>
    Strata Copilot
    Troubleshoot Clientless VPN
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Clientless VPN
    5. Troubleshoot Clientless VPN
    Download PDF
    GlobalProtect

    Troubleshoot Clientless VPN

    Table of Contents

    Troubleshoot Clientless VPN

    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    Because this feature involves dynamic re-writing of HTML applications, the HTML content for some applications may not re-write correctly and break the application. If issues occur, use the commands in the following table to help you identify the likely cause:
    Table: Rewrite Engine Statistics
    Action
    Command
    CLI Commands
    List the version of Clientless VPN dynamic content being used
    You can also view the dynamic update version from the DeviceDynamic UpdatesGlobalProtect Clientless VPN.
    show system setting ssl-decrypt memory 
proxy uses shared allocator
SSL certificate cache:
        Current Entries: 1
        Allocated 1, Freed 0
Current CRE (61-62)           : 3456   KB (Actual 3343   KB)
Last CRE (60-47)              : 3328   KB (Actual 3283   KB)
    In this example, the current dynamic update is version 61-62, and the last installed dynamic update is version 60-47.
    List active (current) users of Clientless VPN
    show global-protect-portal current-user portal GPClientlessPortal filter-user all-users 

GlobalProtect Portal              : GPClientlessPortal
Vsys-Id                           : 1
User                              : paloaltonetworks.com\johndoe
Session-id                        : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP                         : 5.5.5.5
Inactivity Timeout                : 1800
Seconds before inactivity timeout : 1750
Login Lifetime                    : 10800
Seconds before login lifetime     : 10748


Total number of user sessions: 1
    Show DNS resolution results
    This can be useful to determine if there are DNS issues. If there is a DNS issue, you will notice querying against an FQDN that was not resolvable in the CLI output.
    show system setting ssl-decrypt dns-cache 
  
Total DNS cache entries: 89 
Site                     IP              Expire(secs)   Interface 
bugzilla.panw.local      10.0.2.15       querying       0 
www.google.com           216.58.216.4    Expired        0 
stats.g.doubleclick.net  74.125.199.154  Expired        0
    Show all Clientless VPN user sessions and cookies stored
    show
system setting ssl-decrypt gp-cookie-cache 
  
User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0,
Client-ip: 199.167.55.50
    Show rewrite-stats
    This is useful to identify the health of the Clientless VPN rewrite engine.
    Refer to Troubleshoot Clientless VPN for information on rewrite statistics and their meaning or purpose.
    show system setting ssl-decrypt rewrite-stats 
 
