Article Intended For
IT Staff involved in supporting users of the GlobalProtect Remote Access VPN Service.
Introduction
This article documents possible errors that may be presented to users of the GlobalProtect Remote Access VPN service, as well as provide a resolution when possible. If you are unable to find the specific error in this KB article, please try the steps in the below table.
For more information about GlobalProtect, and a list of related articles, see KB0013431, GlobalProtect Remote Access VPN - Overview.
| Basic Troubleshooting Steps | |
| Windows | MacOS |
|
Must have anti-virus software with real-time protection installed. Recommendations to install https://security.psu.edu/education-training/anti-virus/ |
Must have anti-virus software with real-time protection installed. Recommendations to install https://security.psu.edu/education-training/anti-virus/ |
|
If client is not at the latest version, Upgrade the client: KB0013671 |
If client is not at the latest version, Upgrade the client: KB0013671 |
|
Verify PANGP Virtual Ethernet Adapter exists in control panel/network |
Verify Host-based Firewall allows GP communications |
|
Check for additional VPN adapters Disable any VPN adapters that may be conflicting with GP |
Privacy settings for GP |
|
Remove .dat files: KB0016083
|
Remove .dat files: KB0016084
|
|
Reboot |
Reboot |
|
Restart PanGPS service in Windows Services
|
Verify system extensions are installed |
|
command prompt, run "winmgmt /resetrepository" and reboot |
Make sure Safari is up to date |
|
Try ssl: KB0015585 |
Try ssl: KB0015585 |
|
Uninstall/reboot/reinstall client |
Uninstall/reboot/reinstall client |
|
Is IPv6 enabled? If so have it disabled. |
Is IPv6 enabled? If so have it disabled. |
If the above steps are unsuccessful, please attach the GP logs to the ticket and provide all details prior to escalating.
More Specific Known Issues, Errors, and Resolutions
Click on an error message below to jump to the associated description and other information:
- Authentication Failed -- Please contact the administrator for further assistance, Error code: -1
- Connection Failed -- You are not authorized to connect to GlobalProtect Portal.
- Authentication Failed -- Enter login credentials, Error -- Incorrect username or password
- Connection Failed -- Failed to get default route entry
- Connection Failed -- Could not connect to the GlobalProtect gateway. Please contact your IT administrator
- Connection Failed -- VPN connection could not be established. Please restart your computer to try again.
- Connection Failed -- Failed to find the PANGP virtual adapter interface
- Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
- Connection Failed -- The virtual adapter was not set up correctly due to a delay. GlobalProtect will try again soon. If the issue persists, please restart your system.
- Connection Failed -- The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect
- Connection Failed -- The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect
- Connection Failed -- Failed to verify certificate
- Connection Failed -- Could not connect to the GlobalProtect service
- Connecting... -- Still Working...
- Web Login Service - Stale Request
- Script Error - An error has occurred in the script on this page.
- Blank "GlobalProtect Login" window
- Mac: Reoccurring requests to enter password
- Looks like something went wrong. Please wait a few minutes and try again. If the problem persists, contact your IT help desk.
- Authentication prompt is for another organization other than Penn State
Authentication Failed
Please contact the administrator for further assistance
Error code: -1
Display
Description
User has not been provisioned for GlobalProtect VPN use. Please refer to KB0016161 for more details about affiliation
Resolution
User's account credentials must have the proper affiliation and be provisioned through standard Penn State onboarding for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to IT Service Desk for further assistance verifying affiliation
Connection Failed
You are not authorized to connect to GlobalProtect Portal.
Display
Description
User has not been provisioned for GlobalProtect VPN use. Please refer to KB0016161 for more details about affiliation
Resolution
User's account credentials must have the proper affiliation and be provisioned through standard Penn State onboarding for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to IT Service Desk for further assistance verifying affiliation
Authentication Failed. Enter login credentials
Error: Incorrect username or password
Display
Description
If this error is present on a Linux host, then the userid may have exceeded 5 incorrect login attempts resulting in the account being locked.
Resolution
- IT support staff: Open a ServiceNow INCIDENT ticket and assign to the "Firewall and Security Team" assignment group.
- FaST: This user id will need to be unlocked in the active member of the GPFW cluster. Device>Authentication Profile>"RADIUS-Auth-Profile-Name">unlock(click on user ID and answer prompt) example auth profile: AP_GPFW-DUO-Radius-GP-AllUsers
Connection Failed
Failed to get default route entry
Display
Description
- In the GlobalProtect Agent GPA logs, The GP client was able to identify the PANGP adapter.
