We are facing the following issue with the GlobalProtect client: (client version 5.0.5-28)
When the user downloads the client and logs in for the first time, the user is connected successfully. However, when the user disconnects and connects again, the client takes a long time and then displays this error message: "Connection Failed: Could not connect to the GlobalProtect Gateway. Please contact you IT administrator". Subsequent requests are not successful, only the first connection is successful.
We have observed that in the first attempt, there is no attribute of Framed-IP-Address in the RADIUS packet. However, in subsequent attempts, this packet is present in the requests. Could this relate to some configuration issue on the server side? Or is it some other client-related issue? Any help would be highly appreciated.
Yes, will check when I have access to the console. Another thing to note here is that we are not facing this issue with all users. The users who are configured to authenticate from AD are not facing this issue and are able to login successfully every time. This issue is occurring only with users who are authenticated by RADIUS server.
Perhaps, could this be a problem in the response from the RADIUS server? The RADIUS server logs show authentication successful for these users, but we see multiple Access-Accept responses sent by the RADIUS server. Are there any specific attributes which are required by PA from RADIUS in order to authenticate successfully to the GlobalProtect client? It is strange that only the client is behaving like this but the same RADIUS configuration is working fine for the GlobalProtect web portal.
I am not aware of any special parameters... if this was the case then I would expect all RADIUS auth to fail...
perhaps you could go into more detail re the setup.
on demand, always on... save user credentials... how many gateways... and can I assume you have tested from the CLI the test authentication authentication-profile command...
from the error it seems like gp is authing to the portal but failing on gateway, this can also be confirmed in the logs...
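An added example, not part of the thread: a small RFC 2865 packet parser that reports, for each Access-Request in a capture, whether Framed-IP-Address (attribute type 8) is present, and flags request identifiers that received more than one Access-Accept, the two observations reported above. The sample packets are constructed, and matching replies to requests by Identifier alone is a simplifying assumption.

```python
import struct
from collections import Counter

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address"}  # RFC 2865 types

def parse_radius(pkt: bytes):
    """Parse one RADIUS packet into its code, identifier and attribute values."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]  # a_len includes the 2 header bytes
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(ATTRS.get(a_type, a_type), []).append(pkt[pos + 2:pos + a_len])
        pos += a_len
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}

def summarize(packets):
    """Return (id, Framed-IP-Address or None) per request, and ids with >1 Access-Accept."""
    requests, accepts = [], Counter()
    for raw in packets:
        p = parse_radius(raw)
        if p["code"] == "Access-Request":
            fip = p["attrs"].get("Framed-IP-Address")
            requests.append((p["id"], ".".join(map(str, fip[0])) if fip else None))
        elif p["code"] == "Access-Accept":
            accepts[p["id"]] += 1
    return requests, {i: n for i, n in accepts.items() if n > 1}

def build(code, ident, attrs):
    """Constructed sample packet with a zeroed authenticator (not valid on a real server)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed capture: first login without Framed-IP-Address, reconnect with it
# and with a duplicated Access-Accept.
SAMPLE = [
    build(1, 10, [(1, b"alice")]), build(2, 10, []),
    build(1, 11, [(1, b"alice"), (8, bytes([10, 0, 0, 5]))]),
    build(2, 11, []), build(2, 11, []),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To use it on real traffic, feed it the UDP payloads of the RADIUS packets exported from a capture taken between the firewall and the RADIUS server.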