Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Internal Gateway Detection not working, preventing connection #377

Open
nfacha opened this issue Jun 18, 2024 · 7 comments · Fixed by #384
Open

Internal Gateway Detection not working, preventing connection #377

nfacha opened this issue Jun 18, 2024 · 7 comments · Fixed by #384

Comments

@nfacha
Copy link

nfacha commented Jun 18, 2024

Describe the bug
When connecting to a GP server wich has a internal and external gateway, and we are on the outside (where the DNS for the internal zone won't resolve) the client tries to connect to the internal one (which will fail) instead of the external one

Expected behavior
When on the outside, connect to the external GW, when on the inside connect to the internal GW
This is, when the PTR record for the internal detection resolves it should connect to gp-internal.xxxx.pt, when it does not resolve it should connect to gp.xxxx.pt

Logs

[2024-06-18T08:53:02Z INFO  gpservice::cli] gpservice started: 2.3.1 (2024-05-22)
[2024-06-18T08:53:02Z INFO  gpservice::ws_server] WS server listening on port: 42001
[2024-06-18T08:53:02Z INFO  gpapi::process::gui_launcher] Version check passed: 2.3.1
[2024-06-18T08:53:02Z INFO  gpapi::process::gui_launcher] Launching gpgui
[2024-06-18T08:53:02Z INFO  gpgui::cli] gpgui started: 2.3.1 (2024-05-22)
[2024-06-18T08:53:02Z INFO  gpgui::app] Setting the custom openssl conf path
[2024-06-18T08:53:02Z INFO  gpgui::config::private_data] Loaded config key from keyring
[2024-06-18T08:53:02Z INFO  gpgui::app::app_initializer] App initialized
[2024-06-18T08:53:02Z INFO  gpgui::ws_connector] Connecting to WS server
[2024-06-18T08:53:02Z INFO  gpgui::portal_connector] Auto connecting to the portal...
[2024-06-18T08:53:02Z INFO  gpgui::ws_connector] Received ping
[2024-06-18T08:53:02Z INFO  gpgui::ws_connector] Connected to WS server
[2024-06-18T08:53:02Z INFO  gpservice::handlers] New client connected
[2024-06-18T08:53:02Z INFO  gpservice::ws_server] Sending current VPN state to new client
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Connecting to the portal: g**********t...
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Try login the gateway with prelogin...
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: g**********t...
[2024-06-18T08:53:03Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 20.04.6 LTS)
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Failed to connect the gateway directly: Network error: error sending request for url (https://gp-internal.xxxxxxxx.pt/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Trying to connect portal with cached credential...
[2024-06-18T08:53:03Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-06-18T08:53:03Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 20.04.6 LTS)
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Retrieved 1 gateway(s) from the portal, updating...
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Performing gateway login, gateway: g**********t...
[2024-06-18T08:53:04Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 20.04.6 LTS)
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Failed to connect portal with cached credential: Network error: error sending request for url (https://gp-internal.xxxxxxxx.pt/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Trying to connect the portal with prelogin...
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Performing portal prelogin...
[2024-06-18T08:53:04Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 20.04.6 LTS)
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Authenticating portal...
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Fetching the portal config...
[2024-06-18T08:53:04Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 20.04.6 LTS)
[2024-06-18T08:53:04Z WARN  gpapi::portal::config] GP response error: reason=auth-failed, status=512 <unknown status code>, body=<empty>
[2024-06-18T08:53:04Z INFO  gpgui::portal_connector] Failed to connect the portal with prelogin: Cached credential is stale, please try again
[2024-06-18T08:53:04Z WARN  gpgui::portal_connector] Failed to connect to the portal: Cached credential is stale, please try again
[2024-06-18T08:53:05Z INFO  gpgui::handlers::subscription] Sending the init event to client: main
[2024-06-18T08:53:05Z INFO  gpgui::handlers::subscription] Sent the init event to client: main
[2024-06-18T08:53:06Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect
[2024-06-18T08:53:09Z INFO  gpgui::handlers::subscription] Sending the init event to client: settings
[2024-06-18T08:53:09Z INFO  gpgui::handlers::subscription] Sent the init event to client: settings

Environment:

  • OS: Ubuntu 20.04.6 LTS
  • Desktop Environment: Gnome
  • Is remote SSH? Local Machine
@yuezk
Copy link
Owner

yuezk commented Jun 20, 2024

This could be an enhancement from my understanding. Currently, it will try to connect to the last used gateway when connecting.

@ruben-rodriguez
Copy link
Contributor

I don't want to steal this thread, but I'm also curious about the internal host detection mechanism integration, is it supported at all?

Whenever I perform the connection and auth to the portal, I only get internal gateways in the response (of course not working from outside). I see no trace of internal host detection being performed...