(T5584) 01/25/19 12:07:58:025 Dump (3389): Adapter name: {E0504646-6C44-4B93-AB6B-FCB2F1DBE90C} (T5584) 01/25/19 12:07:58:025 Dump (3390): Adapter friendly name: Local Area Connection 2 - GlobalProtect Agent PanGps logs indicate it has received the default route and changes the registry key accordingly.
(T5584) 01/25/19 12:07:59:026 Dump ( 354): Setting routes... (T5584) 01/25/19 12:07:59:026 Dump (1865): SetRoutes(): Non-SplitTunneling. (T5584) 01/25/19 12:07:59:026 Dump (1869): SetRoutes(): Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\ExclusiveDefaultRoute is 0.
- The same PanGPS logs indicate that the route table is not updated with the entry, and it keeps failing.
(T5584) 01/25/19 12:08:09:086 Error(1897): SetRoutes: GetRouteTableEntry(10.150.16.143) failed (T5584) 01/25/19 12:08:09:086 Error( 356): Error setting routes (T5584) 01/25/19 12:08:09:086 Error( 235): ProcMonitor: SetupNetwork() failed
Resolution
- In Windows cmd, run > sc delete PanGPS >
- Remove the following key - HKEY_CURRENT_USER\Software\Palo Alto Networks
- Remove the following key - HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks
- Delete the following folder/directory - C:\Program Files\Palo Alto Networks >
- Delete the following folder C:\Users\User\AppData\Local\Palo Alto Networks
- Uninstall the 3rd party VPN softwares and other softwares which can deny the route table modification.
- Reboot
- Reinstall the GP software.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWeCAO
Connection Failed: Could not connect to the GlobalProtect gateway. Please contact your IT administrator
Display
Description
This error message may be presented in one of these scenarios:
- The wrong gateway is attempting to be connected to from the wrong location (e.g. "External" gateway when on-campus)
- The installation of the GlobalProtect agent did not complete correctly or has been corrupted since the original installation and a dependent resource is not available(e.g. the GlobalProtect virtual adapter)
Resolution
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Confirm that WMI service is running
Connection Failed -- VPN connection could not be established. Please restart your computer to try again.
Display
Description
The PANGP Virtual Ethernet Adapter is not present. The ethernet adapter may be missing due to a corrupt or incomplete installation, or due to the ethernet adapter being removed since the GlobalProtect agent was previously installed. The PANGP Virtual Ethernet Adapter should be found at Control Panel\Network and Internet\Network Connections
Resolution
Option A - Reinstall the GlobalProtect agent overtop of the current install.
- Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/ - Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
- Verify that the PANGP Virtual Ethernet Adapter is now present.
Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Verify that the PANGP Virtual Ethernet Adapter is now present.
Connection Failed -- Failed to find the PANGP virtual adapter interface
Display
Description
The PanGPS service is not running, or the GlobalProtect agent install is otherwise corrupt.
Resolution
Option A - Reinstall the GlobalProtect agent overtop of the current install.
- Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/ - Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Confirm that WMI service is running
Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
Display
Description
This error may be presented to the user for several reasons:
- User account does not have a fine-grain affiliation that is associated with VPN access.
Resolution
- No action necessary. Access controls are working as intended. The user is attempting to access the VPN outside of normal and expected conditions. If the user is a student, then likely need to wait until semester start for their VPN access to be provisioned. Refer to KB0016161 - GlobalProtect Remote Access VPN - Choose the Correct Gateway Based on User Affiliation to determine if the user's fine-grain affiliation permits access to a GlobalProtect VPN gateway.
Connection Failed -- The virtual adapter was not set up correctly due to a delay. GlobalProtect will try again soon. If the issue persists, please restart your system.
Display
Description
Possible WMI repository corruption due to Windows 10 21H1 update
Resolution
Option A - Restart computer
Option B - Reset WMI repository
- Open command prompt with administrative credentials
- This is done by right clicking on the Command Prompt icon and selecting Run as administrator
- From command prompt, run "winmgmt /resetrepository"
- If a dependency prevents the repository reset, run "net stop winmgmt" and note any services listed as dependent
- After identifying dependent services you must stop them and then the command "winmgmt /resetrepository" can be run again
- Once the repository reset is successful then proceed to the next step
- Reboot computer
- Connect to the PSU VPN via GlobalProtect agent
Addtitional Resources: Feedback from the College of Engineering IT Staff indicated that these two options did not work for a related incident that one of their users encountered. Temporary KB0019166 has been created to provide links to other documentation that may assist in resolving this particular issue.
