Global protect "Could not connect to gateway contact your IT administrator"


Hi Team,

 

When I try to connect GlobalProtect from the agent, it gives the error "Could not connect to gateway contact your IT administrator".

When I dug into the debug logs, I found the interesting logs below.

 

(T3120) 08/06/19 12:56:14:274 Debug(4388): SetGatewayRoute: GetBestRoute() returns Dest:0.0.0.0 Mask:0.0.0.0 if_index=12 metric1=50
(T3120) 08/06/19 12:56:14:274 Debug(4409): Created gateway route (5.x.x.x) succeeds
(T3120) 08/06/19 12:56:14:275 Error( 244): PsvStartEx() failed
(T3120) 08/06/19 12:56:14:275 Error( 259): StartDriver() failed: -1
(T3120) 08/06/19 12:56:14:275 Debug(5865): UnsetGatewayRoutes: DeleteIpForwardEntry(5.1x.x.x4)
(T3120) 08/06/19 12:56:14:275 Error(2182): EnableVIF() failed
(T3120) 08/06/19 12:56:14:275 Debug(2279): failed to create tunnel with gateway s.x.x:2500

 

An article says this can be resolved if we reinstall GlobalProtect after deleting the Palo Alto Networks folder in Program Files. I tried it, but the response is the same.

Currently the firewall is running PAN 9.0.2 and GPC 5.0.2. I checked the response in version 4.1.12 but no luck.

But some of my other users running Windows 10 are able to connect. I'm having this issue with only 4 users.

 

Appreciate your response. 

 

Regards

Venky
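
An added example, not part of the original posts and not Palo Alto Networks code: a small Python triage of the debug lines quoted in the question, reporting per thread whether the gateway route was created before the first error. The line layout is inferred from the excerpt, and reading an error that follows a created route as a local tunnel setup failure is this example's assumption.

```python
import re

# Layout inferred from the excerpt in the post:
# (T<thread>) MM/DD/YY HH:MM:SS:mmm Level(<source line>): message
LINE_RE = re.compile(
    r"^\((?P<thread>T\d+)\)\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>[\d:]+)\s+"
    r"(?P<level>\w+)\(\s*(?P<src>\d+)\):\s*(?P<msg>.*)$"
)

# The lines quoted in the post, copied unchanged (addresses were masked by the poster).
SAMPLE = """\
(T3120) 08/06/19 12:56:14:274 Debug(4388): SetGatewayRoute: GetBestRoute() returns Dest:0.0.0.0 Mask:0.0.0.0 if_index=12 metric1=50
(T3120) 08/06/19 12:56:14:274 Debug(4409): Created gateway route (5.x.x.x) succeeds
(T3120) 08/06/19 12:56:14:275 Error( 244): PsvStartEx() failed
(T3120) 08/06/19 12:56:14:275 Error( 259): StartDriver() failed: -1
(T3120) 08/06/19 12:56:14:275 Debug(5865): UnsetGatewayRoutes: DeleteIpForwardEntry(5.1x.x.x4)
(T3120) 08/06/19 12:56:14:275 Error(2182): EnableVIF() failed
(T3120) 08/06/19 12:56:14:275 Debug(2279): failed to create tunnel with gateway s.x.x:2500
"""

def parse(text):
    """Yield one dict per well-formed log line and skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(text):
    """Per thread: was the gateway route created, and which call failed first?"""
    report = {}
    for ev in parse(text):
        r = report.setdefault(ev["thread"], {"route_created": False, "errors": [],
                                             "first_error": None, "stage": "no error"})
        if "Created gateway route" in ev["msg"] and ev["msg"].endswith("succeeds"):
            r["route_created"] = True
        elif ev["level"] == "Error":
            r["errors"].append(ev["msg"])
            if r["first_error"] is None:
                r["first_error"] = ev["msg"]
                # Assumption of this example: an error raised after the route
                # exists points at local tunnel setup, not at reaching the gateway.
                r["stage"] = ("local tunnel setup" if r["route_created"]
                              else "before route setup")
    return report

if __name__ == "__main__":
    for thread, r in triage(SAMPLE).items():
        print(thread, r["stage"], "| first error:", r["first_error"])
```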

 

 


Accepted Solutions
Cyber Elite

@Venkatesan_radhakrishnan,

This is usually caused by an incompatibility with other software/services installed on the system. Do all laptops have the same software installed, or do they vary slightly?

If that isn't it, reach out to TAC so they can verify that you are actually removing everything that you need to. If memory recalls correctly GlobalProtect doesn't clean up all of the files/registry keys that it installs and this can cause issues with the re-install not actually fixing the issue. 

L4 Transporter

@Venkatesan_radhakrishnan My sincere condolences for using CP EPS ;)

Might be, that the Application Firewall blade or Sandblast blocks the GP activities.

We had issues, that SSO with internal GlobalProtect didn't work, because the FDE-Blade installs a Credential Provider in front of GlobalProtect. As we talk about Check Point, they mess things up and the GP credential agent receives only empty users... - unfortunately it was Win-7 and the order of Credential Providers cannot be defined properly. You might check out the endpoint logs.

Best Regards
Chacko


All Replies

Hi @BPry

Thanks for your reply. I will try the registry uninstaller as a last option, as suggested, and let you know if I have any luck.

 

Regards
Venky


Hi @BPry

Thanks for your comments. This issue got resolved after removing the Check Point disk encryption client on the Windows client machine.

But I'm not sure why the Palo Alto GP client was blocked by the Check Point encryption client.

Regards

Venky


Hi @Chacko42

Can you let me know which endpoint logs? The logs shared above when starting this topic are endpoint logs from the GlobalProtect client PANGps.

 

Regards

Venky

L4 Transporter

@Venkatesan_radhakrishnan: I meant the Check Point logs.

The Endpoint Security Agent has a "show logs" button in the GUI, and then you get a firewall-like log and can check if one of the blades is actively blocking the GlobalProtect activities. Otherwise you can open a case with Check Point TAC to get the thing fixed. Then there will be a new endpoint package soon (or hotfix).

Best Regards
Chacko