X-Auth IPSEC tunnel for Mobile doesn't work


L0 Member

Hello there:

Recently I enabled IPSEC and X-Auth for the GlobalProtect Gateway, hoping to let my mobile users use remote IPSEC access VPN. But it didn't work, as my iPhone kept showing "user authentication failed". I am pretty sure the configs on both PAN and Mobile are correct. How should I troubleshoot this?

I use Radius and 2FA for GlobalProtect client's authentication. I suspect 2FA was the one causing the authentication failure?



Cyber Elite

Agreed that it would be the external authentication that is your issue.


SSH into your FW and run

tail follow yes mp-log authd.log

and attempt your log in.

You should be able to see where your auth failed.

Recall that the FW is not the one authenticating you; the Radius server is.

So if your Radius server IP and the preshared key are correct (and ensure you are doing PAP exclusively) then it would be the Radius that would be your failing point.



Help the community: Like helpful comments and mark solutions

Hi Steve:

Thanks for the reply.

I did tail the log, it showed as below (log1.jpg).

It turned out that the iPhone was unable to prompt for the 2FA authentication. I was prompted for user account authentication. No matter what I input, OTP or my credentials, it always shows

VPN Connection

Negotiation with the VPN server failed.

Any idea?


Hello again. As you pointed out, there still appears to be a configuration for requiring OTP. If it was sent for LDAP authentication, then it should not be asking for OTP. Why does the screen still show this?

If you disabled this requirement, then I believe the FW would work. If you need OTP, then when you pass whatever OTP or creds, you are sending them TO the Radius server.


You can try to config local authentication (Device ==> Local Users) and create an Auth Profile that points to the Local Users. Do this as a test. If you can authenticate locally, but cannot when you implement Radius, then you would come to the conclusion that it is the external authentication profile that is preventing access.


The best and recommended course is to purchase a Global Protect gateway subscription license; ideally, this is the proper way to implement Global Protect for mobile devices. The XAuth was really for Linux machines.