Connection Failed -- The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect
Display
Description
The user's computer is not able to reach the gateway. This may be due to several reason, but is likely an issue with the user's home network or ISP.
Consider investigating these specific items to identify and resolve the issue.
- The user's computer is configured to use a proxy server that is not permitting the communication to the GlobalProtect gateway
- The user's home network router may be filtering or blocking the needed IPSec communications to the GlobalProtect gateway.
Resolution
Option A - Check Windows Services
Verify that the "PanGPS" and "Windows Management Instrumentation" services are set to Automatic with status of Running
Option B - Check for other conflicts with network traffic
Identify and remove the system, device, or configuration that is preventing the flow of the IPSec communications.
Connection Failed -- The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect
Display
Description
The user's computer is not able to reach the portal. This may be due to several reason, but is likely an issue with the user's home network or ISP.
Consider investigating these specific items to identify and resolve the issue.
- The user's computer is configured to use a proxy server that is not permitting the communication to the GlobalProtect portal
- The user's home network router may be filtering or blocking the needed IPSec communications to the GlobalProtect portal.
- The user's computer may have manual route entries in a host table or other similar manual routes that are not automatically updated to resolve to the current portal IP address.
Resolution
Option A - Check Windows Services
Verify that the "PanGPS" and "Windows Management Instrumentation" services are set to Automatic with status of Running
Option B - Check for other conflicts with network traffic
Identify and remove the system, device, or configuration that is preventing the flow of the IPSec communications.
Connection Failed -- Failed to verify certificate
Display
Description
The user is able to successfully authenticate and connect to the GlobalProtect (GP) Portal. However, after retrieving the latest configuration from the portal, the GP agent is unable to establish a VPN tunnel to the GlobalProtect gateway. Because of a cached portal configurations, the user may not even be presented with a login prompt. Regardless, the same "Failed to verify certificate" error message will be presented to the user.
A network-based system or software installed on the affected computer is intercepting the SSL certificate from the GP gateway, which is intended to be used by the GP agent, and preventing a successful connection to the gateway. The SSL interception is likely not a malicious action, rather a by-product of a security software agent or enterprise security service at the user's local network. These cases are not uncommon for enterprise networks and enterprise managed computers.
Resolution
The GP agent log bundle will contain information about the device/service that has intercepted the SSL certificate. The Cyber Network Defense group can analyze this log bundle to help identify the conflicting system.
1. Place the GP agent logging to the "Dump" Logging level - KB0017942: How do I change the GlobalProtect agent logging level?
2. Attempt a connection to the GP gateway, wait until the Failed to verify certificate error message is observed.
3. Collect the GP agent log bundle - KB0016086: How do I collect the GlobalProtect agent log bundle?
4. Open a new ServiceNow Incident and assign to "Firewall and Security Team" assignment group. Attach the log bundle to the ticket.
Connection Failed -- Could not connect to the GlobalProtect service
Display
Description
The issue has been observed on both Mac and Windows computers and is caused by a corrupted installation or software that interferes or prevents the PanGPS service from starting on the computer.
Resolution
The primary way to resolve the issue is to uninstall and reinstall the GlobalProtect agent software on the computer.
Option A - Reinstall the GlobalProtect agent.
- Download the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/ - Run the installer and select the option to uninstall the software.
- Reboot the computer then run the installer again selecting the option to install the software
- For Mac computers be sure to select the option to enable system extensions for GlobalProtect
- For Windows computers verify the "PanGPS" and "Windows Management Instrumentation" services are running with startup type set to automatic
Option B - Check the computer for any software that may be preventing startup applications.
- Performance enhancing software is sometimes used to control startup applications
- Antivirus or Malware software may also prevent applications from running at startup
- Verify that Palo Alto Networks is enabled to run in "Login Items" under System Settings -- General
Connecting... -- Still Working...
Display
Description
The "PanGPS" service did not start correctly, or the installation was not successful.
Resolution
Manually start the "PanGPS" service on a Windows computer. If the service is already running or is not able to be manually started, then the GlobalProtect VPN agent must be reinstalled. Be sure to uninstall the GlobalProtect agent, reboot the computer, install the GlobalProtect agent, then reboot the computer again.
The latest PSU preferred GlobalProtect VPN agent can be downloaded from softwarerequest.psu.edu
Web Login Service - Stale Request
Display
Description
The GlobalProtect Remote Access VPN utilizes Penn State's WebAccess system for authentication. The authentication workflow loads the WebAccess authentication page into a browser kiosk-mode window. The connection to the WebAccess login page is initiated from the computer's network interfaces. This traffic is not redirected through, tunneled through, or initiated from the GlobalProtect VPN systems. So, issues connecting to WebAccess are in the path between the originating computer and the WebAccess system located in Penn State's University Park or Hershey Data Centers.
