This site requires JavaScript to be enabled
An updated version of this article is available

GlobalProtect Remote Access VPN - Known Issues, Errors, and Resolutions

10825 views

66.0 - Updated on 11-25-2024 by Eric Taylor (elt143)

65.0 - Updated on 06-03-2024 by Eric Taylor (elt143)

64.0 - Updated on 05-30-2024 by Eric Taylor (elt143)

63.0 - Updated on 05-10-2024 by Tom Bayly (txb151)

62.0 - Updated on 04-29-2024 by Eric Taylor (elt143)

61.0 - Updated on 04-04-2024 by Eric Taylor (elt143)

60.0 - Updated on 09-28-2023 by Eric Taylor (elt143)

59.0 - Updated on 09-17-2023 by Eric Taylor (elt143)

58.0 - Updated on 06-01-2023 by Eric Taylor (elt143)

57.0 - Updated on 05-24-2023 by Eric Taylor (elt143)

56.0 - Updated on 05-04-2023 by Tom Bayly (txb151)

55.0 - Updated on 02-21-2023 by Tom Bayly (txb151)

54.0 - Updated on 01-03-2023 by Eric Taylor (elt143)

53.0 - Updated on 01-03-2023 by Eric Taylor (elt143)

52.0 - Updated on 12-12-2022 by Eric Taylor (elt143)

51.0 - Updated on 11-15-2022 by Eric Taylor (elt143)

50.0 - Updated on 10-31-2022 by Kevin M (kbm2)

49.0 - Updated on 10-18-2022 by Eric Taylor (elt143)

48.0 - Updated on 08-01-2022 by Eric Taylor (elt143)

47.0 - Updated on 07-28-2022 by Eric Taylor (elt143)

46.0 - Updated on 07-15-2022 by Tom Bayly (txb151)

45.0 - Updated on 04-13-2022 by Michael Giornesto (mcg12)

44.0 - Updated on 04-12-2022 by Michael Giornesto (mcg12)

43.0 - Updated on 04-12-2022 by Michael Giornesto (mcg12)

42.0 - Updated on 04-06-2022 by Penny Hockenberry (pqb4)

41.0 - Updated on 02-14-2022 by Gregory Fox (gdf24)

40.0 - Updated on 02-07-2022 by Michael Giornesto (mcg12)

39.0 - Updated on 02-07-2022 by Edward Wilson (emw10)

38.0 - Updated on 02-04-2022 by Edward Wilson (emw10)

37.0 - Updated on 12-02-2021 by Michael Giornesto (mcg12)

36.0 - Updated on 12-02-2021 by Michael Giornesto (mcg12)

35.0 - Updated on 12-02-2021 by Michael Giornesto (mcg12)

34.0 - Updated on 11-08-2021 by Michael Giornesto (mcg12)

33.0 - Updated on 11-08-2021 by Michael Giornesto (mcg12)

32.0 - Updated on 09-21-2021 by Michael Giornesto (mcg12)

31.0 - Updated on 08-27-2021 by Michael Giornesto (mcg12)

30.0 - Updated on 07-23-2021 by Michael Giornesto (mcg12)

29.0 - Updated on 06-29-2021 by Ian Sproat (ixs33)

28.0 - Updated on 06-21-2021 by Gregory Fox (gdf24)

27.0 - Updated on 06-18-2021 by Tom Bayly (txb151)

26.0 - Updated on 06-15-2021 by Michael Giornesto (mcg12)

25.0 - Updated on 06-08-2021 by Michael Giornesto (mcg12)

24.0 - Updated on 06-07-2021 by Michael Giornesto (mcg12)

23.0 - Updated on 05-26-2021 by Michael Giornesto (mcg12)

22.0 - Updated on 05-25-2021 by Michael Giornesto (mcg12)

21.0 - Updated on 05-18-2021 by Michael Giornesto (mcg12)

20.0 - Updated on 05-12-2021 by Michael Giornesto (mcg12)

