Troubleshoot Clientless VPN
Because this feature dynamically rewrites HTML applications, the HTML content for some applications may not be rewritten correctly, which can break the application. If issues occur, use the commands in the following table to help you identify the likely cause:
List the version of Clientless VPN dynamic content being used
You can also view the dynamic update version from the
GlobalProtect Clientless VPN
In this example, the current dynamic update is version 61-62, and the last installed dynamic update is version 60-47.
List active (current) users of Clientless VPN
Show DNS resolution results
This can be useful to determine if there are DNS issues. If there is a DNS issue, the CLI output shows a query against an FQDN that could not be resolved.
Show all Clientless VPN user sessions and cookies stored
This is useful to identify the health of the Clientless VPN rewrite engine.
Refer to Table: Rewrite Engine Statistics for information on rewrite statistics and their meaning or purpose.
Enable debug logs on the firewall running the Clientless VPN Portal
Enable packet capture on the firewall running the Clientless VPN Portal
When you execute packet capture commands, a consent page appears after end users log in to the Clientless VPN portal, informing them that the packets captured during their user session will contain unencrypted (clear-text) data. If users consent to the packet capture session, they then proceed to the applications landing page, where packet capture begins. If users do not consent to the packet capture session, they are logged out of the Clientless VPN portal and must contact an administrator to proceed with a regular user session (without packet capture).
If you execute packet capture commands for user sessions that are already in progress, those users are automatically logged out of the Clientless VPN portal and must log back in to accept or decline the packet capture session.
Show packet capture files
Export packet capture files to a Secure Copy (SCP) server
Connection initiation failed to back-end host
Connection setup failed
Duplicate peer session exists
Mostly invalid session
Failed to find right session for incoming packet
Session was invalid when packet update received by peer
Failed to send packet updates to peer or failed to send packet queue length updates to peer
Too many packets queued
Proxy connection failed
Installing the peer session to the application server. This value should match the values for
Duplicate sessions already in proxy
Failed to set up the peer session
Peer session not found
Peer session not found when trying to get the packet
Too many packets held
Failed to find destination host
No destination for this packet
Suspended session to fetch cookies
Received response from the management plane (MP) with updated cookies. This value generally matches the value of cookie_suspend.
Failed to decompress
Failed to allocate memory
Suspended session to resolve DNS requests
Rescheduled DNS query due to no response (retry before timeout)
DNS query timeout
Failed to set up connection to site (proxy, DNS)
DNS resolve failed
Multi-part content-type processed
Received the back-end host from referrer. This can indicate failed rewrite links from Flash or other content that Clientless VPN does not rewrite.
Received FIN from server for pending request from client
Unexpected HTTP content. This can indicate an issue parsing the HTTP headers or body.