GlobalProtect Connection Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect Connection Issue

L2 Linker

The company I work for recently roled out paloalto vpn service for users to connect via VPN

However one frustration most if not all users have observed is the initial connection via GlobalProtect client.

 

Across all client versions and all OS's (Windows, MacOs) one thing which is causing frustration has been observed.

 

* Instigating the connection from the client, a push notification is sent to Okta Verify running on a phone

* The connection is accepted from the phone and the GlobalProtect client then begins to connect

* More often than not, the connecting window will sit there and eventually time out without a sucesfful connection

 

* Hitting disconnect and re-connect several times eventually allows a sucesfull connection

 

Again this issue is prevelent across all OS platforms. so troubleshooting on local machines is somewhat mute

Does anyone have any troubleshooting tips?  From the client side, this happens across the latest and older client versions

version.png

1.png2.png

5 REPLIES 5

L7 Applicator

Hi @carterg

 

Actually there are a lot of variables here that could lead to problems. From your description I assume that your company does use on-demand mode in combinarion with MFA authentication from Okta.

Anyway I also see that you use Global Protect Version 4.1.0. At first I would recommend to update to 4.1.1 before you waist time with troubleshooting something that may be already fixed (at least one bug sounds similar to your problem https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-release-notes/gp-a... ).

The update is a recommendation, what you need to check are the global protect logs on the client for errors and also lower severity entries --> PANGPS and PANGPA Logs.

You also mentionned that the problem also exists on older versions: whichbones did you test?

Hi,

 

Thanks for the quick response, and on a Sunday! 🙂

I cant comment on the different versions tested, however will roll out 4.1.1 and do some more testing.

 

Thanks again for the fast reply.

edit: and yes, MFA OKTA verification is in use across the company

Another troubleshooting observation to add to the mix, is that a first time connection seems to be more viable when for example connected to a public wif 

 

For example here in the uk we have public offerings such as

https://service.thecloud.net/service-platform

 

Again when connected to these, more often that not, a VPN connection via the GlobalProtect client is usually connected within a few seconds after OKTA mfa has taken place.  Have also observed similar reliabilty when connected to a Mobile Phone tethered connection.

 

Discussions concerning the client version aside, this raises an interesting point, that WIFI / Network config to have some bearing on again the reliabilty of a first time connection...

It also depends on the communication allowed on the specific networks. 

  • Is there a captive portal on the network where the users have to login first?
  • Is ipsec allowed or only 443 so GlobalProtect needs some seconds to know that it has to fall back to a TLS tunnel?
  • MTU size on the wifi compared to the mobile network?

I would also recommend to not hesitate to get TAC involved. If it really is another issue in globalprotect you want them involved as soon as possible (I myself configured a globalprotect setup for a customer some months ago. I only used supported configurations - the problem was that using all these 3 features together isn't supported yet. This we found out after two months of troubleshooting with TAC - and the fix will be added (hopefully) in the next major release...)

Its been some time since I posted this issue, and several version of the gp client later... still the same problem

Anyone else up for a stab at troubleshooting authentication timeouts?

 

We have an internal yammer discussion thread on this very issue, and frequently get people complaining about this

Usual generic troubleshooting tips we offer are...

 

*Disconnect and re-connect several times, to try and coax this connection
* Refresh the connection (option in the settings)
* Select different gateway (Capita TCP / Capita THN)
* Try changing settings between

gp.capita.co.uk
gp-a.capita.co.uk
gp-b.capita.co.uk

* Try changing your laptops DNS settings (last resort this)
Some common ones are 

GOOGLE 
8.8.8.8
8.8.4.4
or a less known DNS 1.1.1.1

Try a newer version of the global protect client

  • 7532 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!