19.0 - Updated on 04-20-2021 by Michael Giornesto (mcg12)

18.0 - Updated on 04-14-2021 by Michael Giornesto (mcg12)

17.0 - Updated on 04-13-2021 by Michael Giornesto (mcg12)

16.0 - Updated on 04-06-2021 by Michael Giornesto (mcg12)

15.0 - Updated on 03-26-2021 by Michael Giornesto (mcg12)

Note to authors: Formatting for this article is partially defined/set in a <style> element in the HTML of the main section. (This note is automatically hidden when published [but portions may still appear in search results].)

Article Intended For

IT Staff involved in supporting users of the GlobalProtect Remote Access VPN Service.

Introduction

This article documents possible errors that may be presented to users of the GlobalProtect Remote Access VPN service, as well as provide a resolution when possible.  If you are unable to find the specific error in this KB article, please try the steps in the below table.

For more information about GlobalProtect, and a list of related articles, see KB0013431, GlobalProtect Remote Access VPN - Overview.

Windows MacOS

If client is not at the latest version, Upgrade the client

If client is not at the latest version, Upgrade the client

Remove .dat files

Verify Host-based Firewall allows GP communications

Reboot

Privacy settings for GP

Verify GP Adapter exists in control panel/network

Remove .dat files

Check for additional VPN adapters that may be conflicting with GP

Reboot

Confirm Pan service is running

Verify system extensions are installed

command prompt, run "winmgmt /resetrepository" and reboot

Make sure Safari is up to date

Try ssl

Try ssl

Uninstall/reboot/reinstall client

Uninstall/reboot/reinstall client

 

Must have anti-virus software with real-time protection installed.  Recommendations to install https://security.psu.edu/education-training/anti-virus/

If the above steps are unsuccessful, please attach the GP logs to the ticket and provide all details prior to escalating.

Article Body

Click on an error message below to jump to the associated description and other information:

Authentication Failed
Please contact the administrator for further assistance
Error code: -1

Display

Image of Error:  Authentication Failed, Please contact the administrator for further assistance. Error code -1.png

Description

User has not been provisioned by their local Unit IT for GlobalProtect VPN use. 

Resolution

User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.

Open or reassign a SNow Incident to user's local Unit IT Assignment Group

Connection Failed
You are not authorized to connect to GlobalProtect Portal.

Display

Image of GlobalProtect agent error: Connection Failed, You are not authorized to connect to GlobalProtect Portal

Description

User has not been provisioned by their local Unit IT for GlobalProtect VPN use. 

Resolution

User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.

Open or reassign a SNow Incident to user's local Unit IT Assignment Group

Authentication Failed.  Enter login credentials
Error: Incorrect username or password

Display

ERROR IMAGE_Authentication Failed-Enter login credentials_Error-Incorrect username or password.png

Description

If this error is present on a Linux host, then the userid may have exceeded 5 incorrect login attempts resulting in the account being locked. 

Resolution

Connection Failed
Failed to get default route entry

Display

Image of GlobalProtect VPN agent error: Connection Failed, Failed to get default route entry

Description
Resolution
  1. In Windows cmd, run > sc delete PanGPS >
  2. Remove the following key - HKEY_CURRENT_USER\Software\Palo Alto Networks
  3. Remove the following key - HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks
  4. Delete the following folder/directory - C:\Program Files\Palo Alto Networks >
  5. Delete the following folder C:\Users\User\AppData\Local\Palo Alto Networks
  6. Uninstall the 3rd party VPN softwares and other softwares which can deny the route table modification.
  7. Reboot
  8. Reinstall the GP software.

Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWeCAO

Connection Failed: Could not connect to the GlobalProtect gateway.  Please contact your IT administrator

Display

Connection Failed - Could not connect to the GlobalProtect gateway.  Please contact your IT administrator.