Resolution
- Verify that there are no local browser or system issues on the originating computer
- Ensure the ability to load https://webaccess.psu.edu in a web-browser, and authenticate with PSU credentials including Microsoft MFA.
- Ensure the ability to load https://login.microsoftonline.com in a web-browser. Enter PSU username in format of userid@psu.edu (ex. abc123@psu.edu) and ensure that the page redirects to webaccess.psu.edu
- Verify no local LAN, WiFi, or ISP connectivity issues are present on the originating computer side of the connection. (ping, MTR, Win-MTR, etc. to various Internet destinations)
- Verify a reliable and error-free Internet path is available from the originating computer to Penn State's network.(ping, MTR, Win-MTR, etc. to vpn.psu.edu)
Script Error - An error has occurred in the script on this page.
Display
Description
The GlobalProtect installer for Windows operating systems includes a browser built-in to the agent to display the PSU WebAccess authentication page. This browser uses Window's Internet Explorer settings, cache, cookies, etc.
The URL shown in the above screenshot may differ to other user's Script Error message
Resolution
Clear the cache in the Internet Explorer browser
- Launch the Internet Explorer browser application
- Open Settings > Internet Options > General tab
- Select Delete... from the Browsing history section
- Unselect Preserve Favorites website data
- Select Temporary Internet files and websites files
- Select Cookies and website data
- Choose Delete at the bottom of the Delete Browsing History window
- Close Internet Explorer, then restart the GlobalProtect connection process
Blank "GlobalProtect Login" window
Display
Description
When attempting to login and connect to the GlobalProtect VPN, a blank "GlobalProtect Login" window is presented to the user instead of the expected WebSSO page.
Resolution
Ensure that JavaScript is enabled in the OS vendor's default browser.(e.g. Internet Explorer or Safari)
Windows:
- Open Internet Explorer
- Navigate to Settings>Internet Options>Security>Custom level...
- Scroll down to the Scripting section
- Select Enable for Active scripting
- Click OK. Then click Yes when prompted Are you sure you want to change the settings for this zone?
- Click OK to close the Internet Options window
macOS:
- Open the Safari web-browser
- Open Safari's preferences
- Navigate to the Security tab
- click to Enable JavaScript at the Web content field
Mac: Reoccurring requests to enter password
Description
When a user attempts to sign-in they are prompted for their password in a continuous loop
Resolution
Update Safari and Reboot computer:
- From the Apple menu in the corner of your screen, choose System Preferences.
- Click Software Update.
- Click Update Now or Upgrade Now:
- Update Now installs the latest updates for the currently installed version.
- Upgrade Now installs a major new version with a new name, such as macOS Big Sur.
Looks like something went wrong. Please wait a few minutes and try again. If the problem persists, contact your IT help desk.
Display
Description
When using the GlobalProtect VPN app on the same Android device that is also receiving Microsoft MFA Security push notifications, sometimes the VPN connection fails with the message Looks like something went wrong. Please wait a few minutes and try again. If the problem persists, contact your IT help desk.
Resolution
Do not navigate away from the GlobalProtect VPN application to accept the Microsoft MFA Security push notification. Instead, pull down the Microsoft MFA Security push notification from the Notification Bar, then click Approve. Do not click the Microsoft MFA Security push notification to open the Microsoft MFA Security App.
Authentication prompt is for another organization other than Penn State
Display
Description
When using the GlobalProtect VPN agent on a Windows computer using accounts for more than just PSU, sometimes the VPN does not present the PSU authentication window and only shows the other organization authentication window.
Resolution
PSU credentials should be listed under Accounts --- Access work or school. If needed remove other organizations and add the PSU account here.
If multiple user accounts or the wrong user accounts are configured under the user profile for "Access School or Work" this will cause GlobalProtect to select an account to attempt to connect for SSO. If GlobalProtect is selecting the wrong account then you may need to remove the additional accounts and only leave the PSU account for GlobalProtect to connect with the appropriate login prompt for PSU. Refer to KB0017503 - GlobalProtect Remote Access VPN - Why can't I change the GlobalProtect login user name? for specific instruction on the steps to check the settings.
How to Get Help with the GlobalProtect Remote Access VPN
If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help:
- Visit the IT Help Portal
- Call us at 814-865-HELP (4357)
- Email us at ITservicedesk@psu.edu