Troubleshoot Clientless VPN

Because this feature dynamically rewrites HTML applications, the HTML content of some applications may not rewrite correctly, which breaks the application. If issues occur, use the commands in the following table to help identify the likely cause.

Table: Clientless VPN Troubleshooting Commands (columns: Action, Command)

CLI Commands
Action:  List the version of Clientless VPN dynamic content being used.
         You can also view the dynamic update version from Device > Dynamic Updates > GlobalProtect Clientless VPN.
Command:
  show system setting ssl-decrypt memory
Output:
  proxy uses shared allocator
  SSL certificate cache:
    Current Entries: 1
    Allocated 1, Freed 0
  Current CRE (61-62) : 3456 KB (Actual 3343 KB)
  Last CRE (60-47)    : 3328 KB (Actual 3283 KB)
In this example, the current dynamic update is version 61-62, and the last installed dynamic update is version 60-47.
Action:  List active (current) users of Clientless VPN.
Command:
  show global-protect-portal current-user portal GPClientlessPortal filter-user all-users
Output:
  GlobalProtect Portal              : GPClientlessPortal
  Vsys-Id                           : 1
  User                              : paloaltonetworks.com\johndoe
  Session-id                        : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
  Client-IP                         : 5.5.5.5
  Inactivity Timeout                : 1800
  Seconds before inactivity timeout : 1750
  Login Lifetime                    : 10800
  Seconds before login lifetime     : 10748
  Total number of user sessions: 1
Action:  Show DNS resolution results.
         This is useful for determining whether there are DNS issues. When a DNS issue exists, an FQDN that could not be resolved is shown in the querying state in the CLI output.
Command:
  show system setting ssl-decrypt dns-cache
Output:
  Total DNS cache entries: 89
  Site                     IP               Expire(secs)  Interface
  bugzilla.panw.local      10.0.2.15        querying      0
  www.google.com           216.58.216.4     Expired       0
  stats.g.doubleclick.net  74.125.199.154   Expired       0
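On a busy portal the dns-cache listing runs to dozens of entries, so it helps to filter it for the state the text above describes. The following is an added example, not code from the PAN-OS documentation or the product: it parses a saved copy of the `show system setting ssl-decrypt dns-cache` output and returns the sites whose lookup is still in the querying state. The sample text reuses the three entries shown on this page, re-flowed one entry per line; the function names are assumptions of this example.

```python
import re

# Sample "show system setting ssl-decrypt dns-cache" output. The three entries are the
# ones shown on this page, re-flowed one entry per line (constructed layout).
SAMPLE_DNS_CACHE = """\
Total DNS cache entries: 89
Site                     IP               Expire(secs)  Interface
bugzilla.panw.local      10.0.2.15        querying      0
www.google.com           216.58.216.4     Expired       0
stats.g.doubleclick.net  74.125.199.154   Expired       0
"""


def parse_dns_cache(text):
    """Parse the dns-cache listing into (total_entries, [entry, ...]).

    Each entry is a dict with the four columns of the listing: site, ip,
    expire (a number of seconds, 'Expired' or 'querying') and interface.
    """
    total = None
    entries = []
    for line in text.splitlines():
        m = re.match(r"Total DNS cache entries:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        parts = line.split()
        # Skip the header row and anything that is not a four-column entry.
        if len(parts) != 4 or parts[0] == "Site":
            continue
        site, ip, expire, interface = parts
        entries.append({"site": site, "ip": ip, "expire": expire, "interface": interface})
    return total, entries


def unresolved_sites(entries):
    """Sites whose lookup is still 'querying': the page's indicator of a DNS problem."""
    return [e["site"] for e in entries if e["expire"].lower() == "querying"]


if __name__ == "__main__":
    total, entries = parse_dns_cache(SAMPLE_DNS_CACHE)
    print(f"{total} cache entries reported, {len(entries)} listed")
    for site in unresolved_sites(entries):
        print(f"unresolved: {site}")
```

Run it against a file saved from the CLI (for example, `parse_dns_cache(open("dns-cache.txt").read())`) to get the list of FQDNs the firewall cannot resolve for the rewrite engine; compare those names against the DNS server and DNS proxy settings the Clientless VPN portal uses.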
Action:  Show all Clientless VPN user sessions and the cookies stored for them.
Command:
  show system setting ssl-decrypt gp-cookie-cache
Output:
  User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0, Client-ip: 199.167.55.50
Action:  Show rewrite statistics.
         This is useful for checking the health of the Clientless VPN rewrite engine. Refer to the Rewrite Engine Statistics table at the end of this page for the meaning or purpose of each statistic.
Command:
  show system setting ssl-decrypt rewrite-stats
Output:
  Rewrite Statistics
    initiate_connection           : 11938
    setup_connection              : 11909
    session_notify_mismatch       : 1
    reuse_connection              : 37
    file_end                      : 4719
    packet                        : 174257
    packet_mismatch_session       : 1
    peer_queue_update_rcvd        : 167305
    peer_queue_update_sent        : 167305
    peer_queue_update_rcvd_failure: 66
    setup_connection_r            : 11910
    packet_mismatch_session_r     : 22
    pkt_no_dest                   : 23
    cookie_suspend                : 2826
    cookie_resume                 : 2826
    decompress                    : 26
    decompress_freed              : 26
    dns_resolve_timeout           : 27
    stop_openend_response         : 43
    received_fin_for_pending_req  : 26
  Destination Statistics
    To mp   : 4015
    To site : 12018
    To dp   : 17276
  Return Codes Statistics
    ABORT                : 18
    RESET                : 30
    PROTOCOL_UNSUPPORTED : 7
    DEST_UNKNOWN         : 10
    CODE_DONE            : 52656
    DATA_GONE            : 120359
    SWITCH_PARSER        : 48
    INSERT_PARSER        : 591
    SUSPEND              : 2826
  Total Rewrite Bytes    : 611111955
  Total Rewrite Useconds : 6902825
  Total Rewrite Calls    : 176545
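The rewrite-stats output is long and the useful signals are the failure counters and the two consistency rules the statistics table on this page states (setup_connection_r should match initiate_connection and setup_connection; cookie_resume generally matches cookie_suspend). The following is an added example, not code from the PAN-OS documentation or the product: it parses a saved copy of the output into a dictionary and applies those rules plus a non-zero check on the counters the table describes as failures, mismatches or timeouts. The sample text is the page's own output re-flowed one counter per line; `ERROR_COUNTERS`, the function names and the average-time calculation are assumptions of this example rather than anything the product exposes.

```python
import re

# "show system setting ssl-decrypt rewrite-stats" output using the counter values printed
# on this page, re-flowed one counter per line (constructed layout, page's numbers).
SAMPLE_REWRITE_STATS = """\
Rewrite Statistics
initiate_connection : 11938
setup_connection : 11909
session_notify_mismatch : 1
reuse_connection : 37
file_end : 4719
packet : 174257
packet_mismatch_session : 1
peer_queue_update_rcvd : 167305
peer_queue_update_sent : 167305
peer_queue_update_rcvd_failure: 66
setup_connection_r : 11910
packet_mismatch_session_r : 22
pkt_no_dest : 23
cookie_suspend : 2826
cookie_resume : 2826
decompress : 26
decompress_freed : 26
dns_resolve_timeout : 27
stop_openend_response : 43
received_fin_for_pending_req : 26
Destination Statistics
To mp : 4015
To site : 12018
To dp : 17276
Return Codes Statistics
ABORT : 18
RESET : 30
PROTOCOL_UNSUPPORTED : 7
DEST_UNKNOWN : 10
CODE_DONE : 52656
DATA_GONE : 120359
SWITCH_PARSER : 48
INSERT_PARSER : 591
SUSPEND : 2826
Total Rewrite Bytes : 611111955
Total Rewrite Useconds : 6902825
Total Rewrite Calls : 176545
"""

# Counters that the Rewrite Engine Statistics table on this page describes as failures,
# mismatches or timeouts (this grouping is an assumption of the example). Non-zero is notable.
ERROR_COUNTERS = {
    "initiate_connection_failure", "setup_connection_failure", "setup_connection_duplicate",
    "session_notify_mismatch", "packet_mismatch_session", "peer_queue_update_rcvd_failure",
    "peer_queue_update_sent_failure", "exceed_pkt_queue_limit", "proxy_connection_failure",
    "setup_connection_duplicate_r", "setup_connection_failure_r", "session_notify_mismatch_r",
    "packet_mismatch_session_r", "exceed_pkt_queue_limit_r", "unknown_dest", "pkt_no_dest",
    "decompress_failure", "memory_alloc_failure", "dns_resolve_timeout",
    "setup_site_conn_failure", "site_dns_invalid", "site_from_referer", "unmatched_http_state",
}

COUNTER_RE = re.compile(r"^(.+?)\s*:\s*(\d+)$")


def parse_rewrite_stats(text):
    """Flatten every 'name : value' line into one {name: int} dict; section headers are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def rewrite_health(counters):
    """Return human-readable findings derived from the guidance on this page."""
    findings = []
    for name in sorted(ERROR_COUNTERS):
        if counters.get(name, 0) > 0:
            findings.append(f"{name} = {counters[name]}")
    # The statistics table says setup_connection_r should match initiate_connection
    # and setup_connection.
    r = counters.get("setup_connection_r")
    if r is not None:
        for peer in ("initiate_connection", "setup_connection"):
            if peer in counters and counters[peer] != r:
                findings.append(f"setup_connection_r ({r}) != {peer} ({counters[peer]})")
    # The statistics table says cookie_resume generally matches cookie_suspend.
    if counters.get("cookie_suspend") != counters.get("cookie_resume"):
        findings.append(
            f"cookie_suspend ({counters.get('cookie_suspend')}) != "
            f"cookie_resume ({counters.get('cookie_resume')})"
        )
    return findings


def avg_rewrite_usec_per_call(counters):
    """Mean microseconds per rewrite call, from the two totals at the end of the output."""
    calls = counters.get("Total Rewrite Calls", 0)
    return counters.get("Total Rewrite Useconds", 0) / calls if calls else 0.0


if __name__ == "__main__":
    stats = parse_rewrite_stats(SAMPLE_REWRITE_STATS)
    for finding in rewrite_health(stats):
        print(finding)
    print(f"average rewrite time: {avg_rewrite_usec_per_call(stats):.1f} us/call")
```

On the page's own numbers the checker reports the six non-zero error counters (including the 27 DNS timeouts and 66 peer-queue receive failures) and notes that setup_connection_r (11910) differs from both initiate_connection (11938) and setup_connection (11909), which is the kind of gap worth correlating with the dns-cache output and the debug logs. Counters are cumulative since the last reset, so diff two snapshots taken a few minutes apart when you want to see what is happening now rather than what has happened since boot.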
Debug Commands

Action:  Enable debug logs on the firewall running the Clientless VPN Portal.
Commands:
  debug dataplane packet-diag set log feature ssl all
  debug dataplane packet-diag set log feature misc all
  debug dataplane packet-diag set log feature proxy all
  debug dataplane packet-diag set log feature flow basic
  debug dataplane packet-diag set log on
Action:  Enable packet capture on the firewall running the Clientless VPN Portal.
Commands:
  debug dataplane packet-diag set capture username <portal-username>
  debug dataplane packet-diag set capture stage clientless-vpn-client file <clientless-vpn-client-file>
  debug dataplane packet-diag set capture stage clientless-vpn-server file <clientless-vpn-server-file>
  debug dataplane packet-diag set capture stage firewall file <firewall-file>
  debug dataplane packet-diag set capture stage receive file <receive-file>
  debug dataplane packet-diag set capture stage transmit file <transmit-file>
  debug dataplane packet-diag set capture on
When you execute packet capture commands, a consent page appears after end users log in to the Clientless VPN portal, informing them that the packets captured during their user session will contain unencrypted (clear-text) data. If users consent to the packet capture session, they then proceed to the applications landing page, where packet capture begins. If users do not consent to the packet capture session, they are logged out of the Clientless VPN portal and must contact an administrator to proceed with a regular user session (without packet capture).
If you execute packet capture commands for user sessions that are already in progress, those users are automatically logged out of the Clientless VPN portal and must log back in to accept or decline the packet capture session.
Action:  Show packet capture files.
Command:
  debug dataplane packet-diag show setting
Output:
  ----------------------------------------------------------
  Packet diagnosis setting:
  ----------------------------------------------------------
  Packet filter
    Enabled:                   no
    Match pre-parsed packet:   no
  ----------------------------------------------------------
  Logging
    Enabled:                   no
    Log-throttle:              no
    Sync-log-by-ticks:         yes
    Features:
    Counters:
  ----------------------------------------------------------
  Packet capture
    Enabled:                   yes
    Snaplen:                   0
    Username:                  test1
    Stage clientless-vpn-client: file client.pcap
      Captured:                packets - 3558    bytes - 11366322
      Maximum:                 packets - 0       bytes - 0
    Stage clientless-vpn-server: file server.pcap
      Captured:                packets - 1779    bytes - 5651923
      Maximum:                 packets - 0       bytes - 0
  ----------------------------------------------------------
Action:  Export packet capture files to a Secure Copy (SCP) server.
Command:
  scp export filter-pcap
  + remote-port   SSH port number on remote host
  + source-ip     Set source address to specified interface address
  * from          from
  * to            Destination (username@host:path)

  scp export filter-pcap from <source-file> to <scp-server>
  where <scp-server> is the destination in the form username@host:path.
Table: Rewrite Engine Statistics

Statistic                        Description
initiate_connection_failure      Connection initiation failed to back-end host
setup_connection_failure         Connection setup failed
setup_connection_duplicate       Duplicate peer session exists
session_notify_mismatch          Mostly invalid session
packet_mismatch_session          Failed to find right session for incoming packet
peer_queue_update_rcvd_failure   Session was invalid when packet update received by peer
peer_queue_update_sent_failure   Failed to send packet updates to peer or failed to send packet queue length updates to peer
exceed_pkt_queue_limit           Too many packets queued
proxy_connection_failure         Proxy connection failed
setup_connection_r               Installing the peer session to the application server. This value should match the values for initiate_connection and setup_connection.
setup_connection_duplicate_r     Duplicate sessions already in proxy
setup_connection_failure_r       Failed to set up the peer session
session_notify_mismatch_r        Peer session not found
packet_mismatch_session_r        Peer session not found when trying to get the packet
exceed_pkt_queue_limit_r         Too many packets held
unknown_dest                     Failed to find destination host
pkt_no_dest                      No destination for this packet
cookie_suspend                   Suspended session to fetch cookies
cookie_resume                    Received response from MP with updated cookies. This value generally matches the value of cookie_suspend.
decompress_failure               Failed to decompress
memory_alloc_failure             Failed to allocate memory
wait_for_dns_resolve             Suspended session to resolve DNS requests
dns_resolve_reschedule           Rescheduled DNS query due to no response (retry before timeout)
dns_resolve_timeout              DNS query timeout
setup_site_conn_failure          Failed to set up connection to site (proxy, DNS)
site_dns_invalid                 DNS resolve failed
multiple_multipart               Multi-part content-type processed
site_from_referer                Received the back-end host from the referrer. This can indicate failed rewrite links from Flash or other content that Clientless VPN does not rewrite.
received_fin_for_pending_req     Received FIN from server for pending request from client
unmatched_http_state             Unexpected HTTP content. This can indicate an issue parsing the HTTP headers or body.