Rewrite Statistics 
        initiate_connection           : 11938 
        setup_connection              : 11909 
        session_notify_mismatch       : 1 
        reuse_connection              : 37 
        file_end                      : 4719 
        packet                        : 174257 
        packet_mismatch_session       : 1 
        peer_queue_update_rcvd        : 167305 
        peer_queue_update_sent        : 167305 
        peer_queue_update_rcvd_failure: 66 
        setup_connection_r            : 11910 
        packet_mismatch_session_r     : 22 
        pkt_no_dest                   : 23 
        cookie_suspend                : 2826 
        cookie_resume                 : 2826 
        decompress                    : 26 
        decompress_freed              : 26 
        dns_resolve_timeout           : 27 
        stop_openend_response         : 43 
        received_fin_for_pending_req  : 26 
Destination Statistics 
        To mp                         : 4015 
        To site                       : 12018 
        To dp                         : 17276 
Return Codes Statistics 
        ABORT                         : 18 
        RESET                         : 30 
        PROTOCOL_UNSUPPORTED          : 7 
        DEST_UNKNOWN                  : 10 
        CODE_DONE                     : 52656 
        DATA_GONE                     : 120359 
        SWITCH_PARSER                 : 48 
        INSERT_PARSER                 : 591 
        SUSPEND                       : 2826 
        Total Rewrite Bytes           : 611111955 
        Total Rewrite Useconds        : 6902825 
        Total Rewrite Calls           : 176545
    Debug Commands
    Enable debug logs on the firewall running Clientless VPN Portal
    debug dataplane packet-diag set log feature ssl all 
debug dataplane packet-diag set log feature misc all 
debug dataplane packet-diag set log feature proxy all 
debug dataplane packet-diag set log feature flow basic 
debug dataplane packet-diag set log on
    Enable packet capture on the firewall running the Clientless VPN Portal
    debug dataplane packet-diag set capture username <portal-username>
debug dataplane packet-diag set capture stage clientless-vpn-client file <clientless-vpn-client-file>
debug dataplane packet-diag set capture stage clientless-vpn-server file <clientless-vpn-server-file> 
debug dataplane packet-diag set capture stage firewall file <firewall-file> 
debug dataplane packet-diag set capture stage receive file <receive-file> 
debug dataplane packet-diag set capture stage transmit file <transmit-file> 
debug dataplane packet-diag set capture on
    When you execute packet capture commands, a consent page appears after end users log in to the Clientless VPN portal, informing them that the packets captured during their user session will contain unencrypted (clear-text) data. If users consent to the packet capture session, they then proceed to the applications landing page, where packet capture begins. If users do not consent to the packet capture session, they are logged out of the Clientless VPN portal and must contact an administrator to proceed with a regular user session (without packet capture).
    If you execute packet capture commands for user sessions that are already in progress, those users are automatically logged out of the Clientless VPN portal and must log back in to accept or decline the packet capture session.
    Show packet capture files
    debug dataplane packet-diag show setting
----------------------------------------------------------
Packet diagnosis setting:
----------------------------------------------------------
Packet filter
Enabled:	no
Match pre-parsed packet:	no
----------------------------------------------------------
Logging
Enabled:	no
Log-throttle:	no
Sync-log-by-ticks:	yes
Features:
Counters:
----------------------------------------------------------
Packet capture
Enabled:	yes
Snaplen:	0
Username:	test1 
Stage clientless-vpn-client: file client.pcap
 Captured: packets - 3558   bytes - 11366322
 Maximum: packets - 0   bytes - 0
Stage clientless-vpn-server: file server.pcap
 Captured: packets - 1779   bytes - 5651923
 Maximum: packets - 0   bytes - 0
----------------------------------------------------------
    Export packet capture files to a Secure Copy (SCP) server
    scp export filter-pcap
+ remote-port SSH port number on remote host
+ source-ip Set source address to specified interface address
* from	   from
* to	   Destination (username@host:path)

scp export filter-pcap from <source-file> to <scp-server> Destination (username@host:path)
    Table: Rewrite Engine Statistics
    Statistic
    Description
    initiate_connection_failure
    Connection initiation failed to back-end host
    setup_connection_failure
    Connection setup failed
    setup_connection_duplicate
    Duplicate peer session exists
    session_notify_mismatch
    Mostly invalid session
    packet_mismatch_session
    Failed to find right session for incoming packet
    peer_queue_update_rcvd_failure
    Session was invalid when packet update received by peer
    peer_queue_update_sent_failure
    Failed to send packet updates to peer or failed to send packet queue length updates to peer
    exceed_pkt_queue_limit
    Too many packets queued
    proxy_connection_failure
    Proxy connection failed
    setup_connection_r
    Installing the peer session to the application server. This value should match the values for initiate_connection and setup_connection.
    setup_connection_duplicate_r
    Duplicate sessions already in proxy
    setup_connection_failure_r
    Failed to set up the peer session
    session_notify_mismatch_r
    Peer session not found
    packet_mismatch_session_r
    Peer session not found when trying to get the packet
    exceed_pkt_queue_limit_r
    Too many packets held
    unknown_dest
    Failed to find destination host
    pkt_no_dest
    No destination for this packet
    cookie_suspend
    Suspended session to fetch cookies
    cookie_resume
    Received response from MP with updated cookies. This value generally matches the value of cookie_suspend.
    decompress_failure
    Failed to decompress
    memory_alloc_failure
    Failed to allocate memory
    wait_for_dns_resolve
    Suspended session to resolve DNS requests
    dns_resolve_reschedule
    Rescheduled DNS query due to no response (retry before timeout)
    dns_resolve_timeout
    DNS query timeout
    setup_site_conn_failure
    Failed to setup connection to site (proxy, DNS)
    site_dns_invalid
    DNS resolve failed
    multiple_multipart
    Multi-part content-type processed
    site_from_referer
    Received the back-end host from referrer. This can indicate failed rewrite links from flash or other content which Clientless VPN does not rewrite.
    received_fin_for_pending_req
    Received FIN from server for pending request from client
    unmatched_http_state
    Unexpected HTTP content. This can indicate an issue parsing the http headers or body.

    © 2026 Palo Alto Networks, Inc. All rights reserved.