🔧 GlobalProtect Client Troubleshooting Guide
1. Common Issues
- GlobalProtect unable to connect to portal or gateway.
- Authentication succeeds at the portal but fails at the gateway.
- GlobalProtect agent connected but unable to access resources.
- Client receives 'Valid client certificate is required' error.
- Client stuck at 'Discovering Network' status.
2. Client-Side Troubleshooting
- Check DNS Resolution: Use nslookup to ensure the portal and gateway FQDNs resolve correctly.
- Verify Connectivity: Use ping and traceroute to test reachability to the portal and gateway.
- Inspect Certificates: Open a web browser and navigate to https://portal-fqdn/global-protect/prelogin.esp and https://gateway-fqdn/ssl-vpn/prelogin.esp to verify SSL certificate validity.
- Review Client Logs: Collect logs from the GlobalProtect client and examine the PanGPS.log file for errors.
- Check Virtual Adapter: Use ipconfig /all (Windows) or ifconfig (macOS/Linux) to verify the virtual adapter has an IP address and correct routes.
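
The first three client-side checks (DNS, connectivity, certificate) can be run in order from one script. This is an added example, not part of the original guide or any Palo Alto Networks tool; it assumes the portal or gateway listens on TCP 443 and validates the server certificate against the trust store Python uses on the machine, which may differ from the one the GlobalProtect client uses. The function names and result fields are illustrative.

```python
import socket
import ssl
import sys
import time

# Pre-login paths quoted in the guide; FQDNs are supplied by the caller.
PRELOGIN_PATHS = {"portal": "/global-protect/prelogin.esp",
                  "gateway": "/ssl-vpn/prelogin.esp"}

def prelogin_url(role, fqdn):
    """URL the guide says to open in a browser for this role."""
    return f"https://{fqdn}{PRELOGIN_PATHS[role]}"

def check_endpoint(role, fqdn, port=443, timeout=5.0):
    """Run DNS, TCP and TLS checks in order; stop at the first failure."""
    res = {"url": prelogin_url(role, fqdn), "stage": "dns", "ok": False}
    try:
        infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror: the name does not resolve
        res["detail"] = f"DNS lookup failed: {exc}"
        return res
    res["addresses"] = sorted({info[4][0] for info in infos})
    res["stage"] = "tcp"
    try:
        sock = socket.create_connection((fqdn, port), timeout=timeout)
    except OSError as exc:  # refused, filtered or timed out
        res["detail"] = f"cannot connect to port {port}: {exc}"
        return res
    res["stage"] = "tls"
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    except OSError as exc:  # includes ssl.SSLCertVerificationError
        res["detail"] = f"TLS handshake or certificate check failed: {exc}"
        return res
    days = int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)
    res.update(ok=True, detail=f"certificate trusted, expires in {days} days")
    return res

if __name__ == "__main__":
    # Usage (hypothetical script name): python gp_check.py portal vpn.example.com
    outcome = check_endpoint(sys.argv[1], sys.argv[2])
    print(outcome)
    sys.exit(0 if outcome["ok"] else 1)
```

The "stage" field names the first step that failed, which maps back to the matching bullet above. A failure at the tls stage covers expired, untrusted and name-mismatched certificates alike, so read the "detail" text to tell them apart.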
3. Firewall-Side Troubleshooting
- Monitor Logs: Use the following CLI commands to view relevant logs:
  - less mp-log authd.log – Authentication logs.
  - less mp-log sslvpn.log – SSL VPN logs.
  - less mp-log rasmgr.log – Tunnel and client configuration logs.
- Check User Sessions: Use show global-protect-gateway current-user to view currently connected users.
- Verify Security Policies: Ensure policies allow traffic from the GlobalProtect zone to internal resources.
- Inspect Certificates: Confirm that the portal and gateway certificates are valid and trusted by clients.
- Review Routing: Ensure that routes for the GlobalProtect IP pool are correctly configured and advertised if using dynamic routing.