GlobablProtect Client Remains in Connecting State
62125
Created On 09/25/18 19:25 PM - Last Modified 02/01/20 02:13 AM
Symptom
The Global Protect client icon just spins in the taskbar after a reboot and remains in a "connecting" state. Why doesn't the GP client ever leave the connecting state and load the locally cached portal configuration residing on the client machine?
Environment
- Palo Alto Firewall.
- Any PAN-OS.
- Global Protect (GP) Agent 4 or lower.
Cause
The GP client icon stays in the "connecting" state after a reboot because, by design, it will always try to connect to the portal for the latest configuration after a reboot or restart of the GP client software. This is not an attempt to connect to the Gateway/VPN, only to the portal. The GP client will remain in this state if credentials aren't entered or saved on the client machine because it's unable to attempt a connection to the portal without those credentials. If "on-demand mode" is selected in the portal configuration and the GP client connects to the portal, it will recognize that on-demand mode is enabled, stop spinning (leave the "connecting" state) and wait for the user to hit the connect button to connect to the Gateway / VPN.
The GP client doesn't leave the connecting state and load the locally cached portal configuration because the locally stored portal cache is not utilized until credentials are entered into the GP client and a connection to the portal is attempted. If no credentials are entered or the "Remember Me" box is not checked, a connection to the portal is not initiated, and the local cache of the portal configuration is never utilized. This means the client will stay in the "connecting" phase (spinning icon in taskbar) until a connection attempt to the portal is made. If credentials are entered or saved and the GP client attempts a connection to the portal but is unable to reach it, it will then load the locally stored portal configuration it received from the last time it connected to the portal successfully.
Resolution
- Ensure connectivity to Portal from Client machine.
- Ensure the credentials are correctly entered or saved on the client machine.
- If the issue continues, contact Palo Alto Support to troubleshoot further.
Additional Information
Note: The issue is not applicable in the newer release of GP Clients (tested 4.1.12 and 5.0.x). When the Portal information is not cached and it is not reachable, "Connection Failed Invalid Portal" is seen on the client machine.