Article Intended For
IT Staff involved in supporting users of the GlobalProtect Remote Access VPN Service.
Introduction
This article documents possible errors that may be presented to users of the GlobalProtect Remote Access VPN service, as well as provide a resolution when possible.
Article Body
Click on an error message below to jump to the associated description and other information:
- Authentication Failed -- Please contact the administrator for further assistance, Error code: -1
- Authentication Failed -- Enter login credentials, Error -- Incorrect username or password
- Connection Failed -- You are not authorized to connect to GlobalProtect Portal.
- Connection Failed -- Failed to get default route entry
- Connection Failed -- Could not connect to the GlobalProtect gateway. Please contact your IT administrator
- Connection Failed -- VPN connection could not be established. Please restart your computer to try again.
- Connection Failed -- Failed to find the PANGP virtual adapter interface
- Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
- Web Login Service -- Stale Request
- Script Error -- An error has occurred in the script on this page.
- Blank "GlobalProtect Login" window
Authentication Failed
Please contact the administrator for further assistance
Error code: -1
Display
Description
User has not been provisioned by their local Unit IT for GlobalProtect VPN use.
Resolution
User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to user's local Unit IT Assignment Group
Connection Failed
You are not authorized to connect to GlobalProtect Portal.
Display
Description
User has not been provisioned by their local Unit IT for GlobalProtect VPN use.
Resolution
User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to user's local Unit IT Assignment Group
Authentication Failed. Enter login credentials
Error: Incorrect username or password
Display
Description
If this error is present on a Linux host, then the userid may have exceeded 5 incorrect login attempts resulting in the account being locked.
Resolution
- IT support staff: Open a ServiceNow INCIDENT ticket and assign to the "Firewall and Security Team" assignment group.
- FaST: This user id will need to be unlocked in the active member of the GPFW cluster. Device>Authentication Profile>"RADIUS-Auth-Profile-Name">unlock(click on user ID and answer prompt) example auth profile: AP_GPFW-DUO-Radius-GP-AllUsers
Connection Failed
Failed to get default route entry
Display
Description
- In the GlobalProtect Agent GPA logs, The GP client was able to identify the PANGP adapter.
(T5584) 01/25/19 12:07:58:025 Dump (3389): Adapter name: {E0504646-6C44-4B93-AB6B-FCB2F1DBE90C} (T5584) 01/25/19 12:07:58:025 Dump (3390): Adapter friendly name: Local Area Connection 2
- GlobalProtect Agent PanGps logs indicate it has received the default route and changes the registry key accordingly.
(T5584) 01/25/19 12:07:59:026 Dump ( 354): Setting routes... (T5584) 01/25/19 12:07:59:026 Dump (1865): SetRoutes(): Non-SplitTunneling. (T5584) 01/25/19 12:07:59:026 Dump (1869): SetRoutes(): Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\ExclusiveDefaultRoute is 0.
- The same PanGPS logs indicate that the route table is not updated with the entry, and it keeps failing.
(T5584) 01/25/19 12:08:09:086 Error(1897): SetRoutes: GetRouteTableEntry(10.150.16.143) failed (T5584) 01/25/19 12:08:09:086 Error( 356): Error setting routes (T5584) 01/25/19 12:08:09:086 Error( 235): ProcMonitor: SetupNetwork() failed
Resolution
- In Windows cmd, run > sc delete PanGPS >
- Remove the following key - HKEY_CURRENT_USER\Software\Palo Alto Networks
- Remove the following key - HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks
- Delete the following folder/directory - C:\Program Files\Palo Alto Networks >
- Delete the following folder C:\Users\User\AppData\Local\Palo Alto Networks
- Uninstall the 3rd party VPN softwares and other softwares which can deny the route table modification.
- Reboot
- Reinstall the GP software.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWeCAO
Connection Failed: Could not connect to the GlobalProtect gateway. Please contact your IT administrator
Display
Description
Resolution
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Confirm that WMI service is running
Connection Failed -- VPN connection could not be established. Please restart your computer to try again.
