
Connection Failed GlobalProtect on a Mac


L1 Bithead

I am having an issue logging into the VPN on my Apple devices. I can connect to the VPN via the Windows laptop, but I cannot on my Apple laptop. I keep receiving this error message on the MacBook Pro: "[Error]: Gateway VPN External Gateway: The network connection is unreachable, or the gateway is unresponsive. Check the network connection and reconnect." I can successfully access the VPN on Windows without any issues, and I am using the same credentials to log in. Has anyone encountered this issue before?

15 REPLIES

L7 Applicator

Not had this error myself, but I assume the login to the portal is OK, or is that failing too and using cached app config for gateway? What happens when you browse to the portal?

Login to the portal is fine. I can type in the portal address in a web browser and it comes up and I can log in on the browser without any issues. I can also access the VPN on Windows without any issues either. The error message populates when I sign onto any Apple products via the VPN software.

Does the pangps log file show any useful info? It would be worth checking if GP to portal is OK then fails on gateway only. Any certs involved here? Also, I assume you have no gateway restrictions for Windows only on firewall gateway settings.

This is in the logs:

470-T12807 06/16/2021 15:49:57:142 Debug( 458): error detail is Server cert verification failed
P 470-T12807 06/16/2021 15:49:57:142 Info ( 281): Session <__NSURLSessionLocal: 0x7f9591320780> set to (null)
P 470-T12807 06/16/2021 15:49:57:142 Debug( 653): GetHttpResponse: m_errorDetails is Server cert verification failed.
P 470-T12807 06/16/2021 15:49:57:142 Debug(3633): Login to gateway **.**.**.** without ipv6
P 470-T12807 06/16/2021 15:49:57:142 Debug(5564): Show Gateway VPN External Gateway: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
P 470-T12807 06/16/2021 15:49:57:142 Debug(3890): Failed to pre-login to the gateway **.**.**.**
P 470-T12807 06/16/2021 15:49:57:142 Info (2678): Failed to retrieve info for gateway **.**.**.**
P 470-T12807 06/16/2021 15:49:57:142 Debug(2689): tunnel to **.**.**.** is not created.
P 470-T12807 06/16/2021 15:49:57:142 Debug(4095): Create tunnel failed for manual gateway **.**.**.** using IPv4.
P 470-T12807 06/16/2021 15:49:57:142 Debug(6849): --Set state to Disconnected
P 470-T12807 06/16/2021 15:49:57:144 Debug(4111): On demand mode. Skip setting network discover event.
P 470-T12807 06/16/2021 15:49:57:144 Debug(11159): SetVpnStatus called with new status=0, Previous Status=0
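
Added example, not part of the original thread or of GlobalProtect: a Python triage helper for PanGPS excerpts like the one above. It pairs each gateway pre-login failure with the last error detail logged on the same thread, so a TLS trust failure is not mistaken for the "unreachable" message the client displays. The regexes, verdict labels and the second sample thread are assumptions built from the line shape shown in the post.

```python
import re
from collections import namedtuple

# Line shape taken from the PanGPS excerpt above (leading "P " is optional):
# "P <pid>-T<tid> MM/DD/YYYY HH:MM:SS:mmm Level(<n>): message"
LINE = re.compile(
    r"^(?:P\s+)?(?P<pid>\d+)-T(?P<tid>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<level>\w+)\s*\(\s*\d+\):\s*(?P<msg>.*)$"
)
DETAIL = re.compile(r"(?:error detail is|m_errorDetails is)\s+(.+?)\.?$")
PRELOGIN_FAIL = re.compile(r"Failed to pre-login to the gateway (\S+)")

Finding = namedtuple("Finding", "when gateway detail verdict")

def triage(lines):
    """Pair each gateway pre-login failure with the last error detail
    logged on the same process/thread and classify the likely cause."""
    last_detail = {}   # (pid, tid) -> most recent error detail text
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue   # skip wrapped or foreign lines
        key, msg = (m["pid"], m["tid"]), m["msg"]
        d = DETAIL.search(msg)
        if d:
            last_detail[key] = d.group(1)
            continue
        f = PRELOGIN_FAIL.search(msg)
        if f:
            detail = last_detail.pop(key, None)
            # tls-trust: check the gateway cert chain and SAN on the client;
            # no-detail: nothing was logged, so look at the network path.
            verdict = ("tls-trust" if detail and "cert verification failed" in detail.lower()
                       else "other" if detail else "no-detail")
            findings.append(Finding(f"{m['date']} {m['time']}", f.group(1), detail, verdict))
    return findings

# Constructed sample: the first thread mirrors the excerpt above (gateway masked
# as on the page); the second thread is invented to show a failure with no detail.
SAMPLE = """\
P 470-T12807 06/16/2021 15:49:57:142 Debug( 458): error detail is Server cert verification failed
P 470-T12807 06/16/2021 15:49:57:142 Debug( 653): GetHttpResponse: m_errorDetails is Server cert verification failed.
P 470-T12807 06/16/2021 15:49:57:142 Debug(3890): Failed to pre-login to the gateway **.**.**.**
P 470-T12999 06/16/2021 15:52:10:007 Debug(3890): Failed to pre-login to the gateway 192.0.2.20
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```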

Do you see a portal login earlier in the logs? Are the portal and gateway on the same box and using the same TLS profile?

Is it possible to Wireshark to see if the gateway is responding at all?

Not much help... sorry.

L1 Bithead

I believe this is related to the certificate for GlobalProtect. Are you using MacBook OS 15.x Big Sur? If yes, GP probably did not support this one.

L0 Member

I had this issue as well and fixed it by adding a Host Name = "DNS" from Subject Alternative Name (SAN) field in the certificate attributes.

PCNSC
PCNSE

L6 Presenter

@Mick_Ball could be having the idea that you have pushed the CA cert for GlobalProtect on the Windows devices using GPIO AD directory, but maybe you have not done this for Mac using Jamf Pro or another Mac management tool, and the Mac does not trust the GlobalProtect gateway?

There was also an option for GlobalProtect to ignore the portal invalid cert (there is no such option for the gateway), and if enabled, even if you have the portal and gateway on the same place using the same cert, this could explain the issue.

Also, just in case, push the system extensions for Mac:

https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-rele...

Also, if the gateway port is blocked, I used this workaround before:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0

L0 Member

Hello, I encountered the same problem. Did you solve this problem?

Hello, can you tell me how to add Host Name in the GlobalProtect certificate attributes, and where the GlobalProtect certificate is, please?

Hi,

Did someone solve this issue? Any specific instructions will be appreciated.

Thanks

I ran into the same problem. I tested by configuring the certificate Host Name = "DNS" and manually installing the certificate on iPhone and macOS.
After installing the certificate, I was able to use GlobalProtect as usual.

Hello, excuse me, can you tell us how you did that, please? I don't get the method.

Hello, excuse me, how did you configure the certificate Host Name = "DNS" and manually install the certificate?
