Connection Failed GlobalProtect on a Mac

L1 Bithead

I am having an issue logging into the VPN on my Apple devices. I can connect to the VPN via the Windows laptop, but I cannot on my Apple laptop. I keep receiving this error message on the MacBook Pro: "[Error]: Gateway VPN External Gateway: The network connection is unreachable, or the gateway is unresponsive. Check the network connection and reconnect." I can successfully access the VPN on Windows without any issues, and I am using the same credentials to log in. Has anyone encountered this issue before?


L7 Applicator

Not had this error myself, but I assume the login to the portal is OK, or is that failing too and using cached app config for gateway? What happens when you browse to the portal?

Login to the portal is fine. I can type in the portal address in a web browser and it comes up and I can log in on the browser without any issues. I can also access the VPN on Windows without any issues either. The error message populates when I sign onto any Apple products via the VPN software.

Does the PanGPS log file show any useful info? It would be worth checking if GP to portal is OK then fails on gateway only. Any certs involved here? Also, I assume you have no gateway restrictions for Windows only on firewall gateway settings.

This is in the logs:

470-T12807 06/16/2021 15:49:57:142 Debug( 458): error detail is Server cert verification failed
P 470-T12807 06/16/2021 15:49:57:142 Info ( 281): Session <__NSURLSessionLocal: 0x7f9591320780> set to (null)
P 470-T12807 06/16/2021 15:49:57:142 Debug( 653): GetHttpResponse: m_errorDetails is Server cert verification failed.
P 470-T12807 06/16/2021 15:49:57:142 Debug(3633): Login to gateway **.**.**.** without ipv6
P 470-T12807 06/16/2021 15:49:57:142 Debug(5564): Show Gateway VPN External Gateway: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
P 470-T12807 06/16/2021 15:49:57:142 Debug(3890): Failed to pre-login to the gateway **.**.**.**
P 470-T12807 06/16/2021 15:49:57:142 Info (2678): Failed to retrieve info for gateway **.**.**.**
P 470-T12807 06/16/2021 15:49:57:142 Debug(2689): tunnel to **.**.**.** is not created.
P 470-T12807 06/16/2021 15:49:57:142 Debug(4095): Create tunnel failed for manual gateway **.**.**.** using IPv4.
P 470-T12807 06/16/2021 15:49:57:142 Debug(6849): --Set state to Disconnected
P 470-T12807 06/16/2021 15:49:57:144 Debug(4111): On demand mode. Skip setting network discover event.
P 470-T12807 06/16/2021 15:49:57:144 Debug(11159): SetVpnStatus called with new status=0, Previous Status=0

Do you see a portal login earlier in the logs? Are the portal and gateway on the same box and using the same TLS profile?

Is it possible to Wireshark to see if the gateway is responding at all?

Not much help... sorry.

L0 Member

I believe this is related to the certificate for GlobalProtect. Are you using MacBook OS 15.x Big Sur? If yes, probably GP did not support this one.

L0 Member

I had this issue as well and fixed it by adding a Host Name = "DNS" from Subject Alternative Name (SAN) field in the certificate attributes.

Cyber Elite

@MickBall could be having the idea that you have pushed the CA cert for GlobalProtect on the Windows devices using GPO AD directory, but maybe you have not done this for Mac using Jamf Pro or another Mac management tool, and the Mac does not trust the GlobalProtect gateway?

There was also an option for GlobalProtect to ignore the portal invalid cert (there is no such option for the gateway), and if enabled, even if you have the portal and gateway on the same place using the same cert, this could explain the issue.

Also, just in case, push the system extensions for Mac:

https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-rele...

Also, if the gateway port is blocked, I used this workaround before:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0
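An added example, not part of any post in this thread and not Palo Alto Networks code: a small triage script for the PanGPS log excerpt posted above, showing that the "unreachable or unresponsive" gateway message is preceded on the same thread by a server certificate verification failure. The line layout is inferred from that excerpt only; the names `parse` and `triage`, the last sample line and the host `gw.example.test` are constructed for illustration.

```python
import re

# Layout seen in the thread: "P <pid>-T<tid> <date> <time> <Level>(<src line>): <message>"
LINE_RE = re.compile(
    r"^(?:P\s+)?(?P<pid>\d+)-T(?P<tid>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<level>\w+)\s*\(\s*(?P<src>\d+)\):\s*(?P<msg>.*)$"
)
CERT_RE = re.compile(r"Server cert verification failed", re.IGNORECASE)
PRELOGIN_RE = re.compile(r"Failed to pre-login to the gateway (?P<gw>\S+)")

def parse(lines):
    """Yield one dict per line that matches the PanGPS layout; skip the rest."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    """Return one finding per failed gateway pre-login, with the likely cause."""
    findings, cert_seen = [], {}  # cert_seen: thread id -> time of last cert error
    for rec in parse(lines):
        if CERT_RE.search(rec["msg"]):
            cert_seen[rec["tid"]] = rec["ts"]
            continue
        m = PRELOGIN_RE.search(rec["msg"])
        if m:
            cert_ts = cert_seen.pop(rec["tid"], None)
            findings.append({
                "gateway": m["gw"],
                "time": rec["ts"],
                "cause": "tls-cert-verification" if cert_ts else "no-cert-error-logged",
                "cert_error_time": cert_ts,
            })
    return findings

# First four lines are copied from the thread; the last one is constructed for contrast.
SAMPLE = """\
470-T12807 06/16/2021 15:49:57:142 Debug( 458): error detail is Server cert verification failed
P 470-T12807 06/16/2021 15:49:57:142 Debug( 653): GetHttpResponse: m_errorDetails is Server cert verification failed.
P 470-T12807 06/16/2021 15:49:57:142 Debug(3633): Login to gateway **.**.**.** without ipv6
P 470-T12807 06/16/2021 15:49:57:142 Debug(3890): Failed to pre-login to the gateway **.**.**.**
P 470-T12901 06/16/2021 15:52:10:010 Debug(3890): Failed to pre-login to the gateway gw.example.test
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE.splitlines()):
        print(finding)
```

A finding with cause `tls-cert-verification` points at certificate trust or name matching on the client rather than at network reachability.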
