Article Intended For
IT Staff involved in supporting users of the GlobalProtect Remote Access VPN Service.
Introduction
This article documents possible errors that may be presented to users of the GlobalProtect Remote Access VPN service, as well as provide a resolution when possible. If you are unable to find the specific error in this KB article, please try the steps in the below table.
For more information about GlobalProtect, and a list of related articles, see KB0013431, GlobalProtect Remote Access VPN - Overview.
Windows | MacOS |
If client is not at the latest version, Upgrade the client |
If client is not at the latest version, Upgrade the client |
Remove .dat files |
Verify Host-based Firewall allows GP communications |
Reboot |
Privacy settings for GP |
Verify GP Adapter exists in control panel/network |
Remove .dat files |
Check for additional VPN adapters that may be conflicting with GP |
Reboot |
Confirm Pan service is running |
Verify system extensions are installed |
command prompt, run "winmgmt /resetrepository" and reboot |
Make sure Safari is up to date |
Try ssl |
Try ssl |
Uninstall/reboot/reinstall client |
Uninstall/reboot/reinstall client |
|
Must have anti-virus software with real-time protection installed. Recommendations to install https://security.psu.edu/education-training/anti-virus/ |
If the above steps are unsuccessful, please attach the GP logs to the ticket and provide all details prior to escalating.
Article Body
Click on an error message below to jump to the associated description and other information:
- Authentication Failed -- Please contact the administrator for further assistance, Error code: -1
- Connection Failed -- You are not authorized to connect to GlobalProtect Portal.
- Authentication Failed -- Enter login credentials, Error -- Incorrect username or password
- Connection Failed -- Failed to get default route entry
- Connection Failed -- Could not connect to the GlobalProtect gateway. Please contact your IT administrator
- Connection Failed -- VPN connection could not be established. Please restart your computer to try again.
- Connection Failed -- Failed to find the PANGP virtual adapter interface
- Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
- Connection Failed -- The virtual adapter was not set up correctly due to a delay. GlobalProtect will try again soon. If the issue persists, please restart your system.
- Connection Failed -- The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect
- Connection Failed -- Failed to verify certificate
- Connecting... -- Still Working...
- Web Login Service - Stale Request
- Script Error - An error has occurred in the script on this page.
- Blank "GlobalProtect Login" window
- Mac: Reoccuring requests to enter password
Authentication Failed
Please contact the administrator for further assistance
Error code: -1
Display
Description
User has not been provisioned by their local Unit IT for GlobalProtect VPN use.
Resolution
User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to user's local Unit IT Assignment Group
Connection Failed
You are not authorized to connect to GlobalProtect Portal.
Display
Description
User has not been provisioned by their local Unit IT for GlobalProtect VPN use.
Resolution
User's local IT Unit must provision the user in the Unit's appropriate EAD security group for authentication to GlobalProtect VPN.
Open or reassign a SNow Incident to user's local Unit IT Assignment Group
Authentication Failed. Enter login credentials
Error: Incorrect username or password
Display
Description
If this error is present on a Linux host, then the userid may have exceeded 5 incorrect login attempts resulting in the account being locked.
Resolution
- IT support staff: Open a ServiceNow INCIDENT ticket and assign to the "Firewall and Security Team" assignment group.
- FaST: This user id will need to be unlocked in the active member of the GPFW cluster. Device>Authentication Profile>"RADIUS-Auth-Profile-Name">unlock(click on user ID and answer prompt) example auth profile: AP_GPFW-DUO-Radius-GP-AllUsers
Connection Failed
Failed to get default route entry
Display
Description
- In the GlobalProtect Agent GPA logs, The GP client was able to identify the PANGP adapter.
(T5584) 01/25/19 12:07:58:025 Dump (3389): Adapter name: {E0504646-6C44-4B93-AB6B-FCB2F1DBE90C} (T5584) 01/25/19 12:07:58:025 Dump (3390): Adapter friendly name: Local Area Connection 2
- GlobalProtect Agent PanGps logs indicate it has received the default route and changes the registry key accordingly.
(T5584) 01/25/19 12:07:59:026 Dump ( 354): Setting routes... (T5584) 01/25/19 12:07:59:026 Dump (1865): SetRoutes(): Non-SplitTunneling. (T5584) 01/25/19 12:07:59:026 Dump (1869): SetRoutes(): Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\ExclusiveDefaultRoute is 0.
- The same PanGPS logs indicate that the route table is not updated with the entry, and it keeps failing.
