This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

[SOLVED] - NGFW The Connection To Global Protect On The IPads Times Out!!

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[SOLVED] - NGFW The Connection To Global Protect On The IPads Times Out!!

DanielS.Romero
L2 Linker

‎12-11-2025 08:11 PM - edited ‎12-11-2025 09:19 PM

Hello team,

I created this post to share my experience resolving recent issues related to GlobalProtect on iPad devices.

We have some users with iPads who attempted to connect to GlobalProtect using SAML-based authentication; however, after the users logged in with their credentials, the GlobalProtect application displayed the following error "Connection Failed or The Connection TimeOut or Timeout Expired", and the iPad lost its internet connection:


GLOBAL PROTECT IPAD CONNECTION TIME OUT

DanielSRomero_1-1765512275788.png
We found the following cause for this behavior (we were using the user login mode):

CAUSE
- GlobalProtect iOS application only supports SAML authentication for on-demand connect method (Manual user-initiated connection) due to Apple VPN framework limitation.

- When Always-on mode is deployed to iOS devices, the Apple device blocks the internet connection and since SAML authentication requires internet, it will not work.

- When using a VPN profile in conjunction with MDM, the onDemandEnabled option behaves the same as the GP "Always-on" mode. Thus, SAML authentication is not supported on iOS devices when a VPN profile is used with onDemandEnabled = 1.
As a solution we create a agent

RESOLUTION
To allow iOS iPhone or iPad to work with Global Protect, we need to have On-demand as the connect method over the Portal, after that, the iPads can now connect without any issue, as shown below:

GLOBAL PROTECT PORTAL CONNECTION METHOD

DanielSRomero_2-1765512424721.png
GLOBAL PROTECT CONNECTED

DanielSRomero_0-1765513227125.png

 

The best way to accomplish the same is to configure a new Agent instance only for IOS devices and move it to the top of the list, 


With the above configuration, the new Agent will take care of iOS iPad and iPhone clients. All other clients will use the second Agent in the list and are not affected.


Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this answer as the solution; it would help me a lot in becoming a CyberElite!


Best Regards,

Daniel Romero
Senior Network/Security Engineer
PANW Partner
GlobalProtect NGFW VM-Series 

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
NGFW
Thumbnail of NGFW
Palo Alto Networks
NGFW
Network Security
View on Product Page
VM-Series
Thumbnail of VM-Series
Palo Alto Networks
VM-Series
Cloud-Native Security
View on Product Page
0 Likes Likes
1 REPLY 1

JayGolf
Community Team Member

‎12-11-2025 08:40 PM

Thank you for sharing @DanielS.Romero ! 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 78 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks