Article Intended For
IT Staff involved in supporting users of the GlobalProtect Remote Access VPN Service.
Introduction
This article documents possible errors that may be presented to users of the GlobalProtect Remote Access VPN service, as well as provide a resolution when possible.
Article Body
Click on an error message below to jump to the associated description and other information:
- Authentication Failed -- Please contact the administrator for further assistance, Error code: -1
- Connection Failed -- You are not authorized to connect to GlobalProtect Portal.
- Authentication Failed -- Enter login credentials, Error -- Incorrect username or password
- Connection Failed -- Failed to get default route entry
Authentication Failed
Please contact the administrator for further assistance
Error code: -1
Display
Description
User has not been provisioned by their local Unit IT for GlobalProtect VPN use.
Resolution
User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to user's local Unit IT Assignment Group
Connection Failed
You are not authorized to connect to GlobalProtect Portal.
Display
Description
User has not been provisioned by their local Unit IT for GlobalProtect VPN use.
Resolution
User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to user's local Unit IT Assignment Group
Authentication Failed. Enter login credentials
Error: Incorrect username or password
Display
Description
If this error is present on a Linux host, then the userid may have exceeded 5 incorrect login attempts resulting in the account being locked.
Resolution
- IT support staff: Open a ServiceNow INCIDENT ticket and assign to the "Firewall and Security Team" assignment group.
- FaST: This user id will need to be unlocked in the active member of the GPFW cluster. Device>Authentication Profile>(RADIUS-Auth-Profile-Name>unlock
Connection Failed
Failed to get default route entry
Display
Description
- In the GlobalProtect Agent GPA logs, The GP client was able to identify the PANGP adapter.
(T5584) 01/25/19 12:07:58:025 Dump (3389): Adapter name: {E0504646-6C44-4B93-AB6B-FCB2F1DBE90C} (T5584) 01/25/19 12:07:58:025 Dump (3390): Adapter friendly name: Local Area Connection 2 - GlobalProtect Agent PanGps logs indicate it has received the default route and changes the registry key accordingly.
(T5584) 01/25/19 12:07:59:026 Dump ( 354): Setting routes... (T5584) 01/25/19 12:07:59:026 Dump (1865): SetRoutes(): Non-SplitTunneling. (T5584) 01/25/19 12:07:59:026 Dump (1869): SetRoutes(): Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\ExclusiveDefaultRoute is 0.
- The same PanGPS logs indicate that the route table is not updated with the entry, and it keeps failing.
(T5584) 01/25/19 12:08:09:086 Error(1897): SetRoutes: GetRouteTableEntry(10.150.16.143) failed (T5584) 01/25/19 12:08:09:086 Error( 356): Error setting routes (T5584) 01/25/19 12:08:09:086 Error( 235): ProcMonitor: SetupNetwork() failed
Resolution
- In Windows cmd, run > sc delete PanGPS >
- Remove the following key - HKEY_CURRENT_USER\Software\Palo Alto Networks
- Remove the following key - HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks
- Delete the following folder/directory - C:\Program Files\Palo Alto Networks >
- Delete the following folder C:\Users\User\AppData\Local\Palo Alto Networks
- Uninstall the 3rd party VPN softwares and other softwares which can deny the route table modification.
- Reboot
- Reinstall the GP software.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWeCAO
How to Get Help with the GlobalProtect Remote Access VPN
If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help:
- Visit the IT Help Portal
- Call us at 814-865-HELP (4357)
- Email us at ITservicedesk@psu.edu