(T5584) 01/25/19 12:08:09:086 Error(1897): SetRoutes: GetRouteTableEntry(10.150.16.143) failed (T5584) 01/25/19 12:08:09:086 Error( 356): Error setting routes (T5584) 01/25/19 12:08:09:086 Error( 235): ProcMonitor: SetupNetwork() failed
Resolution
- In Windows cmd, run > sc delete PanGPS >
- Remove the following key - HKEY_CURRENT_USER\Software\Palo Alto Networks
- Remove the following key - HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks
- Delete the following folder/directory - C:\Program Files\Palo Alto Networks >
- Delete the following folder C:\Users\User\AppData\Local\Palo Alto Networks
- Uninstall the 3rd party VPN softwares and other softwares which can deny the route table modification.
- Reboot
- Reinstall the GP software.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWeCAO
Connection Failed: Could not connect to the GlobalProtect gateway. Please contact your IT administrator
Display
Description
This error message may be presented in one of these scenarios:
- The wrong gateway is attempting to be connected to from the wrong location (e.g. "Faculty/Staff" or "Student" gateway when on-campus)
- The installation of the GlobalProtect agent did not complete correctly or has been corrupted since the original installation and a dependent resource is not available(e.g. the GlobalProtect virtual adapter)
Resolution
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Confirm that WMI service is running
Connection Failed -- VPN connection could not be established. Please restart your computer to try again.
Display
Description
The PANGP Virtual Ethernet Adapter is not present. The ethernet adapter may be missing due to a corrupt or incomplete installation, or due to the ethernet adapter being removed since the GlobalProtect agent was previously installed. The PANGP Virtual Ethernet Adapter should be found at Control Panel\Network and Internet\Network Connections
Resolution
Option A - Reinstall the GlobalProtect agent overtop of the current install.
- Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/ - Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
- Verify that the PANGP Virtual Ethernet Adapter is now present.
Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Verify that the PANGP Virtual Ethernet Adapter is now present.
Connection Failed -- Failed to find the PANGP virtual adapter interface
Display
Description
The PanGPS service is not running, or the GlobalProtect agent install is otherwise corrupt.
Resolution
Option A - Reinstall the GlobalProtect agent overtop of the current install.
- Download and install the currently supported GlobalProtect agent version from the Penn State Software Request website
https://softwarerequest.psu.edu/ - Reboot the computer to complete the install and ensure that the normal service startup methods are invoked
Option B - Perform a manual uninstall and cleanup of the GlobalProtect agent installation.
- Stop the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Service Status: Stop
- Disable the Windows Management Instrumentation (WMI) service
- Control Panel\System and Security\Administrative Tools\Services\Windows Management Instrumentation > Startup Type: Disable
- Delete directories and files
- "C:\Windows\System32\wbem\Repository" > delete all files contained in this directory
- Delete Registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect
- HKEY_USERS\ <ALL-REGISTRY-KEYS> \SOFTWARE\Palo Alto Networks\GlobalProtect
- Un-install GlobalProtect
- Control Panel\Programs\Programs and Features>GlobalProtect>Uninstall
- Make sure that the virtual adapter in not present in the Network adapter settings - Control Panel\Network and Internet\Network Connections
- Reboot the machine
- Reinstall GlobalProtect with admin privileges
- Confirm that WMI service is running
Connection Failed -- Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
Display
Description
Investigating
Resolution
TBD
Connection Failed -- The virtual adapter was not set up correctly due to a delay. GlobalProtect will try again soon. If the issue persists, please restart your system.
Display
Description
Possible WMI repository corruption due to Windows 10 21H1 update
Resolution
Option A - Restart computer
Option B - Reset WMI repository
- Open command prompt with administrative credentials
- From command prompt, run "winmgmt /resetrepository"
- Reboot computer
- Connect to the PSU VPN via GlobalProtect agent
***This solution has very limited exposure. Please contact firewall-team@psu.edu if you utilize this solution, either successfully or not, as we would like to keep our content accurate and up to date.
Connection Failed -- The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect
Display
Description
The user's computer is not able to reach the gateway. This may be due to several reason, but is likely an issue with the user's home network or ISP.
Consider investigating these specific items to identify and resolve the issue.
- The user's computer is configured to use a proxy server that is not permitting the communication to the GlobalProtect gateway
- The user's home network router may be filtering or blocking the needed IPSec communications to the GlobalProtect gateway.
Resolution
Identify and remove the system, device, or configuration that is preventing the flow of the IPSec communications.
Connection Failed -- Failed to verify certificate
Display
Description
The user is able to successfully authenticate and connect to the GlobalProtect (GP) Portal. However, after retrieving the latest configuration from the portal, the GP agent is unable to establish a VPN tunnel to the GlobalProtect gateway. Because of a cached portal configurations, the user may not even be presented with a login prompt. Regardless, the same "Failed to verify certificate" error message will be presented to the user.
