Troubleshooting Global Protect

Introduction

This article is going to help you troubleshoot a few common issues we see with Global Protect. This will cover some common issues like certificate errors, login errors, and more cumbersome issues pertaining to the installation or removal of the application. Find the section below that pertains to your issue to learn more.  

Cannot Install or Remove Global Protect

 This is one of the more complicated issues to fix. There may be times where an old version of Global Protect may be installed and you are required to update it and may run into issues. Here are a couple of scenarios.

Scenario 1 - Automatic Update Fails or Corrupted Installation

 When a client with an older version of Global Protect connects to our firewall, the firewall automatically updates the client to the compliant version. Sometimes, if this update is canceled or does not finish properly, the installation can become corrupt. When you attempt to reinstall it, the installation fill fail because the cached network location points to MDT. You will have to find the Global Protect registry key and remove the network location and re-run the installation. Here is how you can do that:

  1. Run regedit.msc.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products and find "GlobalProtect" in the list.
  3. Take a backup and delete the entry.
  4. Reboot and re-install Global Protect.


Here are some online resources:


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNGHCA2

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmgACAS


Scenario 2 - Automatic Update Fails  

Certificate Error

Global Protect clients establish trust to the VPN via an SSL certificate. If the connecting user is getting a certificate error, ensure that the portal address on Global Protect is set to gp.royalelect.com and not the IP address. 

Global Protect Just Loads

Global Protect is tied to Duo for MFA and there are a couple of moving parts. Here are a couple of scenarios.


Scenario 1  - Global Protect is Stuck at "Connecting"

Global Protect is protected by Duo for MFA. When the user connects to the VPN, ensure the user is completing the MFA challenge. When users authenticate, they should be getting a Duo Push to their devices. Make sure they are approving the request. 


Scenario 2 - User Is Not Getting The Duo Push

If after connecting to the VPN, the user is not getting the Duo Push, double check the authentication logs in the Duo Admin Portal to verify that the request are not being left without a response. If you do not see the request in the authentication logs, it could indicate that the Duo Authentication Proxy is not running on the AD-Connect server. You can start the service following these steps:


  1. RDP into SAC-IT-01 with your admin account.
  2. In SAC-IT-01, RDP into AD-CONNECT with your admin account.
  3. Run services.msc and start the Duo Authentication Proxy service. 
  4. Have the user authenticate again and check the Duo Admin Portal for the request.


Additionally, check the Duo Admin Portal to ensure that the devices are in the correct order. If the intended device is not listed first, the request will time out.


Scenario 3 - Quick Authentication Failure

If you are getting quick authentication failures, the reason could be because the phone that is set up in Duo is a "generic" phone. Global Protect requires a device that received Duo Pushes, not text message verifications. To fix this, remove the device from the person's Duo account and set it up again. Make sure that they can receive Duo Push verifications.


Scenario 4- The Duo Authentication Proxy is Running and Duo Requests Are Not Going Through

If the Duo Authentication Proxy service is running on the AD-CONNECT server and the Duo Push are still not going through, please escalate this to another senior member. This is how Global Protect and Duo are connected and it's possible that any part of the integration is not working. This can include config issues on the protected application, API issues, firewall configuration issues, or Azure issues. 





  1. User connects to Global Protect with their credentials
  2. The request reaches the firewall and sees there is Radius configuration and sends the request to AD-CONNECT.
  3. The AD-CONNECT server receives the request and looks at its Duo Authentication Proxy configuration. It knows about the Duo cloud for API calls. The credentials that the user entered in Step 1 are forwarded to Active Directory.
  4. Active Directory receives the user's authentication request and verifies that the username and password that was entered are correct. The result of the request will be sent back to AD-CONNECT.
  5. If the authentication request was successful, AD-CONNECT looks at it's Duo Authentication Proxy configuration and sends an API call to Duo. 
  6. Duo receives the request and looks at the authenticating account and send's a push to the phone registered to the user. 
  7. The user get's the Duo Push.
  8. Duo receives the result of the MFA Challenge and forwards it to Global Protect. 
  9. Global Protects is informed about the user's MFA challenge and approves to denied access to the application.
  10. The user experiences access or denial of the application.