Display
Description
The PANGP Virtual Ethernet Adapter is not present. The ethernet adapter may be missing due to a corrupt or incomplete installation, or due to the ethernet adapter being removed since the GlobalProtect agent was previously installed. The PANGP Virtual Ethernet Adapter should be found at Control Panel\Network and Internet\Network Connections
Resolution
Option A - Reinstall the GlobalProtect agent overtop of the current install.
- Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/
2. Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
3. Verify that the PANGP Virtual Ethernet Adapter is now present.
Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Verify that the PANGP Virtual Ethernet Adapter is now present.
Connection Failed -- Failed to find the PANGP virtual adapter interface
Display
Description
The PanGPS service is not running, or the GlobalProtect agent install is otherwise corrupt.
Resolution
Option A - Reinstall the GlobalProtect agent overtop of the current install.
- Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/
2. Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Confirm that WMI service is running
Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
Display
Description
Investigating
Resolution
TBD
Web Login Service - Stale Request
Display
Description
The GlobalProtect Remote Access VPN utilizes Penn State's WebAccess system for authentication. The authentication workflow loads the WebAccess authentication page into a browser kiosk-mode window. The connection to the WebAccess login page is initiated from the computer's network interfaces. This traffic is not redirected through, tunneled through, or initiated from the GlobalProtect VPN systems. So, issues connecting to WebAccess are in the path between the originating computer and the WebAccess system located in Penn State's University Park or Hershey Data Centers.
Resolution
- Verify that there are no local browser or system issues on the originating computer
- Ensure the ability to load https://webaccess.psu.edu in a web-browser, and authenticate with PSU credentials including DUO 2FA.
- Ensure the ability to load https://login.microsoftonline.com in a web-browser. Enter PSU username in format of userid@psu.edu (ex. abc123@psu.edu) and ensure that the page redirects to webaccess.psu.edu
- Verify no local LAN, WiFi, or ISP connectivity issues are present on the originating computer side of the connection. (ping, MTR, Win-MTR, etc. to various Internet destinations)
- Verify a reliable and error-free Internet path is available from the originating computer to Penn State's network.(ping, MTR, Win-MTR, etc. to secure-connect.psu.edu)
Script Error - An error has occurred in the script on this page.
Display
Description
The GlobalProtect installer for Windows operating systems includes a browser built-in to the agent to display the PSU WebAccess authentication page. This browser uses Window's Internet Explorer settings, cache, cookies, etc.
The URL shown in the above screenshot may differ to other user's Script Error message.
Resolution
Clear the cache in the Internet Explorer browser
- Launch the Internet Explorer browser application
- Open Settings > Internet Options > General tab
- Select Delete... from the Browsing history section
- Unselect Preserve Favorites website data
- Select Temporary Internet files and websites files
- Select Cookies and website data
- Choose Delete at the bottom of the Delete Browsing History window
- Close Internet Explorer, then restart the GlobalProtect connection process
Blank "GlobalProtect Login" window
Display
Description
When attempting to login and connect to the GlobalProtect VPN, a blank "GlobalProtect Login" window is presented to the user instead of the expected WebSSO page.
Resolution
Ensure that JavaScript is enabled in the OS vendor's default browser.(e.g. Internet Explorer or Safari)
Windows:
- Open Internet Explorer
- Navigate to Settings>Internet Options>Security>Custom level...
- Scroll down to the Scripting section
- Select Enable for Active scripting
- Click OK. Then click Yes when prompted Are you sure you want to change the settings for this zone?
- Click OK to close the Internet Options window
macOS:
- Open the Safari web-browser
- Open Safari's preferences
- Navigate to the Security tab
- click to Enable JavaScript at the Web content field
How to Get Help with the GlobalProtect Remote Access VPN
If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help:
- Visit the IT Help Portal
- Call us at 814-865-HELP (4357)
- Email us at ITservicedesk@psu.edu