09-22-2025 05:30 AM - edited 09-22-2025 05:38 AM
Hello Community,
I would like to ask for your guidance on an issue I experienced.
Environment:
2x PA-820 firewalls in active/passive HA cluster
PAN-OS 10.2.13-h5 (upgrade to 11.1.10-h1 planned soon)
Internal GlobalProtect Gateway configured on loopback interface
Issue:
Yesterday, the GlobalProtect Gateway on the active firewall suddenly stopped responding. We initially suspected a certificate issue because the GlobalProtect client displayed this error:
"Could not verify the server certificate of the gateway. If the issue persists, contact your administrator."
However, further checks confirmed that the firewall had simply stopped sending any return packets on the loopback interface hosting the Gateway.
Attempting to access the portal/gateway via a browser also failed.
Failing over to the passive firewall immediately restored access.
What has been done so far:
Restarted the problematic firewall and failed back → everything returned to normal.
Generated a TSF before rebooting (available for analysis).
Has anyone seen similar behavior where the GP Gateway stops responding on the loopback?
Beyond the KB steps (process restarts), what additional troubleshooting steps would you recommend (logs to review, debug commands, checks for known bugs, etc.)?
Could this be tied to a process crash, a certificate handling bug, or something else in 10.2.13-h5?
Any input on how to dig deeper or confirm the root cause would be greatly appreciated.
Thanks in advance,
10-07-2025 09:21 AM - edited 10-07-2025 09:25 AM
I have an extremely similar environment with a similar issue. Single PA-820 on 10.2.13-h5 with GP on loopback, with GP clients on 6.2.7. Certain users will get the certificate issue and, at first thinking the certificate was the problem, I dove into troubleshooting that specifically. Upon several attempts at any fix I could find, the only solution was uninstalling and reinstalling the GP client. My support partner also could not find any solution, and we both agreed that, to save the headache, reinstalls would serve as a workaround for now. I don't believe any of the logs showed the firewall at fault and only certain users were affected while others connect flawlessly, so my issue seems to differ from yours in that regard. I only started having this issue on 10.2.13-h5 with newer GP clients (6.2.4+), and seeing that you have a different, albeit similarly adjacent, issue, it may be a bug within this PAN-OS release. If you find a solution, let us know; I would be interested in learning more!
Also, a word of caution - I tried 11.1 on my PA-820 and it ran like absolute garbage. The release I used entirely broke my logging on the firewall. All syslog, ftp, and snmp simply stopped working without even support being able to restore it and suggested it was an 11.1 issue... I downgraded to 10.2 shortly after. I'd advise anyone to run 10.2 for as long as you can! Granted, however, this was a preferred release from ~1 year ago so perhaps they've cleaned it up by now. I'm dreading the EOL for 10.2 and the inevitable switch to 11.1.