GlobalProtect stops to connect

L4 Transporter

Also, when I have done pcaps, the client closes the connection...

L1 Bithead

@ansharma wrote:
Open the certificate presented by the portal. Go to the Details tab and then check the Signature Algorithm. This is where RSASSA-PSS would be, if the certificate is using it. I doubt it though, in your case, as 2 machines are able to connect. We'd need to check the GP agent logs to figure out what's going on.

Could you please explain how to check the certificates? What do you mean by "certificate presented by the portal"?
I can't find in the logs which certificate GlobalProtect tries to use.
In mmc/certificates I can see many root certificates, etc., not expired, with different algorithms.

It works even from my hosted virtual machine under Win8, but it does not work on my root machine (Win10)... and I can't find any difference.

Please, your help could save me from reinstalling my OS... (my admin proposed it)


Cyber Elite


Are you sure your self signed root cert is installed on this client?

(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format
(T17360) 08/02/17 10:44:28:403 Debug( 793): standardized name is
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format
(T17360) 08/02/17 10:44:28:403 Debug( 821): standardized common name is
(T17360) 08/02/17 10:44:28:403 Debug( 942): Check domain name versus CN anme
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.

Did you add this root cert also to the trusted root certs in the portal configuration?
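The log excerpt above already contains the answer to "which root cert is missing": the issuer DN of the gateway certificate. The following is an added example (not code from this thread or from Palo Alto Networks) that parses a constructed copy of that PanGPS excerpt, pulls out the subject and issuer DNs, and reports the issuer CN the client could not find in its trust store. The line-format regex is an assumption based only on the lines quoted here.

```python
import re
from typing import Optional

# Constructed sample: a copy of the agent log excerpt quoted in the thread.
SAMPLE_LOG = """\
(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 942): Check domain name versus CN anme
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.
"""

# Assumed line layout: "(Tnnn) date time Level(code): message"; the level and
# the parenthesised code are separated by optional whitespace in the samples.
LINE_RE = re.compile(
    r"^\((?P<thread>T\d+)\) (?P<date>\S+) (?P<time>\S+) "
    r"(?P<level>\w+)\s*\(\s*(?P<code>\d+)\): (?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one agent log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_dn(dn: str) -> dict:
    """Turn an OpenSSL one-line DN ('/C=AU/O=.../CN=...') into a dict.

    Empty components (the trailing '/' in the subject) are dropped.
    """
    fields = {}
    for part in dn.strip("'").split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze(log_text: str) -> dict:
    """Extract the certificate DNs and the trust-check outcome from a log excerpt."""
    result = {
        "subject": {},
        "issuer": {},
        "root_ca_missing": False,
        "name_check_ok": False,
        "chain_verify_failed": False,
        "disconnected": False,
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("Open_SSL_connection: subject "):
            result["subject"] = parse_dn(msg.split(" ", 2)[2])
        elif msg.startswith("Open_SSL_connection: issuer "):
            result["issuer"] = parse_dn(msg.split(" ", 2)[2])
        elif "Root ca does not exist" in msg:
            result["root_ca_missing"] = True
        elif "Cert name check succeeded" in msg:
            result["name_check_ok"] = True
        elif "Failed to verify gateway's server certificate" in msg:
            result["chain_verify_failed"] = True
        elif msg.startswith("disconnect ssl"):
            result["disconnected"] = True
    return result


def diagnose(result: dict) -> str:
    """Summarise the trust failure in terms an admin can act on."""
    if not (result["chain_verify_failed"] or result["root_ca_missing"]):
        return "No certificate trust failure found in this excerpt."
    issuer_cn = result["issuer"].get("CN", "<unknown issuer>")
    hint = ("Name check passed, so this is purely a trust-chain problem: "
            if result["name_check_ok"] else "")
    return (f"{hint}the client could not build a chain to the issuing CA "
            f"'{issuer_cn}'. Confirm that CA is in the client's Trusted Root "
            f"store and in the portal's Trusted Root CA list.")


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("subject:", r["subject"])
    print("issuer: ", r["issuer"])
    print(diagnose(r))
```

Point the same functions at a real PanGPS.log to see which issuer the agent is looking for; if the issuer CN reported here is not present in the client's Trusted Root store (and in the portal configuration), that is the certificate to distribute.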

Cyber Elite


The same for you: the root cert of your portal/gateway cert is in the local trust store of your computer?

L4 Transporter

@vsys_remo, it is definitely installed via a GPO.


Something interesting I have found during my testing.


If I clean/uninstall the GP client and then download and reinstall it, it does log into the GP portal and grab the config once, which is how it finds the internal gateway. But once that is done, I have all the problems again.


I have pointed my browser at the portal and the gateways to check the certs, and it all looks good.



Cyber Elite

Hi @Alex_Samad


Is your pa3-vpn-gateway somehow private/hidden so that only you (maybe with a local host entry) can connect?

The reason I am asking is because, from my point of view, with the knowledge I have from your posts so far, there is a problem on pa3-vpn-gateway. I am able to resolve your gateway 1, 2 and the portal by DNS, but not gateway 3. In addition, a TLS check shows the correct information for gateway 1, 2 and the portal, and all 3 certs show the earlier mentioned self-signed root cert. But on gateway 3, or rather on the IP where I assume gateway 3 should be, the TLS check fails completely.


In an earlier post you wrote that other clients are working: what rules do you have in place to decide which gateway will be chosen by the clients? All with the same priority, or based on user groups? So the working clients, do they also try to connect to gateway 3?

L4 Transporter

pa3 is an internal gateway; DNS and connectivity are only available while you're on the internal network.

Same rules... that's the annoying thing.

Cyber Elite

Of course ... would have been too easy, if that was the solution :P


At the times of these failing connections: is there something useful, or at least something regarding that client, in the system log of your portal and/or gateway(s)?

Cyber Elite

So a short recap: @Alex_Samad

  • GlobalProtect infrastructure with one portal, 2 external gateways and one internal --> is this a fully distributed setup? Do you use authentication cookies?
  • You have 6 absolutely identical clients but only 4 of them are able to connect --> do all of them connect to the same external gateway?
  • It was all working until day x where 2 clients started having problems with the connection


In addition to this discussion you probably also want to open a TAC case...

L4 Transporter



I have, but it's been nearly 4 weeks without much progress; there seemed to be some life to it here, so...


