https://live.paloaltonetworks.com/t5/globalprotect-discussions/palo-alto-global-protect-clients-failing-to-connect/m-p/1250467#M7317 <P>We have Global Protect installed on all of our corporate laptops and our users fall into one of two scenarios:<BR />1. They are a remote user; cannot reach the host we have defined for Internal Host Detection and are required to authenticate to the Gateway with DUO.<BR />2. They are an "on-site" and can reach the host we set for Internal Host Detection and Internal Host Detection should disable the Global Protect services.</P> <P>The issue we are seeing is that "on-site" users are able to reach the host we have set for Internal Host Detection but are being prompted to authenticate to the Global Protect Gateway to establish the tunnel. The Internal Host detection should be preventing this as I understand it.</P> <P>&nbsp;</P> <DIV>The issue was observed only for a small subset of users, not all on‑site users.</DIV> <DIV><BR />The impact is that "on-site" users are not enrolled for our Gateway Authentication via Duo and will not be able to authenticate. In the field this shows that at times the host will successfully detect it is Internal and then intermittently fail to detect and prompt for a certificate and credentials to Authenticate to the tunnel.</DIV> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 Mar 2026 18:38:22 GMT R.Singh384240 2026-03-18T18:38:22Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/palo-alto-global-protect-clients-failing-to-connect/m-p/1250467#M7317 <P>We have Global Protect installed on all of our corporate laptops and our users fall into one of two scenarios:<BR />1. They are a remote user; cannot reach the host we have defined for Internal Host Detection and are required to authenticate to the Gateway with DUO.<BR />2. They are an "on-site" and can reach the host we set for Internal Host Detection and Internal Host Detection should disable the Global Protect services.</P> <P>The issue we are seeing is that "on-site" users are able to reach the host we have set for Internal Host Detection but are being prompted to authenticate to the Global Protect Gateway to establish the tunnel. The Internal Host detection should be preventing this as I understand it.</P> <P>&nbsp;</P> <DIV>The issue was observed only for a small subset of users, not all on‑site users.</DIV> <DIV><BR />The impact is that "on-site" users are not enrolled for our Gateway Authentication via Duo and will not be able to authenticate. In the field this shows that at times the host will successfully detect it is Internal and then intermittently fail to detect and prompt for a certificate and credentials to Authenticate to the tunnel.</DIV> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 Mar 2026 18:38:22 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/palo-alto-global-protect-clients-failing-to-connect/m-p/1250467#M7317 R.Singh384240 2026-03-18T18:38:22Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/palo-alto-global-protect-clients-failing-to-connect/m-p/1250473#M7318 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/433906391">@R.Singh384240</a>&nbsp;,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P data-end="1386" data-start="1300">Could you share the <STRONG data-end="1334" data-start="1320">PanGPS.log</STRONG> from an affected user while the issue is occurring?</P> <P data-end="1386" data-start="1300">&nbsp;</P> <P data-end="1662" data-start="1388">I’d first like to confirm whether IHD is succeeding consistently during the failure. In the logs, there may be <STRONG data-end="1541" data-start="1529">DnsQuery</STRONG> entries and return codes that can help show whether the client is intermittently failing to identify itself as internal.</P> <P data-end="1662" data-start="1388">&nbsp;</P> <P data-end="1722" data-start="1664">Also, could you confirm a couple of configuration details:</P> <P data-end="1722" data-start="1664">&nbsp;</P> <P data-end="1722" data-start="1664">Do you have any internal gateways configured?</P> <P data-end="1722" data-start="1664">Is the app set to Always-On?</P> <P data-end="1722" data-start="1664">&nbsp;</P> <P data-end="2077" data-start="1811">I ask because internal gateways are optional. If IHD succeeds, the client can either connect to an internal gateway if one is configured, or simply remain in an internal state without bringing up the external VPN tunnel.</P> <P data-end="2077" data-start="1811">&nbsp;</P> <P data-end="2555" data-start="2079">If Always-On is enabled, there is also a documented behavior where, if a user moves from an external network back to the internal network before the Automatic Restoration of VPN Connection Timeout expires, GlobalProtect may restore the last known external gateway without re-running network discovery immediately. In that case, having the user select Refresh Connection / Rediscover Network can help force a new IHD check.</P> <P data-end="2555" data-start="2079">&nbsp;</P> <P data-end="2788" data-start="2557">If the logs show that IHD itself is working normally, then it may be worth testing whether reducing or setting the Automatic Restoration of VPN Connection Timeout to 0 changes the behavior.</P> <DIV id="tinyMceEditor_12e026e7fdb516JayGolf_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>&nbsp;</P> Wed, 18 Mar 2026 22:54:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/palo-alto-global-protect-clients-failing-to-connect/m-p/1250473#M7318 JayGolf 2026-03-18T22:54:18Z