Troubleshoot Clientless VPN
Because Clientless VPN dynamically rewrites the HTML content of web applications, the content of some applications may not rewrite correctly, which breaks the application. If issues occur, use the commands in the following table to identify the likely cause:
List the version of Clientless VPN dynamic content being used
You can also view the dynamic update version from Device > Dynamic Updates > GlobalProtect Clientless VPN.
    pancpe@cagp> show system setting ssl-decrypt memory
    proxy uses shared allocator
    SSL certificate cache:
      Current Entries: 1
      Allocated 1, Freed 0
    Current CRE (61-62) : 3456 KB (Actual 3343 KB)
    Last CRE (60-47) : 3328 KB (Actual 3283 KB)
In this example, the current dynamic update is version 61-62, and the last installed dynamic update is version 60-47.
List active (current) users of Clientless VPN
    pancpe@cagp> show global-protect-portal current-user portal GPClientlessPortal filter-user all-users
    GlobalProtect Portal : GPClientlessPortal
    Vsys-Id : 1
    User : paloaltonetworks.com\johndoe
    Session-id : 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
    Client-IP : 126.96.36.199
    Inactivity Timeout : 1800
    Seconds before inactivity timeout : 1750
    Login Lifetime : 10800
    Seconds before login lifetime : 10748
    Total number of user sessions: 1
Show DNS resolution results
Use this output to determine whether DNS is the problem. An entry that stays in the querying state shows an FQDN that the firewall could not resolve.
    pancpe@cagp> show system setting ssl-decrypt dns-cache
    Total DNS cache entries: 89
    Site                       IP              Expire(secs)  Interface
    bugzilla.panw.local        10.0.2.15       querying      0
    www.google.com             188.8.131.52    Expired       0
    stats.g.doubleclick.net    184.108.40.206  Expired       0
Show all Clientless VPN user sessions and cookies stored
    pancpe@cagp> show system setting ssl-decrypt gp-cookie-cache
    User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0, Client-ip: 220.127.116.11
Show rewrite engine statistics
The rewrite statistics help you identify the health of the Clientless VPN rewrite engine.
Refer to Table: Rewrite Engine Statistics (below) for the meaning or purpose of each counter.
    pancpe@cagp> show system setting ssl-decrypt rewrite-stats
    Rewrite Statistics
    initiate_connection : 11938
    setup_connection : 11909
    session_notify_mismatch : 1
    reuse_connection : 37
    file_end : 4719
    packet : 174257
    packet_mismatch_session : 1
    peer_queue_update_rcvd : 167305
    peer_queue_update_sent : 167305
    peer_queue_update_rcvd_failure: 66
    setup_connection_r : 11910
    packet_mismatch_session_r : 22
    pkt_no_dest : 23
    cookie_suspend : 2826
    cookie_resume : 2826
    decompress : 26
    decompress_freed : 26
    dns_resolve_timeout : 27
    stop_openend_response : 43
    received_fin_for_pending_req : 26
    Destination Statistics
    To mp : 4015
    To site : 12018
    To dp : 17276
    Return Codes Statistics
    ABORT : 18
    RESET : 30
    PROTOCOL_UNSUPPORTED : 7
    DEST_UNKNOWN : 10
    CODE_DONE : 52656
    DATA_GONE : 120359
    SWITCH_PARSER : 48
    INSERT_PARSER : 591
    SUSPEND : 2826
    Total Rewrite Bytes : 611111955
    Total Rewrite Useconds : 6902825
    Total Rewrite Calls : 176545
Enable debug logs on the firewall running Clientless VPN Portal
    debug dataplane packet-diag set log feature ssl all
    debug dataplane packet-diag set log feature misc all
    debug dataplane packet-diag set log feature proxy all
    debug dataplane packet-diag set log feature flow basic
    debug dataplane packet-diag set log on
Enable packet capture on the firewall running Clientless VPN Portal
    debug dataplane packet-diag set capture username <portal-username>
    debug dataplane packet-diag set capture stage clientless-vpn-client file clss_client1.pcap
    debug dataplane packet-diag set capture stage clientless-vpn-server file clss_server1.pcap
    debug dataplane packet-diag set capture stage firewall file clss_fw1.pcap
    debug dataplane packet-diag set capture stage receive file clss_rx1.pcap
    debug dataplane packet-diag set capture stage transmit file clss_tx1.pcap
    debug dataplane packet-diag set capture on
Table: Rewrite Engine Statistics
The following entries describe what each rewrite-engine counter records:
Connection initiation failed to back-end host
Connection setup failed
Duplicate peer session exists
Most likely an invalid session
Failed to find the right session for an incoming packet
Session was invalid when the packet update was received by the peer
Failed to send packet updates to the peer, or failed to send packet queue length updates to the peer
Too many packets queued
Proxy connection failed
Installing the peer session to the application server. This value should match the values for initiate_connection and setup_connection.
Duplicate sessions already in the proxy
Failed to set up the peer session
Peer session not found
Peer session not found when trying to get the packet
Too many packets held
Failed to find the destination host
No destination for this packet
Suspended the session to fetch cookies
Received a response from the MP with updated cookies. This value generally matches the value of cookie_suspend.
Failed to decompress
Failed to allocate memory
Suspended the session to resolve DNS requests
Rescheduled the DNS query because there was no response (retry before timeout)
DNS query timeout
Failed to set up the connection to the site (proxy, DNS)
DNS resolution failed
Multi-part content type processed
Received the back-end host from the referrer. This can indicate failed rewrite links from Flash or other content that Clientless VPN does not rewrite.
Received FIN from the server for a pending request from the client
Unexpected HTTP content. This can indicate an issue parsing the HTTP headers or body.
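The dns-cache output and the rewrite-stats output above are both plain text that you usually read by eye on the CLI. The following added example (not Palo Alto Networks code) parses both and applies the relationships this page states: an FQDN stuck in the querying state is an unresolved lookup, setup_connection_r should match initiate_connection and setup_connection, and cookie_resume generally matches cookie_suspend. The sample text is copied from the command output shown on this page (the rewrite-stats sample is abridged); the column layout, the 1% tolerance, and the peer-queue failure threshold are assumptions made for the example.

```python
"""Health checks over Clientless VPN troubleshooting output.

Added example, not Palo Alto Networks code. It parses the text of
'show system setting ssl-decrypt dns-cache' and
'show system setting ssl-decrypt rewrite-stats' and applies the
relationships the page states. Sample outputs are copied from this
page; their column layout and the 1% tolerance are assumptions.
"""
import re

# Constructed from the dns-cache output on this page (layout assumed).
DNS_CACHE_SAMPLE = """\
Total DNS cache entries: 89
Site                       IP              Expire(secs)  Interface
bugzilla.panw.local        10.0.2.15       querying      0
www.google.com             188.8.131.52    Expired       0
stats.g.doubleclick.net    184.108.40.206  Expired       0
"""

# Abridged from the rewrite-stats output on this page (layout assumed).
REWRITE_STATS_SAMPLE = """\
Rewrite Statistics
initiate_connection           : 11938
setup_connection              : 11909
session_notify_mismatch       : 1
peer_queue_update_rcvd        : 167305
peer_queue_update_sent        : 167305
peer_queue_update_rcvd_failure: 66
setup_connection_r            : 11910
pkt_no_dest                   : 23
cookie_suspend                : 2826
cookie_resume                 : 2826
dns_resolve_timeout           : 27
Total Rewrite Useconds        : 6902825
Total Rewrite Calls           : 176545
"""

DNS_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
STAT_LINE = re.compile(r"^([A-Za-z_ ]+?)\s*:\s*(\d+)$")


def parse_dns_cache(text):
    """Return (site, ip, expire) tuples; expire is seconds, 'Expired' or 'querying'."""
    rows = []
    for line in text.splitlines():
        m = DNS_ROW.match(line.strip())
        if m and m.group(1) != "Site":  # skip the column header row
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def stuck_dns_queries(text):
    """FQDNs still in the 'querying' state: lookups the firewall has not resolved."""
    return [site for site, _ip, expire in parse_dns_cache(text)
            if expire.lower() == "querying"]


def parse_rewrite_stats(text):
    """Map every 'name : value' counter line to an int; section headers are skipped."""
    return {m.group(1).strip(): int(m.group(2))
            for m in (STAT_LINE.match(l.strip()) for l in text.splitlines()) if m}


def _diverge(a, b, tol):
    """True when two counters differ by more than tol (relative)."""
    return abs(a - b) > tol * max(a, b, 1)


def rewrite_health(stats, tol=0.01):
    """Return (counter, message) findings; an empty list means the counters agree."""
    def g(k):
        return stats.get(k, 0)
    findings = []
    init, setup, setup_r = g("initiate_connection"), g("setup_connection"), g("setup_connection_r")
    # Page: setup_connection_r should match initiate_connection and setup_connection.
    if _diverge(init, setup, tol) or _diverge(setup, setup_r, tol):
        findings.append(("setup_connection_r",
                         f"initiate={init} setup={setup} setup_r={setup_r}: peer session installs diverge from connection setups"))
    # Page: cookie_resume generally matches cookie_suspend.
    if g("cookie_resume") < g("cookie_suspend"):
        findings.append(("cookie_resume",
                         f"{g('cookie_suspend') - g('cookie_resume')} sessions suspended for cookies were never resumed"))
    # Assumed threshold: failed peer queue updates above tol of those sent.
    sent, failed = g("peer_queue_update_sent"), g("peer_queue_update_rcvd_failure")
    if sent and failed / sent > tol:
        findings.append(("peer_queue_update_rcvd_failure", f"{failed}/{sent} peer queue updates failed"))
    # Any DNS timeout is worth correlating with the dns-cache output.
    if g("dns_resolve_timeout"):
        findings.append(("dns_resolve_timeout", f"{g('dns_resolve_timeout')} DNS resolve timeouts; check dns-cache"))
    return findings


def rewrite_cost_usec(stats):
    """Average microseconds spent per rewrite call."""
    calls = stats.get("Total Rewrite Calls", 0)
    return stats.get("Total Rewrite Useconds", 0) / calls if calls else 0.0


if __name__ == "__main__":
    print("stuck DNS:", stuck_dns_queries(DNS_CACHE_SAMPLE))
    s = parse_rewrite_stats(REWRITE_STATS_SAMPLE)
    for name, msg in rewrite_health(s):
        print(f"{name}: {msg}")
    print(f"avg rewrite cost: {rewrite_cost_usec(s):.1f} us")
```

On the page's own numbers the only finding is the 27 DNS resolve timeouts, which is exactly the case the dns-cache output confirms (bugzilla.panw.local stuck in querying). Take a baseline of the counters on a healthy portal before comparing, because the meaningful signal is usually the delta between two readings rather than the absolute values.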