Description

This error message may be presented in one of these scenarios:

  1.  The wrong gateway is attempting to be connected to from the wrong location (e.g. "Faculty/Staff" or "Student" gateway when on-campus)
  2.  The installation of the GlobalProtect agent did not complete correctly or has been corrupted since the original installation and a dependent resource is not available(e.g. the GlobalProtect virtual adapter)
Resolution
  1. Stop the Windows Management Instrumentation (WMI) service
    • Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
  2. Disable the Windows Management Instrumentation (WMI) service
    • Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
  3. Delete directories and files
    • "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
  4. Delete Registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
    • HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
    • HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
  5. Un-install GlobalProtect
    • Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
  6. Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
  7. Reboot the machine
  8. Reinstall GlobalProtect with admin privileges
  9. Confirm that WMI service is running

Connection Failed -- VPN connection could not be established.  Please restart your computer to try again.

Display

Connection Failed - VPN connection could not be established.  Please restart your computer to try again.

Description

The PANGP Virtual Ethernet Adapter is not present.  The ethernet adapter may be missing due to a corrupt or incomplete installation, or due to the ethernet adapter being removed since the GlobalProtect agent was previously installed.  The PANGP Virtual Ethernet Adapter should be found at Control Panel\Network and Internet\Network Connections

Resolution

Option A - Reinstall the GlobalProtect agent overtop of the current install.

  1. Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
    https://softwarerequest.psu.edu/
  2. Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
  3. Verify that the PANGP Virtual Ethernet Adapter is now present.

 

Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.

  1. Stop the Windows Management Instrumentation (WMI) service
    • Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
  2. Disable the Windows Management Instrumentation (WMI) service
    • Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
  3. Delete directories and files
    • "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
  4. Delete Registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
    • HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
    • HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
  5. Un-install GlobalProtect
    • Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
  6. Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
  7. Reboot the machine
  8. Reinstall GlobalProtect with admin privileges
  9. Verify that the PANGP Virtual Ethernet Adapter is now present.

Connection Failed -- Failed to find the PANGP virtual adapter interface

Display

Connection Failed - Failed to find the PANGP virtual adapter interface.png

Description

The PanGPS service is not running, or the GlobalProtect agent install is otherwise corrupt.

Resolution

Option A - Reinstall the GlobalProtect agent overtop of the current install.

  1. Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
    https://softwarerequest.psu.edu/
  2. Reboot the computer to complete the install and ensure that the normal service startup methods are invoked

 

Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.

  1. Stop the Windows Management Instrumentation (WMI) service
    • Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
  2. Disable the Windows Management Instrumentation (WMI) service
    • Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
  3. Delete directories and files
    • "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
  4. Delete Registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
    • HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
    • HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
  5. Un-install GlobalProtect
    • Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
  6. Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
  7. Reboot the machine
  8. Reinstall GlobalProtect with admin privileges
  9. Confirm that WMI service is running

Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.

Display

Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator image

Description

Investigating

Resolution

TBD

Connection Failed -- The virtual adapter was not set up correctly due to a delay.  GlobalProtect will try again soon.  If the issue persists, please restart your system.

Display

Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator image

Description

Possible WMI repository corruption due to Windows 10 21H1 update

 

Resolution

Option A - Restart computer

 

Option B - Reset WMI repository

  1. Open command prompt with administrative credentials
  2. From command prompt, run "winmgmt /resetrepository"
  3. Reboot computer
  4. Connect to the PSU VPN via GlobalProtect agent

***This solution has very limited exposure.  Please contact firewall-team@psu.edu if you utilize this solution, either successfully or not, as we would like to keep our content accurate and up to date.

Connection Failed -- The network connection is unreachable or the gateway is unresponsive.  Check the network connection and reconnect

Display

Description

The user's computer is not able to reach the gateway.  This may be due to several reason, but is likely an issue with the user's home network or ISP.

Consider investigating these specific items to identify and resolve the issue.

Resolution

Identify and remove the system, device, or configuration that is preventing the flow of the IPSec communications.

