Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-27-2018 03:44 AM - edited 05-27-2018 03:49 AM
The company I work for recently roled out paloalto vpn service for users to connect via VPN
However one frustration most if not all users have observed is the initial connection via GlobalProtect client.
Across all client versions and all OS's (Windows, MacOs) one thing which is causing frustration has been observed.
* Instigating the connection from the client, a push notification is sent to Okta Verify running on a phone
* The connection is accepted from the phone and the GlobalProtect client then begins to connect
* More often than not, the connecting window will sit there and eventually time out without a sucesfful connection
* Hitting disconnect and re-connect several times eventually allows a sucesfull connection
Again this issue is prevelent across all OS platforms. so troubleshooting on local machines is somewhat mute
Does anyone have any troubleshooting tips? From the client side, this happens across the latest and older client versions
05-27-2018 05:26 AM
Hi @carterg
Actually there are a lot of variables here that could lead to problems. From your description I assume that your company does use on-demand mode in combinarion with MFA authentication from Okta.
Anyway I also see that you use Global Protect Version 4.1.0. At first I would recommend to update to 4.1.1 before you waist time with troubleshooting something that may be already fixed (at least one bug sounds similar to your problem https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-release-notes/gp-a... ).
The update is a recommendation, what you need to check are the global protect logs on the client for errors and also lower severity entries --> PANGPS and PANGPA Logs.
You also mentionned that the problem also exists on older versions: whichbones did you test?
05-27-2018 09:25 AM - edited 05-27-2018 09:27 AM
Hi,
Thanks for the quick response, and on a Sunday! 🙂
I cant comment on the different versions tested, however will roll out 4.1.1 and do some more testing.
Thanks again for the fast reply.
edit: and yes, MFA OKTA verification is in use across the company
05-27-2018 10:26 AM
Another troubleshooting observation to add to the mix, is that a first time connection seems to be more viable when for example connected to a public wif
For example here in the uk we have public offerings such as
https://service.thecloud.net/service-platform
Again when connected to these, more often that not, a VPN connection via the GlobalProtect client is usually connected within a few seconds after OKTA mfa has taken place. Have also observed similar reliabilty when connected to a Mobile Phone tethered connection.
Discussions concerning the client version aside, this raises an interesting point, that WIFI / Network config to have some bearing on again the reliabilty of a first time connection...
05-27-2018 01:04 PM
It also depends on the communication allowed on the specific networks.
I would also recommend to not hesitate to get TAC involved. If it really is another issue in globalprotect you want them involved as soon as possible (I myself configured a globalprotect setup for a customer some months ago. I only used supported configurations - the problem was that using all these 3 features together isn't supported yet. This we found out after two months of troubleshooting with TAC - and the fix will be added (hopefully) in the next major release...)
11-06-2018 12:19 PM
Its been some time since I posted this issue, and several version of the gp client later... still the same problem
Anyone else up for a stab at troubleshooting authentication timeouts?
We have an internal yammer discussion thread on this very issue, and frequently get people complaining about this
Usual generic troubleshooting tips we offer are...
*Disconnect and re-connect several times, to try and coax this connection
* Refresh the connection (option in the settings)
* Select different gateway (Capita TCP / Capita THN)
* Try changing settings between
gp.capita.co.uk
gp-a.capita.co.uk
gp-b.capita.co.uk
* Try changing your laptops DNS settings (last resort this)
Some common ones are
GOOGLE
8.8.8.8
8.8.4.4
or a less known DNS 1.1.1.1
Try a newer version of the global protect client
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
