Some users not able to connect to GlobalProtect

L1 Bithead

Some of my users get the message stating their GlobalProtect client was unable to contact the gateway immediately after authenticating on their Duo MFA app. The interesting part is I have not been able to reduce this down to a machine problem. I have both an iMac and a Windows 10 laptop on my desk here for testing. I can sign into each of these devices with my user account and then successfully connect to the GlobalProtect gateway with my credentials. I can then disconnect from GlobalProtect, and while still signed into those machines with my user account, have the problematic user try to connect to GlobalProtect, upon which they get the same message about the gateway being unavailable.

The fact that the only thing which has changed in this scenario is which user account is being used in the GlobalProtect client is baffling. I have already opened a case with Palo in the past about this, but they just kept wanting to blame missing updates on the Windows 10 clients. This still has not addressed the above scenario I detailed. The machine and the interactively signed-in user profile have not changed.

Both my account and the problem account are members of the Domain Users security group and have their primary group membership set to Domain Users. I am not filtering connections by security group as I have not been able to successfully configure that, so all Active Directory users are allowed to connect at this time. Both my account and the problem account use Duo MFA.

I am at a loss trying to figure out what could possibly cause this problem at the account level.  The firewall's GlobalProtect log only shows these 3 entries for the problem user (parsed down for brevity):

Status   Stage          Event              Auth Method
success  login          portal-auth        radius
success  login          portal-gen-cookie  radius
success  configuration  portal-getconfig   radius

L1 Bithead

For further information, I've found these entries from the GPService log on the client machine when the user with the login problem tries connecting:

(P4928-T7320)Debug(3197): 12/22/22 14:12:05:284 GetHttpsResponse error is winhttpObj, error! ipaddress gpportal.msun.edu
bRetryWithoutCert is 0, bClientCertNeeded=0
(P4928-T7320)Debug(9740): 12/22/22 14:12:05:284 Portal config is NULL.
(P4928-T7320)Debug(9742): 12/22/22 14:12:05:284 Portal login issue
(P4928-T7320)Debug(8686): 12/22/22 14:12:05:284 Failed to get portal config from portal gpportal.msun.edu.

Additionally, there are several entries at various times which talk about a failure to read a cached portal configuration file.  Again, none of these errors occur when I use my user credentials in the GP Client.
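
Added example, not part of the original posts and not Palo Alto Networks code: a small parser for GPService log lines in the format quoted above, which folds unprefixed continuation lines into the preceding entry and groups the portal-config failure messages into one event per process, thread and timestamp, so a failing user's session can be compared with a working one. The field names, the month/day/year date order and the last sample line are assumptions.

```python
import re
from datetime import datetime

# Line layout taken from the entries quoted in the post:
# (P<pid>-T<tid>)<Level>(<source line>): MM/DD/YY HH:MM:SS:mmm <message>
LINE = re.compile(
    r"^\(P(?P<pid>\d+)-T(?P<tid>\d+)\)(?P<level>\w+)\s*\(\s*(?P<src>\d+)\):\s+"
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(?P<msg>.*)$")
# Failure strings that appear in the post's log excerpt.
MARKERS = ("GetHttpsResponse error", "Portal config is NULL",
           "Portal login issue", "Failed to get portal config")
PORTAL = re.compile(r"from portal (\S+?)\.?$")

# The four entries quoted in the post, plus one constructed unrelated line.
SAMPLE = """\
(P4928-T7320)Debug(3197): 12/22/22 14:12:05:284 GetHttpsResponse error is winhttpObj, error! ipaddress gpportal.msun.edu
bRetryWithoutCert is 0, bClientCertNeeded=0
(P4928-T7320)Debug(9740): 12/22/22 14:12:05:284 Portal config is NULL.
(P4928-T7320)Debug(9742): 12/22/22 14:12:05:284 Portal login issue
(P4928-T7320)Debug(8686): 12/22/22 14:12:05:284 Failed to get portal config from portal gpportal.msun.edu.
(P4928-T7001)Debug(100): 12/22/22 14:12:06:001 constructed unrelated message
"""

def parse_gpservice(text):
    """Return one dict per log entry; unprefixed lines extend the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["pid"], e["tid"], e["src"] = int(e["pid"]), int(e["tid"]), int(e["src"])
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%y %H:%M:%S:%f")
            entries.append(e)
        elif entries:  # continuation such as "bRetryWithoutCert is 0, ..."
            entries[-1]["msg"] += " " + line
    return entries

def portal_failures(entries):
    """Group failure entries into events keyed by (pid, tid, timestamp)."""
    events = {}
    for e in entries:
        if any(k in e["msg"] for k in MARKERS):
            ev = events.setdefault((e["pid"], e["tid"], e["ts"]),
                                   {"portal": None, "messages": []})
            ev["messages"].append(e["msg"])
            hit = PORTAL.search(e["msg"])
            if hit:
                ev["portal"] = hit.group(1)
    return events
```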
