08-06-2019 06:13 AM - last edited on 03-20-2020 07:22 AM by arsimon
Hi Team,
When I'm trying to connect global protect from agent it gives an error "Could not connect to gateway contact your IT administrator".
When I dig into debug logs, i found below intersting logs.
(T3120) 08/06/19 12:56:14:274 Debug(4388): SetGatewayRoute: GetBestRoute() returns Dest:0.0.0.0 Mask:0.0.0.0 if_index=12 metric1=50
(T3120) 08/06/19 12:56:14:274 Debug(4409): Created gateway route (5.x.x.x) succeeds
(T3120) 08/06/19 12:56:14:275 Error( 244): PsvStartEx() failed
(T3120) 08/06/19 12:56:14:275 Error( 259): StartDriver() failed: -1
(T3120) 08/06/19 12:56:14:275 Debug(5865): UnsetGatewayRoutes: DeleteIpForwardEntry(5.1x.x.x4)
(T3120) 08/06/19 12:56:14:275 Error(2182): EnableVIF() failed
(T3120) 08/06/19 12:56:14:275 Debug(2279): failed to create tunnel with gateway s.x.x:2500
It is said in article this can be resolved if we reinstall the global protect after deleting the palo alto network folder in program files. I tried it but response is same.
Currently firewall is running PAN 9.0.2 and GPC 5.0.2. I checked the response in version 4.1.12 but no luck.
But some of my other users running windows 10 are able to connect. I'm having this issue with only 4 users.
Appreciate your response.
Regards
Venky
08-06-2019 10:12 AM
This is usually caused by an incompatability with other software/services installed on the system. Do all laptops have the same software installed, or do they vary slightly?
If that isn't it, reach out to TAC so they can verify that you are actually removing everything that you need to. If memory recalls correctly GlobalProtect doesn't clean up all of the files/registry keys that it installs and this can cause issues with the re-install not actually fixing the issue.
08-29-2019 03:05 AM
@Venkatesan_radhakrishnan My sincere condolences for using CP EPS 😉
Might be, that the Application Firewall blade or Sandblast blocks the GP activities.
We had issues, that SSO with internal GlobalProtect didn't work, because the FDE-Blade installs a Credential Provider in front of GlobalProtect. As we talk about Check Point, they mess things up and the GP credential agent receives only empty users... - unfortunatley it was Win-7 and the order of Credential Providers cannot be defined properly. You might check out the endpoint logs
08-06-2019 10:12 AM
This is usually caused by an incompatability with other software/services installed on the system. Do all laptops have the same software installed, or do they vary slightly?
If that isn't it, reach out to TAC so they can verify that you are actually removing everything that you need to. If memory recalls correctly GlobalProtect doesn't clean up all of the files/registry keys that it installs and this can cause issues with the re-install not actually fixing the issue.
08-07-2019 01:23 AM
HI @BPry
Thanks for your reply, I will try regirty uninstaller as last option as suggested and let you know if any luck
Regards
Venky
08-28-2019 10:51 PM
Hi @BPry
Thanks for your comments, This issue got resolved after removing check point disk encryption client in window client machine.
But not sure why palo alto GP client was blocked by check point encryption client
Regards
Venky
08-29-2019 03:05 AM
@Venkatesan_radhakrishnan My sincere condolences for using CP EPS 😉
Might be, that the Application Firewall blade or Sandblast blocks the GP activities.
We had issues, that SSO with internal GlobalProtect didn't work, because the FDE-Blade installs a Credential Provider in front of GlobalProtect. As we talk about Check Point, they mess things up and the GP credential agent receives only empty users... - unfortunatley it was Win-7 and the order of Credential Providers cannot be defined properly. You might check out the endpoint logs
08-29-2019 03:12 AM
HI @Chacko42
Can you let me know which endpoint logs, above shared while starting this topic is endpoint logs from global protect client PANGps.
Regards
Venky
08-29-2019 03:41 AM
@Venkatesan_radhakrishnan: I meant the Check Point logs.
The Endpoint Security Agent got a button in the GUI "show logs" and then, you got a firewall like log and can check, if one of the blades is actively blocking the GlobalProtect activities. Otherwise you can open a case with Check Point TAC to get the thing fixed. Then there will be a new endpoint package soon (or hotfix)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