$: gpclient connect --default-browser <portal>

[2024-06-25T11:42:49Z INFO  gpclient::cli] gpclient started: 2.3.3 (2024-06-23)
[2024-06-25T11:42:49Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-06-25T11:42:50Z INFO  gpauth::cli] gpauth started: 2.3.3 (2024-06-23)
[2024-06-25T11:42:50Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-06-25T11:42:50Z INFO  gpclient::connect] Waiting for the browser authentication to complete...
[2024-06-25T11:42:50Z INFO  gpclient::connect] Listening authentication data on port 44961
[2024-06-25T11:42:51Z INFO  gpclient::connect] Received the browser authentication data from the socket
[2024-06-25T11:42:51Z INFO  gpapi::auth] Parsing SAML auth data...
[2024-06-25T11:42:51Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
? Which gateway do you want to connect to?
> internal (internal.internal.com)
  internal2 (internal2.internal.com)

@swwolf
Copy link

swwolf commented Jun 26, 2024
edited
Loading

I am having the exact same issue, thus I can not connect to the VPN from home. I get a list of internal gateways which do not resolve from the outside. There should be a list of external gateways.
Looks like this for me:

sudo -E gpclient connect --default-browser portal.xxx.com
[2024-06-26T18:58:14Z INFO  gpclient::cli] gpclient started: 2.3.3 (2024-06-23)
[2024-06-26T18:58:14Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-06-26T18:58:14Z INFO  gpauth::cli] gpauth started: 2.3.3 (2024-06-23)
[2024-06-26T18:58:14Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-06-26T18:58:14Z INFO  gpclient::connect] Waiting for the browser authentication to complete...
[2024-06-26T18:58:14Z INFO  gpclient::connect] Listening authentication data on port 42305
[2024-06-26T18:58:22Z INFO  gpclient::connect] Received the browser authentication data from the socket
[2024-06-26T18:58:22Z INFO  gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-06-26T18:58:22Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
> Which gateway do you want to connect to? Internal XXX (xx01.int.xxx.com)
[2024-06-26T18:58:41Z INFO  gpclient::connect] Connecting to the selected gateway: Internal XXX (xx01.int.xxx.com)
[2024-06-26T18:58:41Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-06-26T18:58:42Z INFO  gpclient::connect] Gateway login failed: Network error: error sending request for url (https://xx01.int.xxx.com/ssl-vpn/login.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-06-26T18:58:42Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-06-26T18:58:42Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
[2024-06-26T18:58:42Z INFO  gpclient::connect] Failed to connect portal with prelogin: Network error: error sending request for url (https://xx01.int.xxx.com/ssl-vpn/prelogin.esp): error trying to connect: dns error: failed to lookup address information: Name or service not known
[2024-06-26T18:58:42Z INFO  gpclient::connect] Trying the gateway authentication workflow...
[2024-06-26T18:58:42Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-06-26T18:58:42Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
[2024-06-26T18:58:42Z WARN  gpapi::portal::prelogin] Parse response error, response: <?xml version="1.0" encoding="UTF-8" ?>
    <prelogin-response>
    <status>Error</status>
    <ccusername></ccusername>
    <autosubmit></autosubmit>
    <msg>GlobalProtect gateway does not exist</msg>
    <newmsg></newmsg>
    <license>yes</license>
    <authentication-message></authentication-message>
    <username-label></username-label>
    <password-label></password-label>
    <panos-version>1</panos-version>
    <saml-default-browser>yes</saml-default-browser><auth-api>no</auth-api><region></region>
    </prelogin-response>

Error: Prelogin error: GlobalProtect gateway does not exist

@agriffit79
Copy link

I'm hitting the same issue

Error: Prelogin error: GlobalProtect gateway does not exist

@yuezk
Copy link
Owner

yuezk commented Jul 1, 2024

@ruben-rodriguez

I don't want to steal this thread, but I'm also curious about the internal host detection mechanism integration, is it supported at all?

The client doesn't support internal host detection. It could be a behavior of the VPN portal server if you see the internal gateways when using the internal network. I suppose it will return the outer gateways if you use the outside network.

@swwolf @agriffit79 Do your company has multiple portal addresses? Does the official client for Windows or macOS work with the same portal address?

@ruben-rodriguez ruben-rodriguez mentioned this issue Jul 1, 2024
Merged
@swwolf
Copy link

swwolf commented Jul 2, 2024

My company only has one portal address and it works with the official client for Linux. That client shows a different list of Gateways (which are publicly resolvable).

@yuezk yuezk closed this as completed in #384 Jul 2, 2024
@yuezk
Copy link
Owner

yuezk commented Jul 2, 2024

Reopen this issue since the changes in #384 haven't been released yet.

@yuezk yuezk reopened this Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add internal host detection support ruben-rodriguez/GlobalProtect-openconnect
5 participants
@ruben-rodriguez @yuezk @nfacha @swwolf @agriffit79