can ping the GW or portal from the client. We had an issue where the IP was blocked because of brute-force detection kicking in and blocking the user’s IP. Once I cleared that, the user could connect. Doubt it is your issue, but thought I would offer this.

Yeah, I know that. I did go through the logs but I just don’t see anything

That’s right, the user is trying to connect after successfully authenticating (username, password and OTP) but it was stuck at retrieving portal configuration. Can pre-logon cause this error? I can’t provide logs

A common issue I’ve found (if this happens post authentication, as you’ve suggested in another comment) is that the GP gateway is trying to assign config which will include an IP from the GP pool, but the host machine already has an IP in the same subnet from the local DHCP server (i.e. home ISP router).

The machine won’t allow two interfaces with the same network so, it just fails to successfully assign an address.

Easy workaround is to use two pools for the gateway. If it can’t assign an address from 192.168.0.0/25 then it can try again from 172.16.0.0/24.

Make sure the two subnets are diverse enough (like in my example above) to be certain the host isn’t using a supernet that covers both pools you offer.

HTH
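The two-pool fallback and the "diverse enough" check from the comment above, as an added example that is not part of the original post and is not GlobalProtect's own logic. The function names and client addresses are constructed for illustration; the pools are the ones the comment uses.

```python
import ipaddress
from itertools import combinations

# Private ranges a home or ISP router could plausibly hand out (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def first_usable_pool(local_ifaces, pools):
    """Return the first gateway pool that overlaps none of the client's
    local networks, or None if every pool collides (hypothetical model)."""
    local_nets = [ipaddress.ip_interface(i).network for i in local_ifaces]
    for pool in pools:
        net = ipaddress.ip_network(pool)
        if not any(net.overlaps(local) for local in local_nets):
            return pool
    return None


def shared_private_block(pool_a, pool_b):
    """Return the RFC 1918 block containing both pools, if any. A client
    LAN configured as that whole block would collide with both pools."""
    a, b = ipaddress.ip_network(pool_a), ipaddress.ip_network(pool_b)
    for block in RFC1918:
        if a.subnet_of(block) and b.subnet_of(block):
            return str(block)
    return None


def weak_pool_pairs(pools):
    """List pool pairs that one client supernet could cover at once."""
    pairs = []
    for a, b in combinations(pools, 2):
        block = shared_private_block(a, b)
        if block:
            pairs.append((a, b, block))
    return pairs


if __name__ == "__main__":
    pools = ["192.168.0.0/25", "172.16.0.0/24"]   # pools from the comment
    for client in ("192.168.0.23/24", "10.1.2.3/8"):  # constructed clients
        print(client, "->", first_usable_pool([client], pools))
    print("weak pairs:", weak_pool_pairs(pools))
```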

Thank you for the response. It’s not in HA mode, I will check NTP, but we noticed cookie expired errors in the logs too. Do your cookies expire randomly? I assume you can’t connect with an expired cookie. Why is the firewall using an expired cookie in the first place? Is it a bug? It should generate a new one.

Try to restart your machine?

Try 6.2.2, it fixed it for us. Related to a known issue in the driver according to TAC. Look in PanGPS.log for a line like “DRBG selftest: failed”.

Thank you for the response. What do you mean by brute force kicking in?

Thank you for this detailed response, I will do exactly as you say

Can I message you about some other issue that I am encountering in our environment, something with OTP password and connection failure.

I am not sure it’s a bug issue. Again, for us when we noticed VPN clients couldn’t connect and then I checked the logs under GlobalProtect, it would display “cookie expired”. I did open a ticket with support and performed troubleshooting. They also thought it was a bug but at the end, I did heavy research and found the solution, which was the NTP. We were pointing the NTP to our domain controllers. After updating to a public NTP, it fixed the issue. Again, our issue with GP was not getting stuck on connecting but that it could not validate their accounts.

Thank you for the response. I can disconnect and connect again, but I’m interested in why this is happening