Global protect "Could not connect to gateway contact your IT administrator"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global protect "Could not connect to gateway contact your IT administrator"

Hi Team,

 

When I'm trying to connect global protect from agent it gives an error "Could not connect to gateway contact your IT administrator".

 

When I dig into debug logs, i found below intersting logs.

 

(T3120) 08/06/19 12:56:14:274 Debug(4388): SetGatewayRoute: GetBestRoute() returns Dest:0.0.0.0 Mask:0.0.0.0 if_index=12 metric1=50
(T3120) 08/06/19 12:56:14:274 Debug(4409): Created gateway route (5.x.x.x) succeeds
(T3120) 08/06/19 12:56:14:275 Error( 244): PsvStartEx() failed
(T3120) 08/06/19 12:56:14:275 Error( 259): StartDriver() failed: -1
(T3120) 08/06/19 12:56:14:275 Debug(5865): UnsetGatewayRoutes: DeleteIpForwardEntry(5.1x.x.x4)
(T3120) 08/06/19 12:56:14:275 Error(2182): EnableVIF() failed
(T3120) 08/06/19 12:56:14:275 Debug(2279): failed to create tunnel with gateway s.x.x:2500

 

It is said in article this can be resolved if we reinstall the global protect after deleting the palo alto network folder in program files. I tried it but response is same.

 

Currently firewall is running PAN 9.0.2 and GPC 5.0.2. I checked the response in version 4.1.12 but no luck.

 

But some of my other users running windows 10 are able to connect. I'm having this issue with only 4 users.

 

Appreciate your response. 

 

Regards

Venky

 

 

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@Venkatesan_radhakrishnan,

This is usually caused by an incompatability with other software/services installed on the system. Do all laptops have the same software installed, or do they vary slightly?

If that isn't it, reach out to TAC so they can verify that you are actually removing everything that you need to. If memory recalls correctly GlobalProtect doesn't clean up all of the files/registry keys that it installs and this can cause issues with the re-install not actually fixing the issue. 

View solution in original post

@Venkatesan_radhakrishnan My sincere condolences for using CP EPS 😉

Might be, that the Application Firewall blade or Sandblast blocks the GP activities.

We had issues, that SSO with internal GlobalProtect didn't work, because the FDE-Blade installs a Credential Provider in front of GlobalProtect. As we talk about Check Point, they mess things up and the GP credential agent receives only empty users... - unfortunatley it was Win-7 and the order of Credential Providers cannot be defined properly. You might check out the endpoint logs

Best Regards
Chacko

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@Venkatesan_radhakrishnan,

This is usually caused by an incompatability with other software/services installed on the system. Do all laptops have the same software installed, or do they vary slightly?

If that isn't it, reach out to TAC so they can verify that you are actually removing everything that you need to. If memory recalls correctly GlobalProtect doesn't clean up all of the files/registry keys that it installs and this can cause issues with the re-install not actually fixing the issue. 

HI @BPry 

 

Thanks for your reply, I will try regirty uninstaller as last option as suggested and let you know if any luck

 

Regards
Venky

Hi @BPry 

 

Thanks for your comments, This issue got resolved after removing check point disk encryption client in window client machine.

 

But not sure why palo alto GP client was blocked by check point encryption client

Regards

Venky

@Venkatesan_radhakrishnan My sincere condolences for using CP EPS 😉

Might be, that the Application Firewall blade or Sandblast blocks the GP activities.

We had issues, that SSO with internal GlobalProtect didn't work, because the FDE-Blade installs a Credential Provider in front of GlobalProtect. As we talk about Check Point, they mess things up and the GP credential agent receives only empty users... - unfortunatley it was Win-7 and the order of Credential Providers cannot be defined properly. You might check out the endpoint logs

Best Regards
Chacko

HI @Chacko42 

 

Can you let me know which endpoint logs, above shared while starting this topic is endpoint logs from global protect client PANGps.

 

Regards

Venky

@Venkatesan_radhakrishnan: I meant the Check Point logs.

The Endpoint Security Agent got a button in the GUI "show logs" and then, you got a firewall like log and can check, if one of the blades is actively blocking the GlobalProtect activities. Otherwise you can open a case with Check Point TAC to get the thing fixed. Then there will be a new endpoint package soon (or hotfix)

Best Regards
Chacko
  • 2 accepted solutions
  • 73177 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!