A network-based system or software installed on the affected computer is intercepting the SSL certificate from the GP gateway, which is intended to be used by the GP agent, and preventing a successful connection to the gateway. The SSL interception is likely not a malicious action, rather a by-product of a security software agent or enterprise security service at the user's local network. These cases are not uncommon for enterprise networks and enterprise managed computers.
Resolution
The GP agent log bundle will contain information about the device/service that has intercepted the SSL certificate. The Cyber Network Defense group can analyze this log bundle to help identify the conflicting system.
1. Place the GP agent logging to the "Dump" Logging level - KB0017942: How do I change the GlobalProtect agent logging level?
2. Attempt a connection to the GP gateway, wait until the Failed to verify certificate error message is observed.
3. Collect the GP agent log bundle - KB0016086: How do I collect the GlobalProtect agent log bundle?
4. Open a new ServiceNow Incident and assign to "Firewall and Security Team" assignment group. Attach the log bundle to the ticket.
Connecting... -- Still Waiting...
Display
Description
The "PanGPS" service did not start correctly, or the installation was not successful.
Resolution
Manually start the "PanGPS" service on a Windows computer. If the service is already running or is not able to be manually started, then the GlobalProtect VPN agent must be reinstalled. Be sure to uninstall the GlobalProtect agent, reboot the computer, install the GlobalProtect agent, then reboot the computer again.
The latest PSU preferred GlobalProtect VPN agent can be downloaded from softwarerequest.psu.edu
Web Login Service - Stale Request
Display
Description
The GlobalProtect Remote Access VPN utilizes Penn State's WebAccess system for authentication. The authentication workflow loads the WebAccess authentication page into a browser kiosk-mode window. The connection to the WebAccess login page is initiated from the computer's network interfaces. This traffic is not redirected through, tunneled through, or initiated from the GlobalProtect VPN systems. So, issues connecting to WebAccess are in the path between the originating computer and the WebAccess system located in Penn State's University Park or Hershey Data Centers.
Resolution
- Verify that there are no local browser or system issues on the originating computer
- Ensure the ability to load https://webaccess.psu.edu in a web-browser, and authenticate with PSU credentials including DUO 2FA.
- Ensure the ability to load https://login.microsoftonline.com in a web-browser. Enter PSU username in format of userid@psu.edu (ex. abc123@psu.edu) and ensure that the page redirects to webaccess.psu.edu
- Verify no local LAN, WiFi, or ISP connectivity issues are present on the originating computer side of the connection. (ping, MTR, Win-MTR, etc. to various Internet destinations)
- Verify a reliable and error-free Internet path is available from the originating computer to Penn State's network.(ping, MTR, Win-MTR, etc. to secure-connect.psu.edu)
Script Error - An error has occurred in the script on this page.
Display
Description
The GlobalProtect installer for Windows operating systems includes a browser built-in to the agent to display the PSU WebAccess authentication page. This browser uses Window's Internet Explorer settings, cache, cookies, etc.
The URL shown in the above screenshot may differ to other user's Script Error message
Resolution
Clear the cache in the Internet Explorer browser
- Launch the Internet Explorer browser application
- Open Settings > Internet Options > General tab
- Select Delete... from the Browsing history section
- Unselect Preserve Favorites website data
- Select Temporary Internet files and websites files
- Select Cookies and website data
- Choose Delete at the bottom of the Delete Browsing History window
- Close Internet Explorer, then restart the GlobalProtect connection process
Blank "GlobalProtect Login" window
Display
Description
When attempting to login and connect to the GlobalProtect VPN, a blank "GlobalProtect Login" window is presented to the user instead of the expected WebSSO page.
Resolution
Ensure that JavaScript is enabled in the OS vendor's default browser.(e.g. Internet Explorer or Safari)
Windows:
- Open Internet Explorer
- Navigate to Settings>Internet Options>Security>Custom level...
- Scroll down to the Scripting section
- Select Enable for Active scripting
- Click OK. Then click Yes when prompted Are you sure you want to change the settings for this zone?
- Click OK to close the Internet Options window
macOS:
- Open the Safari web-browser
- Open Safari's preferences
- Navigate to the Security tab
- click to Enable JavaScript at the Web content field
Mac: Reoccurring requests to enter password
Description
When a user attempts to sign-in they are prompted for their password in a continuous loop
Resolution
Update Safari and Reboot computer:
- From the Apple menu in the corner of your screen, choose System Preferences.
- Click Software Update.
- Click Update Now or Upgrade Now:
- Update Now installs the latest updates for the currently installed version.
- Upgrade Now installs a major new version with a new name, such as macOS Big Sur.
How to Get Help with the GlobalProtect Remote Access VPN
If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help:
- Visit the IT Help Portal
- Call us at 814-865-HELP (4357)
- Email us at ITservicedesk@psu.edu