06-11-2026 12:51 AM
As an Ubuntu desktop/laptop admin at my company, I've had my fair share of gripes with GlobalProtect VPN for Linux. So I wanted to share my home-grown fixes for various issues I've encountered.
Yesterday, I encountered another such issue which the developers have kindly created for me.
The issue is that Linux users with a UID > 60000 cannot launch the VPN at all. Why, you might ask? Well, it's because the gpa.service is hardcoded to fail for UID numbers of a certain range.
Here is the systemd service definition:
# /etc/xdg/systemd/user/gpa.service
[Unit]
Description=GlobalProtect VPN client Agent
ConditionUser=!@system
[Service]
Type=simple
ExecStartPre=/usr/bin/bash -c 'if [ $(id -u) -lt 1000 ] || [ $(id -u) -gt 60000 ]; then exit 1; fi'
ExecStart=/opt/paloaltonetworks/globalprotect/PanGPA start
Restart=on-failure
RestartSec=1
WorkingDirectory=/opt/paloaltonetworks/globalprotect
[Install]
WantedBy=default.target

gpa.service is a systemd service run as the target user and is required for the PanGPUI process to launch or to connect to the VPN at all.
As you can see, there is a lovely hardcoded UID range within which the service works as expected.
Unfortunately, if you're like me and use SSSD/LDAP to authenticate/authorise users on your Linux devices, you may have a UID range that's well beyond this limitation.
Despite raising multiple tickets with Palo Alto in the past for similar client issues, I don't trust them to fix it any time soon.
So the solution for now is to write a systemd drop-in unit to override this limitation: https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html
Something like below will simply remove the broken logic altogether.
# /etc/systemd/user/gpa.service.d/override.conf
[Service]
ExecStartPre=

Or you can wipe and replace it with a fixed version:
# /etc/systemd/user/gpa.service.d/override.conf
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/bash -c 'if [ $(id -u) -lt 1000 ]; then exit 1; fi'
Anyway... I might post more solutions to other problems I've encountered if I'm bored and angry enough at GlobalProtect.
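The two UID gates from the post side by side, plus a generator for the second drop-in, as an added example that is not part of the original post or of GlobalProtect. The function names, the `check`/`install` arguments and the `DROPIN_DIR` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: reproduce the UID gate from gpa.service and generate the drop-in.
# Function names and the DROPIN_DIR variable are assumptions made for this example.

DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/user/gpa.service.d}"

# Vendor gate from /etc/xdg/systemd/user/gpa.service: allow 1000..60000 only.
vendor_gate() {
    if [ "$1" -lt 1000 ] || [ "$1" -gt 60000 ]; then return 1; fi
    return 0
}

# Fixed gate from the second override: keep only the lower bound.
fixed_gate() {
    if [ "$1" -lt 1000 ]; then return 1; fi
    return 0
}

# Write the drop-in. The empty ExecStartPre= line clears the list inherited
# from the vendor unit; the line after it becomes the only pre-start check.
write_dropin() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<'EOF'
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/bash -c 'if [ $(id -u) -lt 1000 ]; then exit 1; fi'
EOF
}

# Report how a UID fares under both gates.
report() {
    v=blocked; f=blocked
    vendor_gate "$1" && v=allowed
    fixed_gate "$1" && f=allowed
    echo "$1 vendor=$v fixed=$f"
}

# "check [uid]" reports on a UID (default: current user); "install" needs root.
case "${1:-}" in
    check)   report "${2:-$(id -u)}" ;;
    install) write_dropin "$DROPIN_DIR" && echo "wrote $DROPIN_DIR/override.conf" ;;
esac
```

After installing, each affected user needs `systemctl --user daemon-reload` before restarting the service, and `systemctl --user cat gpa.service` shows the vendor unit followed by the drop-in so you can confirm the override is picked up.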