Connection Failed -- Failed to verify certificate

Display

Connection-Failed_Failed-to-verify-certificate.png

Description

The user is able to successfully authenticate and connect to the GlobalProtect (GP) Portal.  However, after retrieving the latest configuration from the portal, the GP agent is unable to establish a VPN tunnel to the GlobalProtect gateway.  Because of a cached portal configurations, the user may not even be presented with a login prompt.  Regardless, the same "Failed to verify certificate" error message will be presented to the user.

A network-based system or software installed on the affected computer is intercepting the SSL certificate from the GP gateway, which is intended to be used by the GP agent, and preventing a successful connection to the gateway.  The SSL interception is likely not a malicious action, rather a by-product of a security software agent or enterprise security service at the user's local network.  These cases are not uncommon for enterprise networks and enterprise managed computers. 

Resolution

The GP agent log bundle will contain information about the device/service that has intercepted the SSL certificate. The Cyber Network Defense group can analyze this log bundle to help identify the conflicting system.

1.  Place the GP agent logging to the "Dump" Logging level - KB0017942: How do I change the GlobalProtect agent logging level?

2. Attempt a connection to the GP gateway, wait until the Failed to verify certificate error message is observed.

3.  Collect the GP agent log bundle - KB0016086: How do I collect the GlobalProtect agent log bundle?

4.  Open a new ServiceNow Incident and assign to "Firewall and Security Team" assignment group.  Attach the log bundle to the ticket.

Connecting...  --  Still Waiting...

Display

Connecting... Still Working...

Description

The "PanGPS" service did not start correctly, or the installation was not successful.

Resolution

Manually start the "PanGPS" service on a Windows computer.  If the service is already running or is not able to be manually started, then the GlobalProtect VPN agent must be reinstalled.  Be sure to uninstall the GlobalProtect agent, reboot the computer, install the GlobalProtect agent, then reboot the computer again.

The latest PSU preferred GlobalProtect VPN agent can be downloaded from softwarerequest.psu.edu

Web Login Service - Stale Request

Display

Web Login Service - Stale Request

Description

The GlobalProtect Remote Access VPN utilizes Penn State's WebAccess system for authentication.  The authentication workflow loads the WebAccess authentication page into a browser kiosk-mode window. The connection to the WebAccess login page is initiated from the computer's network interfaces.  This traffic is not redirected through, tunneled through, or initiated from the GlobalProtect VPN systems.  So, issues connecting to WebAccess are in the path between the originating computer and the WebAccess system located in Penn State's University Park or Hershey Data Centers.

Resolution

Script Error - An error has occurred in the script on this page.

Display

Script Error - An error has occurred in the script on this page.

Description

The GlobalProtect installer for Windows operating systems includes a browser built-in to the agent to display the PSU WebAccess authentication page.  This browser uses Window's Internet Explorer settings, cache, cookies, etc. 

The URL shown in the above screenshot may differ to other user's Script Error message

Resolution

Clear the cache in the Internet Explorer browser

Blank "GlobalProtect Login" window

Display

Screenshot of a Blank GlobalProtect Login window

Description

When attempting to login and connect to the GlobalProtect VPN, a blank "GlobalProtect Login" window is presented to the user instead of the expected WebSSO page.

Resolution

Ensure that JavaScript is enabled in the OS vendor's default browser.(e.g. Internet Explorer or Safari)

Windows: 

macOS:

Mac: Reoccurring requests to enter password

Description

When a user attempts to sign-in they are prompted for their password in a continuous loop

Resolution

Update Safari and Reboot computer:

  1. From the Apple menu in the corner of your screen, choose System Preferences.
  2. Click Software Update.
  3. Click Update Now or Upgrade Now:
    • Update Now installs the latest updates for the currently installed version.
    • Upgrade Now installs a major new version with a new name, such as macOS Big Sur.

How to Get Help with the GlobalProtect Remote Access VPN

If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help: