Not working after update to v2.1.4 #346

Open
rednag opened this issue Apr 15, 2024 · 26 comments


rednag commented Apr 15, 2024

Describe the bug
Trying to connect to our portal and I'm getting the following error

Connection Failed
error sending request for url (https://...): error trying to connect: dns error: failed to lookup address information: Name or service not known

Expected behavior
Connecting to the GP portal.

Screenshots
If applicable, add screenshots to help explain your problem.

Logs

[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Connecting to the portal: p**********m...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-15T12:40:00Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:00Z INFO  gpapi::portal::prelogin] Prelogin with params: {"clientVer": "4100", "clientos": "Linux", "os-version": "Linux Ubuntu 22.04.4 LTS", "default-browser": "1", "cas-support": "yes", "tmp": "tmp", "ipv6-support": "yes"}
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Failed to connect the gateway directly: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Trying to connect portal with cached credential...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-15T12:40:00Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-15T12:40:00Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Failed to connect portal with cached credential: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Trying to connect the portal with prelogin...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Performing portal prelogin...
[2024-04-15T12:40:00Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:00Z INFO  gpapi::portal::prelogin] Prelogin with params: {"os-version": "Linux Ubuntu 22.04.4 LTS", "tmp": "tmp", "default-browser": "1", "ipv6-support": "yes", "clientVer": "4100", "cas-support": "yes", "clientos": "Linux"}
[2024-04-15T12:40:01Z INFO  gpgui::portal_connector] Authenticating portal...
[2024-04-15T12:40:01Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-15T12:40:01Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-15T12:40:01Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/442cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=l**********%3D&RelayState=N**********%3D
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-15T12:40:04Z INFO  gpauth::auth_window] Loaded uri: https://p**********m/SAML20/SP/ACS
[2024-04-15T12:40:04Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-15T12:40:04Z INFO  gpauth::auth_window] Got auth data from headers
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-15T12:40:04Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-15T12:40:04Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Gateway login failed: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-15T12:40:04Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:04Z INFO  gpapi::portal::prelogin] Prelogin with params: {"tmp": "tmp", "cas-support": "yes", "clientos": "Linux", "default-browser": "1", "clientVer": "4100", "ipv6-support": "yes", "os-version": "Linux Ubuntu 22.04.4 LTS"}
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Trying to connect the portal as a gateway...
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: p**********m...
[2024-04-15T12:40:04Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-15T12:40:04Z INFO  gpapi::portal::prelogin] Prelogin with params: {"cas-support": "yes", "clientVer": "4100", "os-version": "Linux Ubuntu 22.04.4 LTS", "tmp": "tmp", "default-browser": "1", "clientos": "Linux", "ipv6-support": "yes"}
[2024-04-15T12:40:05Z WARN  gpgui::portal_connector] Failed to connect to the portal: Portal prelogin error: Prelogin failed: GlobalProtect gateway does not exist

Environment:

OS: Ubuntu 22.04
Desktop Environment: GNOME
user 3883 0.0 0.0 241356 7100 ? Sl Mär23 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
Is remote SSH? No

Additional context
The free to use version worked out of the box and now I have a demo version which is not working?

Owner

yuezk commented Apr 15, 2024

@rednag Have you ever tried switching the gateway from the menu?

Author

rednag commented Apr 15, 2024

Yes, does not work.

Owner

yuezk commented Apr 15, 2024

The information I got from the logs is:

  • Your portal has two gateways
  • The client tried to connect to one of the gateways but it reported an error `failed to lookup address information: Name or service not known`
  • Then the client tried to connect the portal address as a gateway, but it reported `GlobalProtect gateway does not exist`.

Looks like the key is that the gateway is not reachable from your machine.

@rednag Can you try `ping <gateway address>` from your machine to see if the gateway is reachable? The `<gateway address>` is the address you redacted in the logs.
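
The log triage described in the comment above, as an added example that is not part of the original thread or the project's code: a Python script that groups `gpgui::portal_connector` lines by connection strategy and classifies each failure. The strategy phrases and error strings come from the 2.1.4 log in this issue; the class names, function names and `SAMPLE_LOG` (abbreviated from that log) are this example's own.

```python
import re
from dataclasses import dataclass, field

# "[<timestamp> <LEVEL>  <module>] <message>" as written by the 2.x client.
LINE_RE = re.compile(
    r"^\[(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<module>[\w:]+)\]\s+(?P<msg>.*)$"
)

# Messages that open a new connection strategy (phrases taken from the issue's log).
STRATEGIES = {
    "Trying to connect the gateway directly": "gateway-direct",
    "Trying to connect portal with cached credential": "portal-cached-credential",
    "Trying to connect the portal with prelogin": "portal-prelogin",
    "Trying to connect the portal as a gateway": "portal-as-gateway",
}

# Failure classes are this example's own labels for error strings seen in the log.
FAILURE_CLASSES = [
    ("dns", re.compile(r"dns error|failed to lookup address information")),
    ("tls", re.compile(r"TLS error|certificate verify failed|UNKNOWN_CA")),
    ("no-such-gateway", re.compile(r"GlobalProtect gateway does not exist")),
    ("stale-credential", re.compile(r"Cached credential is stale")),
]
FAILURE_LINE_RE = re.compile(r"^(Failed to connect|Gateway login failed)")
HOST_RE = re.compile(r"https://([^/\s)]+)")
GATEWAYS_RE = re.compile(r"Retrieved (\d+) gateway\(s\)")

# Constructed sample: lines abbreviated from the 2.1.4 log posted in this issue.
SAMPLE_LOG = """\
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Connecting to the portal: p**********m...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Failed to connect the gateway directly: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Trying to connect portal with cached credential...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Failed to connect portal with cached credential: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:00Z INFO  gpgui::portal_connector] Trying to connect the portal with prelogin...
[2024-04-15T12:40:03Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Gateway login failed: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-15T12:40:04Z INFO  gpgui::portal_connector] Trying to connect the portal as a gateway...
[2024-04-15T12:40:05Z WARN  gpgui::portal_connector] Failed to connect to the portal: Portal prelogin error: Prelogin failed: GlobalProtect gateway does not exist
"""


@dataclass
class Attempt:
    strategy: str
    # Each failure is (failure_class, host from the failing URL or None).
    failures: list = field(default_factory=list)


def classify(msg):
    """Map an error message to the first matching failure class."""
    for name, pattern in FAILURE_CLASSES:
        if pattern.search(msg):
            return name
    return "other"


def summarize(log_text):
    """Return (gateway_count, attempts) for the connector lines in log_text."""
    attempts, gateway_count, current = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        # Only the connector module reports strategy outcomes; the auth window
        # logs its own "Failed to read ..." lines that are not connection errors.
        if not m or m["module"] != "gpgui::portal_connector":
            continue
        msg = m["msg"]
        for phrase, name in STRATEGIES.items():
            if msg.startswith(phrase):
                current = Attempt(name)
                attempts.append(current)
                break
        else:
            found = GATEWAYS_RE.search(msg)
            if found:
                gateway_count = int(found.group(1))
            elif current is not None and FAILURE_LINE_RE.match(msg):
                host = HOST_RE.search(msg)
                current.failures.append(
                    (classify(msg), host.group(1) if host else None)
                )
    return gateway_count, attempts


def dns_failed_hosts(attempts):
    """Hostnames the client could not resolve: the names to check on the machine."""
    return sorted({h for a in attempts for c, h in a.failures if c == "dns" and h})


if __name__ == "__main__":
    count, attempts = summarize(SAMPLE_LOG)
    print(f"gateways advertised by portal: {count}")
    for a in attempts:
        print(f"{a.strategy}: {a.failures}")
    print("unresolved hosts:", dns_failed_hosts(attempts))
```
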

Author

rednag commented Apr 16, 2024

The address is pingable and with 1.4.8 the connection is established.

Owner

yuezk commented Apr 16, 2024

It's weird since the host resolving is done by the OS and I didn't intercept it. I will continue working on investigating why it couldn't resolve the gateway host name by checking if the modules I used have this limitation.

On the other hand, would you mind sending me the work logs of the old client?

Author

rednag commented Apr 17, 2024

If you can tell me where they are stored, since the location of the logs must be different, because `~/.local/share/gpclient/gpclient.log` is still the one from 2.1.4.

Owner

yuezk commented Apr 17, 2024

The old client won't log into a file. Instead, you need to run gpclient in the Terminal and collect the outputs.

Author

rednag commented Apr 17, 2024

`2024-04-17 11:38:03.995 INFO [33540] [main@24] GlobalProtect started, version: 1.4.8+28snapshot.g4a3f74f
libGL error: failed to open /dev/dri/card0: Permission denied
libGL error: failed to open /dev/dri/card0: Permission denied
libGL error: failed to load driver: iris
2024-04-17 11:38:04.115 INFO [33540] [GPClient::populateGatewayMenu@133] Populating the Switch Gateway menu...
2024-04-17 11:38:05.748 INFO [33540] [GPClient::populateGatewayMenu@133] Populating the Switch Gateway menu...
2024-04-17 11:38:05.809 INFO [33540] [GPClient::doConnect@238] Start connecting...
2024-04-17 11:38:05.809 INFO [33540] [GPClient::doConnect@254] Start gateway login using the previously saved gateway...
2024-04-17 11:38:05.809 INFO [33540] [GPClient::gatewayLogin@361] Performing gateway login...
2024-04-17 11:38:05.811 INFO [33540] [GatewayAuthenticator::authenticate@28] Start gateway authentication...
2024-04-17 11:38:05.811 INFO [33540] [GatewayAuthenticator::login@41] Trying to login the gateway at https://xxx.yyy.com/ssl-vpn/login.esp, with prot=https%3A&server=&jnlpReady=jnlpReady&computer=HPd01&ok=Login&direct=yes&clientVer=4100&clientos=win&os-version=Ubuntu 22.04.4 LTS&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=&inputStr=
2024-04-17 11:38:05.982 ERROR [33540] [GatewayAuthenticator::onLoginFinished@53] Failed to login the gateway at https://xxx.yyy.com/ssl-vpn/login.esp, Error transferring https://xxx.yyy.com/ssl-vpn/login.esp - server replied: status code 512
2024-04-17 11:38:05.982 INFO [33540] [GatewayAuthenticator::doAuth@81] Perform the gateway prelogin at https://xxx.yyy.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=win
2024-04-17 11:38:06.016 INFO [33540] [GatewayAuthenticator::onPreloginFinished@98] Gateway prelogin succeeded.
2024-04-17 11:38:06.016 INFO [33540] [PreloginResponse::parse@26] Start parsing the prelogin response...
2024-04-17 11:38:06.016 INFO [33540] [GatewayAuthenticator::samlAuth@152] Trying to perform SAML login with saml-method REDIRECT

DevTools listening on ws://127.0.0.1:12315/devtools/browser/33bae9c6-a46e-4ec9-a8de-2569fe33242d
2024-04-17 11:38:06.068 INFO [33540] [SAMLLoginWindow::login@49] Redirect to https://login.microsoftonline.com/442cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=rVLLTsMwEPyVyHcnjuM%2BYrWVSnugUhEVKRy4IMdxU0vJungdoH9P2oKAS08cVzuax85OULXNQc67sIcH89oZDNFH2wDK82JKOg%2FSKbQoQbUGZdCymN%2BtJY%2BZPHgXnHYNieaIxgfrYOEAu9b4wvg3q83jw3pK9iEcUCZJbXyr4EjR9WpUw95C1WFcHxCONRw5QFy%2F96NuXFfhhSDWrpVCZMlJlLOk2CTzRUGiZW%2FUgjpJ%2Fgg0rrYQt1Z7h24XHDQWzgzJkAtd5mxAOctTKlIjaM7KnJrRcKx3nI8HqUpOiTmJVsspeSkzpbVIMyVMlZeK5UOVam2qasDScVYNexhiZ1aAQUGYEs64oEzQdLRluczGkg2eSbT5OtBNn9RCff2a5QWE8na73dDNfbEl0ZPxeI7YA8hscnIoz8L%2BV0vXadV3NWT2v0VMkl92Zpfp7yfNPgE%3D&RelayState=d2UZAIHVvmUwOWVmZTFmNS1jOWFkLTQ0ZjUtYWExNC02ZDE4MTI3MjA1NmY%3D
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2024-04-17 11:38:06.438 INFO [33540] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from https://login.microsoftonline.com/442cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=rVLLTsMwEPyVyHcnjuM%2BYrWVSnugUhEVKRy4IMdxU0vJungdoH9P2oKAS08cVzuax85OULXNQc67sIcH89oZDNFH2wDK82JKOg%2FSKbQoQbUGZdCymN%2BtJY%2BZPHgXnHYNieaIxgfrYOEAu9b4wvg3q83jw3pK9iEcUCZJbXyr4EjR9WpUw95C1WFcHxCONRw5QFy%2F96NuXFfhhSDWrpVCZMlJlLOk2CTzRUGiZW%2FUgjpJ%2Fgg0rrYQt1Z7h24XHDQWzgzJkAtd5mxAOctTKlIjaM7KnJrRcKx3nI8HqUpOiTmJVsspeSkzpbVIMyVMlZeK5UOVam2qasDScVYNexhiZ1aAQUGYEs64oEzQdLRluczGkg2eSbT5OtBNn9RCff2a5QWE8na73dDNfbEl0ZPxeI7YA8hscnIoz8L%2BV0vXadV3NWT2v0VMkl92Zpfp7yfNPgE%3D&RelayState=d2UZAIHVvmUwOWVmZTFmNS1jOWFkLTQ0ZjUtYWExNC02ZDE4MTI3MjA1NmY%3D
2024-04-17 11:38:06.438 INFO [33540] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-04-17 11:38:06.633 INFO [33540] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from https://xxx.yyy.com/SAML20/SP/ACS
2024-04-17 11:38:06.633 INFO [33540] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-04-17 11:38:06.648 INFO [33540] [SAMLLoginWindow::onLoadFinished@109] Load finished https://xxx.yyy.com/SAML20/SP/ACS
2024-04-17 11:38:06.649 INFO [33540] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-04-17 11:38:06.649 INFO [33540] [SAMLLoginWindow::checkSamlResult@97] Got the SAML authentication information successfully. username: [email protected], preloginCookie: qX8gSsneZlgHRL5uQbRkFR3rZDPXYGnpY6C2eHqQS4s75eMLApHVXM9gWuIt6p1GOs0bvw==, userAuthCookie:
2024-04-17 11:38:06.649 INFO [33540] [GatewayAuthenticator::onSAMLLoginSuccess@175] SAML login succeeded, got the prelogin-cookie qX8gSsneZlgHRL5uQbRkFR3rZDPXYGnpY6C2eHqQS4s75eMLApHVXM9gWuIt6p1GOs0bvw==
2024-04-17 11:38:06.649 INFO [33540] [GatewayAuthenticator::login@41] Trying to login the gateway at https://xxx.yyy.com/ssl-vpn/login.esp, with prot=https%3A&server=&inputStr=&jnlpReady=jnlpReady&passwd=&computer=HPd01&ok=Login&direct=yes&clientVer=4100&clientos=win&os-version=Ubuntu 22.04.4 LTS&portal-prelogonuserauthcookie=&ipv6-support=yes&user=user%40xxx.com&prelogin-cookie=qX8gSsneZlgHRL5uQbRkFR3rZDPXYGnpY6C2eHqQS4s75eMLApHVXM9gWuIt6p1GOs0bvw%3D%3D&portal-userauthcookie=
2024-04-17 11:38:06.650 ERROR [33540] [CDPCommandManager::onSocketError@86] WebSocket error1
2024-04-17 11:38:06.650 INFO [33540] [CDPCommandManager::onSocketDisconnected@81] WebSocket disconnected
2024-04-17 11:38:06.736 INFO [33540] [gpclient::helper::parseGatewayResponse@57] Start parsing the gateway response...
2024-04-17 11:38:06.736 INFO [33540] [gpclient::helper::parseGatewayResponse@58] The gateway response is:



b0a2b72bc513039b185f3749adb
c55858bb101327529f87821a3e123754ee
GlobalProtect_External_Gateway-N
[email protected]
compSaml
vsys1
(empty_domain)




tunnel
-1
4100

arB43D/c896pb1tJr/DvN3E+ZZzhpc/Hx1SJw4kb0zwkL0us9u7Kt90O5smZw9B4pQxPz8+WseC6A4q+S1FhohL8V4MIaq8pNG257p9jSqECa/YjLBuSvWEfABjTwIDQMAZcQoCnNk7V3b8ll9ujL6qHeIGob0iwjxEk/xoZD+JS09xJNhsgjjKyIbpL6DxlmGyxe9yVe6UtG6UqAn1LzuP7uQSpKtRsbAyNVNI5eCHs44VRVrzb3W/iiutaLl3W/g==
aoJgyafUZHcX3hFcZ8xB+A6fqVeEt1Sl533aX/RveYJAPCFLi9cRNhNFd4Ipak7SiiHiLuRsYUfLsq/44VQfFnLEajttVEtEanZBwvCiVZF49G1cEyphUT2zApD1DFLalij06CeRZOcDk42haa34893UsD3EgZVwBAGLYzgQX49wbodaRHomPQZ2LEgC2gwNBr9Zo3llHzSs2vUjIFcjDDM/OikUPfm6q+oRJh54y5/B/Yg20bT3o2MJicE2yESoZIfCYtuP3kYDn54pcIIpwvaQJxOylGrg==

4




2024-04-17 11:38:06.736 INFO [33540] [GPClient::onGatewaySuccess@385] Gateway login succeeded, got the cookie authcookie=b0a2b72bc513036a24f9b185f3749adb&portal=GlobalProtect_External_Gateway-N&user=user%40xxx.com&domain=%28empty_domain%29&preferred-ip=&computer=HPd01
2024-04-17 11:38:06.748 INFO [33540] [GPClient::onVPNLogAvailable@518] Output of openconnect --version: OpenConnect version v8.20-1
Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

2024-04-17 11:38:06.748 INFO [33540] [GPClient::onVPNLogAvailable@518] Got extra OpenConnect args for server: xxx.yyy.com,
2024-04-17 11:38:06.748 INFO [33540] [GPClient::onVPNLogAvailable@518] Start process with arugments: --protocol=gp, -u, , --cookie-on-stdin, xxx.yyy.com
2024-04-17 11:38:06.749 INFO [33540] [GPClient::onVPNLogAvailable@518] Openconnect started successfully, PID=33638
2024-04-17 11:38:06.755 INFO [33540] [GPClient::onVPNLogAvailable@518] POST https://xxx.yyy.com/ssl-vpn/getconfig.esp

2024-04-17 11:38:06.758 INFO [33540] [GPClient::onVPNLogAvailable@518] Attempting to connect to server 120.51.173.237:443

2024-04-17 11:38:06.780 INFO [33540] [GPClient::onVPNLogAvailable@518] Connected to 120.51.173.237:443

2024-04-17 11:38:06.791 INFO [33540] [GPClient::onVPNLogAvailable@518] SSL negotiation with xxx.yyy.com

2024-04-17 11:38:06.833 INFO [33540] [GPClient::onVPNLogAvailable@518] Connected to HTTPS on xxx.yyy.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)

2024-04-17 11:38:06.868 INFO [33540] [GPClient::onVPNLogAvailable@518] Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 17 Apr 2024 09:38:06 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2142
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (2142)

2024-04-17 11:38:06.868 INFO [33540] [GPClient::onVPNLogAvailable@518] Tunnel timeout (rekey interval) is 30 minutes.
Idle timeout is 30 minutes.
Unknown GlobalProtect config tag : 10.2.4-ch210.saas
Unknown GlobalProtect config tag : yes

2024-04-17 11:38:06.868 INFO [33540] [GPClient::onVPNLogAvailable@518] TCP_INFO rcv mss 1328, snd mss 1334, adv mss 1460, pmtu 1500
Using base_mtu of 1500
After removing UDP/IPv4 headers, MTU of 1472
After removing protocol specific overhead (36 unpadded, 2 padded, 16 blocksize), MTU of 1422

2024-04-17 11:38:06.868 INFO [33540] [GPClient::onVPNLogAvailable@518] No MTU received. Calculated 1422 for ESP tunnel

2024-04-17 11:38:06.868 INFO [33540] [GPClient::onVPNLogAvailable@518] POST https://xxx.yyy.com/ssl-vpn/hipreportcheck.esp

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 17 Apr 2024 09:38:06 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 127
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (127)
Gateway says HIP report submission is needed.

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] Parameters for incoming ESP: SPI 0xc854654d
ESP encryption type AES-128-CBC (RFC3602) key 0x635534534cca91c8ec7e1a860d0d8
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0x12cf8c9a45345cfb83cbffa9dc3d2ca34cc920
Parameters for outgoing ESP: SPI 0x585c382e
ESP encryption type AES-128-CBC (RFC3602) key 0x429a3b7fca3e83c6323aa482451e
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0x7b3b07a18366c80864345f3bf0723292bf2351
Send ESP probes
UDP SO_SNDBUF: 28440

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] WARNING: Server asked us to submit HIP report with md5sum a63bfc67f0bf033d01e3232c3a8504c6.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] ICMPv4 probe packet (seq 1) for GlobalProtect ESP:

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] > 0000: 45 00 00 2c 47 47 40 00 40 01 13 08 0a 6e d6 14 |E..,GG@.@....n..|

0010: 00 00 00 00 08 00 0b 08 47 47 00 01 6d 6f 6e 69 |........GG..moni|

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] > 0020: 74 6f 72 00 00 70 61 6e 20 68 61 20 |tor..pan ha |

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] ICMPv4 probe packet (seq 2) for GlobalProtect ESP:

0000: 45 00 00 2c 47 47 40 00 40 01 13 08 0a 6e d6 14 |E..,GG@.@....n..|

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] > 0010: 00 00 00 00 08 00 0b 07 47 47 00 02 6d 6f 6e 69 |........GG..moni|

0020: 74 6f 72 00 00 70 61 6e 20 68 61 20 |tor..pan ha |

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] ICMPv4 probe packet (seq 3) for GlobalProtect ESP:

2024-04-17 11:38:06.904 INFO [33540] [GPClient::onVPNLogAvailable@518] > 0000: 45 00 00 2c 47 47 40 00 40 01 13 08 0a 6e d6 14 |E..,GG@.@....n..|

0010: 00 00 00 00 08 00 0b 06 47 47 00 03 6d 6f 6e 69 |........GG..moni|
0020: 74 6f 72 00 00 70 61 6e 20 68 61 20 |tor..pan ha |

2024-04-17 11:38:06.926 INFO [33540] [GPClient::onVPNLogAvailable@518] ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.

2024-04-17 11:38:06.926 INFO [33540] [GPClient::onVPNLogAvailable@518] Configured as 10.12.214.20, with SSL disconnected and ESP established
Session authentication will expire at Fri May 17 11:38:06 2024
`

Owner

yuezk commented Apr 17, 2024

Thanks for the log.

There is an entry in the old log:

Perform the gateway prelogin at https://xxx.yyy.com/ssl-vpn/prelogin.esp?tmp=tmp&kerb

  1. Can you help confirm whether the original hostname of xxx.yyy.com is the address you input in the portal input field or the 2.x client?
  2. Can you paste the response of https://xxx.yyy.com/ssl-vpn/prelogin.esp?

Thanks.

Author

rednag commented Apr 17, 2024

I'm using the direct hostname of a gateway instead of using the portal address.

Response of curl?

Owner

yuezk commented Apr 17, 2024

> I'm using the direct hostname of a gateway instead of using the portal address.

  • Is this hostname one of the gateway addresses logged in the 2.x log entry:
     Gateway login failed: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
    
  • You can visit the https://xxx.yyy.com/ssl-vpn/prelogin.esp in the browser and paste the response here.

Author

rednag commented Apr 17, 2024

  • Yes

<status>Success</status>
<ccusername/>
<autosubmit/>
<msg/>
<newmsg/>
<license>yes</license>
<authentication-message/>
<username-label/>
<password-label/>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<connected-ip>123.123.123.123</connected-ip>
<krb-norm-username/>
<krb-auth-status>0</krb-auth-status>
<cas-auth/>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method/>
<saml-request-timeout/>
<saml-request-id/>
<saml-request/>
<auth-api>no</auth-api>
<region/>
</prelogin-response>

Owner

yuezk commented Apr 17, 2024

Can you try the 2.x client, input the gateway address into the text field, and change it to gateway?

Click the icon:

image

Change it to gateway:
image

Then connect, and send me the logs.

Author

rednag commented Apr 17, 2024

Ah ok - so with the gateway address it works, but by default the portal address is set.

  1. Connected when set Gateway server, but used default (the portal address)
  2. Connected when set Portal server and used default
  3. Connected when set Gateway server and used Gateway address

[2024-04-17T12:14:21Z INFO  gpservice::cli] gpservice started: 2.1.4 (2024-04-10)
[2024-04-17T12:14:21Z INFO  gpservice::ws_server] WS server listening on port: 34099
[2024-04-17T12:14:21Z INFO  gpapi::process::gui_launcher] Check version failed: No such file or directory (os error 2)
[2024-04-17T12:14:21Z INFO  gpapi::process::gui_helper_launcher] Launching gpgui-helper
[2024-04-17T12:14:21Z INFO  gpgui_helper::cli] gpgui-helper started: 2.1.4 (2024-04-10)
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)

** (gpgui-helper:38099): WARNING **: 14:14:22.968: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-04-17T12:14:22Z INFO  gpgui_helper::updater] Update GUI, version: 2.1.4
[2024-04-17T12:14:22Z INFO  gpgui_helper::updater] Downloading file: https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/gpgui_x86_64.bin.tar.xz
[2024-04-17T12:14:24Z INFO  gpgui_helper::downloader] Content length: 4211244
[2024-04-17T12:14:26Z INFO  gpgui_helper::downloader] Downloaded to: "/tmp/.tmpZTn6dE"
[2024-04-17T12:14:26Z INFO  gpgui_helper::updater] Checksum success
[2024-04-17T12:14:26Z INFO  gpservice::handlers] Update GUI: UpdateGuiRequest { path: "/tmp/.tmpZTn6dE", checksum: "d1b46ea88aff4cc9365206620b0329e1241e680c40c7b5d80b19f7d4e632128b" }
[2024-04-17T12:14:26Z INFO  gpservice::handlers] Verifying checksum
[2024-04-17T12:14:26Z INFO  gpservice::handlers] Installing GUI
[2024-04-17T12:14:26Z INFO  gpservice::handlers] Unpacking GUI archive
[2024-04-17T12:14:26Z INFO  gpgui_helper::updater] Install success
[2024-04-17T12:14:26Z INFO  gpgui_helper::app] Update done
[2024-04-17T12:14:26Z INFO  gpapi::process::gui_helper_launcher] gpgui-helper exited with: exit status: 0
[2024-04-17T12:14:26Z INFO  gpapi::process::gui_launcher] Version check passed: 2.1.4
[2024-04-17T12:14:26Z INFO  gpapi::process::gui_launcher] Launching gpgui
[2024-04-17T12:14:26Z INFO  gpgui::cli] gpgui started: 2.1.4 (2024-04-10)
[2024-04-17T12:14:26Z INFO  gpgui::app] Setting the custom openssl conf path
[2024-04-17T12:14:26Z INFO  gpgui::config::private_data] Found config key in keyring
[2024-04-17T12:14:26Z INFO  gpgui::app::app_initializer] App initialized
[2024-04-17T12:14:26Z INFO  gpgui::ws_connector] Connecting to WS server

** (gpgui:38216): WARNING **: 14:14:26.294: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-04-17T12:14:26Z INFO  gpgui::ws_connector] Received ping
[2024-04-17T12:14:26Z INFO  gpgui::ws_connector] Connected to WS server
[2024-04-17T12:14:26Z INFO  gpservice::handlers] New client connected
[2024-04-17T12:14:26Z INFO  gpservice::ws_server] Sending current VPN state to new client
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:14:26Z INFO  gpgui::handlers::subscription] Sending the init event to client: main
[2024-04-17T12:14:26Z INFO  gpgui::handlers::subscription] Sent the init event to client: main
[2024-04-17T12:14:27Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect
[2024-04-17T12:14:30Z INFO  gpgui::portal_connector] Connecting to the portal: p**********m...
[2024-04-17T12:14:30Z INFO  gpgui::portal_connector] Connecting the portal as a gateway...
[2024-04-17T12:14:30Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: p**********m...
[2024-04-17T12:14:30Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:14:30Z INFO  gpapi::portal::prelogin] Prelogin with params: {"ipv6-support": "yes", "clientVer": "4100", "os-version": "Linux Ubuntu 22.04.4 LTS", "tmp": "tmp", "default-browser": "1", "cas-support": "yes", "clientos": "Linux"}
[2024-04-17T12:14:30Z WARN  gpgui::portal_connector] Failed to connect to the portal: Portal prelogin error: Prelogin failed: GlobalProtect gateway does not exist

** (gpgui:38216): WARNING **: 14:15:16.749: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-04-17T12:15:17Z INFO  gpgui::handlers::subscription] Sending the init event to client: main
[2024-04-17T12:15:17Z INFO  gpgui::handlers::subscription] Sent the init event to client: main
[2024-04-17T12:15:17Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect
[2024-04-17T12:15:32Z INFO  gpgui::portal_connector] Connecting to the portal: p**********m...
[2024-04-17T12:15:32Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-04-17T12:15:32Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-17T12:15:32Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:15:32Z INFO  gpapi::portal::prelogin] Prelogin with params: {"os-version": "Linux Ubuntu 22.04.4 LTS", "cas-support": "yes", "ipv6-support": "yes", "clientos": "Linux", "default-browser": "1", "clientVer": "4100", "tmp": "tmp"}
[2024-04-17T12:15:32Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-04-17T12:15:32Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:15:32Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:15:32Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:38494): WARNING **: 14:15:32.821: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=n**********%3D&RelayState=E**********%3D
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T12:15:34Z WARN  gpauth::auth_window] Failed to load uri: https://g**********m/SAML20/SP/ACS with error: UNKNOWN_CA, cert: TlsCertificate
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] Loaded uri: https://g**********m/SAML20/SP/ACS
[2024-04-17T12:15:34Z INFO  gpauth::auth_window] No response found in main resource
[2024-04-17T12:15:34Z INFO  gpgui::portal_connector] Failed to connect the gateway directly: TLS error: certificate verify failed
[2024-04-17T12:15:34Z INFO  gpgui::portal_connector] Trying to connect portal with cached credential...
[2024-04-17T12:15:34Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-17T12:15:34Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:15:35Z WARN  gpapi::portal::config] Portal config error: reason=auth-failed-invalid-cookie, status=512 <unknown status code>, response=<empty>
[2024-04-17T12:15:35Z INFO  gpgui::portal_connector] Failed to connect portal with cached credential: Cached credential is stale, please try again
[2024-04-17T12:15:35Z INFO  gpgui::portal_connector] Trying to connect the portal with prelogin...
[2024-04-17T12:15:35Z INFO  gpgui::portal_connector] Performing portal prelogin...
[2024-04-17T12:15:35Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:15:35Z INFO  gpapi::portal::prelogin] Prelogin with params: {"default-browser": "1", "clientos": "Linux", "cas-support": "yes", "ipv6-support": "yes", "clientVer": "4100", "tmp": "tmp", "os-version": "Linux Ubuntu 22.04.4 LTS"}
[2024-04-17T12:15:35Z INFO  gpgui::portal_connector] Authenticating portal...
[2024-04-17T12:15:35Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:15:35Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:38574): WARNING **: 14:15:35.339: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=l**********%3D&RelayState=Y**********%3D
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:15:35Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T12:15:36Z INFO  gpauth::auth_window] Loaded uri: https://p**********m/SAML20/SP/ACS
[2024-04-17T12:15:36Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:15:36Z INFO  gpauth::auth_window] Got auth data from headers
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-17T12:15:36Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-17T12:15:36Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:15:36Z WARN  gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
    var respStatus = "Error";
    var respMsg = "Authentication failure: Invalid username or password";
    thisForm.inputStr.value = "";
    
    
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Gateway login failed: Gateway login error, reason: <none>
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-17T12:15:36Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:15:36Z INFO  gpapi::portal::prelogin] Prelogin with params: {"ipv6-support": "yes", "clientVer": "4100", "clientos": "Linux", "os-version": "Linux Ubuntu 22.04.4 LTS", "tmp": "tmp", "default-browser": "1", "cas-support": "yes"}
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-04-17T12:15:36Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:15:36Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:15:36Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:38659): WARNING **: 14:15:36.778: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:15:36Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:15:36Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=n**********C&RelayState=G**********%3D
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T12:15:37Z WARN  gpauth::auth_window] Failed to load uri: https://g**********m/SAML20/SP/ACS with error: UNKNOWN_CA, cert: TlsCertificate
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] Loaded uri: https://g**********m/SAML20/SP/ACS
[2024-04-17T12:15:37Z INFO  gpauth::auth_window] No response found in main resource
[2024-04-17T12:15:37Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: TLS error: certificate verify failed
[2024-04-17T12:15:37Z WARN  gpgui::portal_connector] Failed to connect to the portal: TLS error: certificate verify failed

** (gpgui:38216): WARNING **: 14:15:39.975: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-04-17T12:15:40Z INFO  gpgui::handlers::subscription] Sending the init event to client: settings
[2024-04-17T12:15:40Z INFO  gpgui::handlers::subscription] Sent the init event to client: settings
[2024-04-17T12:15:41Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Settings

** (gpgui:38216): WARNING **: 14:16:16.544: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-04-17T12:16:17Z INFO  gpgui::handlers::subscription] Sending the init event to client: main
[2024-04-17T12:16:17Z INFO  gpgui::handlers::subscription] Sent the init event to client: main
[2024-04-17T12:16:17Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect
[2024-04-17T12:16:22Z INFO  gpgui::portal_connector] Connecting to the portal: g**********m...
[2024-04-17T12:16:22Z INFO  gpgui::portal_connector] Connecting the portal as a gateway...
[2024-04-17T12:16:22Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-17T12:16:22Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:16:22Z INFO  gpapi::portal::prelogin] Prelogin with params: {"os-version": "Linux Ubuntu 22.04.4 LTS", "cas-support": "yes", "ipv6-support": "yes", "default-browser": "1", "clientos": "Linux", "tmp": "tmp", "clientVer": "4100"}
[2024-04-17T12:16:22Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-04-17T12:16:22Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:16:22Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:16:22Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:38965): WARNING **: 14:16:22.275: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:16:23Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:16:23Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=r**********%3D&RelayState=o**********%3D
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:16:24Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T12:16:25Z INFO  gpauth::auth_window] Loaded uri: https://g**********m/SAML20/SP/ACS
[2024-04-17T12:16:25Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:16:25Z INFO  gpauth::auth_window] Got auth data from headers
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
[2024-04-17T12:16:25Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-17T12:16:25Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:16:25Z INFO  gpgui::portal_connector] Gateway login succeeded, gateway: g**********m
[2024-04-17T12:16:25Z INFO  gpgui::portal_connector] Connecting to the gateway...
[2024-04-17T12:16:25Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-04-17T12:16:25Z INFO  openconnect::ffi] User agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:16:25Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-04-17T12:16:25Z INFO  openconnect::ffi] OS: linux
[2024-04-17T12:16:25Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-04-17T12:16:25Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-04-17T12:16:25Z INFO  openconnect::ffi] MTU: 0
[2024-04-17T12:16:25Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-04-17T12:16:25Z INFO  openconnect::ffi] Connected to [**********]:443
[2024-04-17T12:16:25Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-04-17T12:16:25Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-17T12:16:25Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 30 minutes.
[2024-04-17T12:16:25Z INFO  openconnect::ffi] Idle timeout is 30 minutes.
[2024-04-17T12:16:25Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-04-17T12:16:25Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-04-17T12:16:25Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum a63bfc67f0bf033d01e3835c3a8504c6.
    VPN connectivity may be disabled or limited without HIP report submission.
    You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-04-17T12:16:25Z INFO  openconnect::ffi] ESP session established with server
[2024-04-17T12:16:25Z INFO  openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-04-17T12:16:27Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-04-17T12:16:27Z INFO  gpgui::portal_connector] Connected to the gateway: g**********m
[2024-04-17T12:16:30Z INFO  gpgui::portal_connector] Disconnecting the gateway...
[2024-04-17T12:16:30Z INFO  gpservice::vpn_task] Disconnecting VPN...
[2024-04-17T12:16:30Z INFO  gpservice::vpn_task] VPN is connected, start disconnecting...
[2024-04-17T12:16:30Z INFO  openconnect::ffi] Stopping VPN connection: 14
[2024-04-17T12:16:30Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/logout.esp
[2024-04-17T12:16:30Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-04-17T12:16:30Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-17T12:16:30Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
[2024-04-17T12:16:30Z INFO  openconnect::ffi] openconnect_mainloop returned -4, exiting
[2024-04-17T12:16:30Z INFO  gpservice::vpn_task] VPN disconnected
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Connecting to the portal: p**********a...
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Failed to connect the gateway directly: No portal connection found
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Trying to connect portal with cached credential...
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Failed to connect portal with cached credential: No cached credential found for the portal
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Trying to connect the portal with prelogin...
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Performing portal prelogin...
[2024-04-17T12:17:25Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:25Z INFO  gpapi::portal::prelogin] Prelogin with params: {"clientVer": "4100", "ipv6-support": "yes", "tmp": "tmp", "default-browser": "1", "clientos": "Linux", "cas-support": "yes", "os-version": "Linux Ubuntu 22.04.4 LTS"}
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: Network error: error sending request for url (https://server/global-protect/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Temporary failure in name resolution
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Trying to connect the portal as a gateway...
[2024-04-17T12:17:25Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: p**********a...
[2024-04-17T12:17:25Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:25Z INFO  gpapi::portal::prelogin] Prelogin with params: {"cas-support": "yes", "clientos": "Linux", "default-browser": "1", "tmp": "tmp", "ipv6-support": "yes", "os-version": "Linux Ubuntu 22.04.4 LTS", "clientVer": "4100"}
[2024-04-17T12:17:25Z WARN  gpgui::portal_connector] Failed to connect to the portal: Network error: error sending request for url (https://server/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Temporary failure in name resolution
[2024-04-17T12:17:28Z INFO  gpgui::portal_connector] Connecting to the portal: p**********m...
[2024-04-17T12:17:28Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-04-17T12:17:28Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-17T12:17:28Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:28Z INFO  gpapi::portal::prelogin] Prelogin with params: {"clientVer": "4100", "clientos": "Linux", "os-version": "Linux Ubuntu 22.04.4 LTS", "tmp": "tmp", "default-browser": "1", "cas-support": "yes", "ipv6-support": "yes"}
[2024-04-17T12:17:28Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-04-17T12:17:28Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:17:28Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:17:28Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:39212): WARNING **: 14:17:28.701: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=n**********%3D&RelayState=0**********%3D
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T12:17:30Z WARN  gpauth::auth_window] Failed to load uri: https://g**********m/SAML20/SP/ACS with error: UNKNOWN_CA, cert: TlsCertificate
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] Loaded uri: https://g**********m/SAML20/SP/ACS
[2024-04-17T12:17:30Z INFO  gpauth::auth_window] No response found in main resource
[2024-04-17T12:17:30Z INFO  gpgui::portal_connector] Failed to connect the gateway directly: TLS error: certificate verify failed
[2024-04-17T12:17:30Z INFO  gpgui::portal_connector] Trying to connect portal with cached credential...
[2024-04-17T12:17:30Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-17T12:17:30Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-17T12:17:31Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:31Z WARN  gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
    var respStatus = "Error";
    var respMsg = "Authentication failure: Invalid username or password";
    thisForm.inputStr.value = "";
    
    
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Failed to connect portal with cached credential: Gateway login error, reason: <none>
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Trying to connect the portal with prelogin...
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Performing portal prelogin...
[2024-04-17T12:17:31Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:31Z INFO  gpapi::portal::prelogin] Prelogin with params: {"ipv6-support": "yes", "tmp": "tmp", "default-browser": "1", "cas-support": "yes", "os-version": "Linux Ubuntu 22.04.4 LTS", "clientVer": "4100", "clientos": "Linux"}
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Authenticating portal...
[2024-04-17T12:17:31Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:17:31Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:39292): WARNING **: 14:17:31.540: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-321h-e768cf22851a/saml2?SAMLRequest=l**********%3D&RelayState=o**********%3D
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:17:31Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:17:32Z INFO  gpauth::auth_window] Loaded uri: https://p**********m/SAML20/SP/ACS
[2024-04-17T12:17:32Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:17:32Z INFO  gpauth::auth_window] Got auth data from headers
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-17T12:17:32Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-17T12:17:32Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:32Z WARN  gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
    var respStatus = "Error";
    var respMsg = "Authentication failure: Invalid username or password";
    thisForm.inputStr.value = "";
    
    
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Gateway login failed: Gateway login error, reason: <none>
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-17T12:17:32Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T12:17:32Z INFO  gpapi::portal::prelogin] Prelogin with params: {"default-browser": "1", "tmp": "tmp", "clientos": "Linux", "clientVer": "4100", "ipv6-support": "yes", "os-version": "Linux Ubuntu 22.04.4 LTS", "cas-support": "yes"}
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-04-17T12:17:32Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T12:17:32Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T12:17:32Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:39377): WARNING **: 14:17:32.813: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T12:17:32Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T12:17:32Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-321h-e768cf22851a/saml2?SAMLRequest=n**********P&RelayState=2**********%3D
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T12:17:33Z WARN  gpauth::auth_window] Failed to load uri: https://g**********m/SAML20/SP/ACS with error: UNKNOWN_CA, cert: TlsCertificate
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] Loaded uri: https://g**********m/SAML20/SP/ACS
[2024-04-17T12:17:33Z INFO  gpauth::auth_window] No response found in main resource
[2024-04-17T12:17:33Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: TLS error: certificate verify failed
[2024-04-17T12:17:33Z WARN  gpgui::portal_connector] Failed to connect to the portal: TLS error: certificate verify fail

Owner

yuezk commented Apr 17, 2024

  1. Connected when set Gateway server, but used default (the portal address)
  2. Connected when set Portal server and used default
  3. Connected when set Gateways server and used Gateway address
  • I didn't quite understand this. Can the client connect in all the scenarios?
  • The logs confused me, looks like it is still not working under some scenarios.

There is a certificate error when authenticating; you may need to check Ignore TLS Errors on the settings page.

Author

rednag commented Apr 17, 2024

The log when "Ignore TLS Errors" is set

[2024-04-17T13:35:24Z INFO  gpgui::portal_connector] Connecting to the portal: p**********m...
[2024-04-17T13:35:24Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-04-17T13:35:24Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-17T13:35:24Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T13:35:24Z INFO  gpapi::portal::prelogin] Prelogin with params: {"os-version": "Linux Ubuntu 22.04.4 LTS", "default-browser": "1", "ipv6-support": "yes", "clientos": "Linux", "clientVer": "4100", "tmp": "tmp", "cas-support": "yes"}
[2024-04-17T13:35:24Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-04-17T13:35:24Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-04-17T13:35:24Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-17T13:35:24Z INFO  gpauth::cli] TLS errors will be ignored
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)

** (gpauth:40938): WARNING **: 15:35:24.516: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: failed to open /dev/dri/card0: Permission denied

libEGL warning: DRI2: could not open /dev/dri/card0 (Permission denied)
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/42cb905-2091-12f4-321h-e768cf22851a/saml2?SAMLRequest=n**********%3D&RelayState=w**********%3D
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-17T13:35:24Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-17T13:35:25Z INFO  gpauth::auth_window] Loaded uri: https://g**********m/SAML20/SP/ACS
[2024-04-17T13:35:25Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-17T13:35:25Z INFO  gpauth::auth_window] Got auth data from headers
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
[2024-04-17T13:35:25Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-17T13:35:25Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T13:35:25Z INFO  gpgui::portal_connector] Gateway login succeeded, gateway: g**********m
[2024-04-17T13:35:25Z INFO  gpgui::portal_connector] Connecting to the gateway...
[2024-04-17T13:35:25Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-04-17T13:35:25Z INFO  openconnect::ffi] User agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-17T13:35:25Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-04-17T13:35:25Z INFO  openconnect::ffi] OS: linux
[2024-04-17T13:35:25Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-04-17T13:35:25Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-04-17T13:35:25Z INFO  openconnect::ffi] MTU: 0
[2024-04-17T13:35:25Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-04-17T13:35:25Z INFO  openconnect::ffi] Connected to [**********]:443
[2024-04-17T13:35:25Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-04-17T13:35:25Z INFO  openconnect::ffi] Server certificate verify failed: signer not found
[2024-04-17T13:35:25Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-04-17T13:35:25Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-17T13:35:25Z WARN  openconnect::ffi] Matching client config not found
[2024-04-17T13:35:25Z WARN  openconnect::ffi] openconnect_make_cstp_connection failed
[2024-04-17T13:35:25Z WARN  gpgui::portal_connector] Failed to connect to the gateway: g**********m

  1. Not connected when set to Gateway server, but used default (the portal address)
  2. Not connected when set to Portal server and used default
  3. Connected when set to Gateway server and used Gateway address

@yuezk
Owner

yuezk commented Apr 17, 2024

The TLS errors occur during authentication; Ignore TLS Errors should not impact the connection status. Feel free to uncheck it.

Setting it to Gateway server and using the Gateway address will instruct the 2.x client to perform the same workflow as the old one, so you can use this preference.

@rednag
Author

rednag commented Apr 17, 2024

TLS errors occur and the connection is not established.

In the old client I used the portal server and was able to choose the gateway from a list, or the portal responded with the nearest gateway server.

@yuezk
Owner

yuezk commented Apr 17, 2024

Looks like you have two gateways and one portal. It is problematic when connecting as a portal server. The reason is not very clear; I found some error messages I have never seen.

[2024-04-17T13:35:25Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-04-17T13:35:25Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-17T13:35:25Z WARN  openconnect::ffi] Matching client config not found

Your gateway might need the client certificates to authenticate when using the portal server.


But anyway, do as follows:

  1. Disable Ignore TLS Errors
  2. Remove the portal server previously added.
  3. Set it to Gateway Server and input the gateway1.xxx.com, then connect
  4. Set it to Gateway Server and input the gateway2.xxx.com, then connect
  5. Then in the input dropdown list, you can select which gateway to connect based on your needs.

Hope this works for you.

@rednag
Author

rednag commented Apr 17, 2024

Weird since it works with 1.4.8.

We are talking about 25 different Gateway servers...

@yuezk
Owner

yuezk commented Apr 17, 2024

> We are talking about 25 different Gateway servers...

You mean that you have 25 gateways? But I only find 2 gateway logs in the log file.

@rednag
Author

rednag commented Apr 18, 2024

Yes - in the previous version all of those were shown in a drop down or list. Mainly I use two of them, but it depends on the location.

@rednag
Author

rednag commented Apr 18, 2024

** (gpauth:45821): WARNING **: 07:48:28.987: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-04-18T05:48:30Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-04-18T05:48:30Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/442cb905-2091-12f4-90b9-e768cf22851a/saml2?SAMLRequest=l**********%3D&RelayState=C**********%3D
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Raise window cancelled
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Loaded uri: https://p**********m/SAML20/SP/ACS
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-18T05:48:31Z INFO  gpauth::auth_window] Got auth data from headers
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-04-18T05:48:31Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Retrieved 2 gateway(s) from the portal, updating...
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********m...
[2024-04-18T05:48:31Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Gateway login failed: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********m...
[2024-04-18T05:48:31Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-18T05:48:31Z INFO  gpapi::portal::prelogin] Prelogin with params: {"tmp": "tmp", "clientos": "Linux", "os-version": "Linux Ubuntu 22.04.4 LTS", "default-browser": "1", "ipv6-support": "yes", "cas-support": "yes", "clientVer": "4100"}
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: Network error: error sending request for url (https://yyy.xxx.com/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Trying to connect the portal as a gateway...
[2024-04-18T05:48:31Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: p**********m...
[2024-04-18T05:48:31Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-04-18T05:48:31Z INFO  gpapi::portal::prelogin] Prelogin with params: {"cas-support": "yes", "clientVer": "4100", "clientos": "Linux", "os-version": "Linux Ubuntu 22.04.4 LTS", "tmp": "tmp", "ipv6-support": "yes", "default-browser": "1"}
[2024-04-18T05:48:32Z WARN  gpgui::portal_connector] Failed to connect to the portal: Portal prelogin error: Prelogin failed: GlobalProtect gateway does not exist

Has it something to do with ipv6?! I just remember some issues I had with OpenVPN and IPv6.

@yuezk
Owner

yuezk commented Apr 18, 2024

@rednag The new client may have a flaw in parsing the gateways in the portal config. Can you help get the portal configuration with the following steps?

  1. Save the following script as portal_config.sh

    #!/usr/bin/env bash

    set -e

    # PORTAL must be set to the portal hostname (see step 2)
    : "${PORTAL:?Set PORTAL to your portal hostname}"

    # Get the auth token
    json=$(gpauth --fix-openssl "$PORTAL")

    # Extract the prelogin cookie and the username from the gpauth JSON output
    cookie=$(echo "$json" | jq -r '.success.preloginCookie')
    user=$(echo "$json" | jq -r '.success.username')

    # Get the portal config
    curl -X POST \
      "https://$PORTAL/global-protect/getconfig.esp" \
      --header 'Accept: */*' \
      --header 'User-Agent: PAN GlobalProtect' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'prot=https:' \
      --data-urlencode 'jnlpReady=jnlpReady' \
      --data-urlencode 'ok=Login' \
      --data-urlencode 'direct=yes' \
      --data-urlencode 'ipv6-support=yes' \
      --data-urlencode 'inputStr=' \
      --data-urlencode 'clientVer=4100' \
      --data-urlencode 'cas-support=yes' \
      --data-urlencode "user=$user" \
      --data-urlencode "prelogin-cookie=$cookie"

  2. Run the following command: PORTAL=your.vpn.portal.com bash path/to/portal_config.sh

  3. Collect the output and send it to me
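Before portal config output like this is pasted into a public issue, it can be masked the same way the logs in this thread are. The helper below is an added example, not part of the thread or the project's code; the XML layout, the tag names and the function names `mask` and `sanitize_portal_config` are assumptions, since the response format is not shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: secrets live in elements whose tag mentions cookie/password/token
# (e.g. portal-userauthcookie); this page does not show the response layout.
SECRET_TAG = re.compile(r"cookie|passw|secret|token", re.IGNORECASE)


def mask(value):
    """Mask a hostname the way the logs in this thread do: g**********m."""
    value = value.strip()
    return value[0] + "*" * 10 + value[-1] if len(value) > 1 else "*"


def sanitize_portal_config(xml_text):
    """Return (sanitized_xml, gateways) with gateways as (kind, masked_name)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if SECRET_TAG.search(el.tag) and (el.text or "").strip():
            el.text = "REDACTED"
    gateways = []
    for gws in root.iter("gateways"):
        for kind in gws:  # <external> or <internal>
            # Direct <list>/<entry> children only, so the nested
            # <priority-rule> entries are not counted as gateways.
            for entry in kind.findall("list/entry"):
                if entry.get("name"):
                    entry.set("name", mask(entry.get("name")))
                    gateways.append((kind.tag, entry.get("name")))
    return ET.tostring(root, encoding="unicode"), gateways


# Constructed sample: made-up values, assumed layout.
SAMPLE = """<policy>
  <portal-userauthcookie>c2VjcmV0LWNvb2tpZQ==</portal-userauthcookie>
  <gateways><external><list>
    <entry name="gateway1.example.com">
      <priority-rule><entry name="Any"><priority>1</priority></entry></priority-rule>
    </entry>
    <entry name="gateway2.example.com">
      <priority-rule><entry name="Any"><priority>2</priority></entry></priority-rule>
    </entry>
  </list></external></gateways>
</policy>"""

if __name__ == "__main__":
    sanitized, found = sanitize_portal_config(SAMPLE)
    print(sanitized)
    print(len(found), "gateway(s) found:", found)
```

The gateway count it reports can be compared with the "Retrieved N gateway(s) from the portal" log line to see whether the client and the portal response agree.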

@rednag
Author

rednag commented Apr 23, 2024

Sorry, my trial period ended and therefore I cannot test it further.

@yuezk
Owner

yuezk commented Apr 27, 2024

Hi @rednag, understood. But the CLI version has feature parity with the GUI version. The script in my last comment still makes sense.
