Global Protect Client fails to connect intermittently
Created On 03/22/19 03:38 AM - Last Modified 02/22/22 03:25 AM
Globalprotect client attempts to connect for a long time and then connection timeout happens with the below error.
Could not connect to gateway. Please contact your IT administrator.The client may get connected after multiple tries.
- All PANOS
- All Globalprotect Client versions.
One of the possible reasons for this issue is the absence of the PAN-DB on the firewall and the Security Policy being configured with URL filtering Profile.
To find out if the issue is caused by the absence of PAN-DB the below steps can be used.
Configure "Manage Filter" with the Source IP of the PC and Destination IP as the IP address of the Interface that terminates the Globalprotect Portal and Gateway.
If the client is in Internet then use the NATted Public IP of the Client PC.
Then enable the filter and run the below command once. The first output can be ignored.
> show counter global filter packet-filter yes delta yes
Attempt to connect to the Portal and Gateway from the User PC that has the issue.
Wait for some time and run the below command again.
> show counter global filter packet-filter yes delta yesIn the output of the above command, check if "url_db_request" and "url_request_pkt_drops" are seen. Example output below.
url_db_request 18 0 info url pktproc Number of URL database request url_request_pkt_drop 31 0 drop url pktproc The number of packets get dropped because of waiting for url category requestIf yes, then the delay in the connection is most likely being caused because PAN-DB is not installed on the firewall.
- Navigate to Device > License > PAN-DB URL Filtering
- Check if the PAN-DB has been downloaded and installed.
- If not, then download the PAN-DB by choosing the appropriate region and activate it if needed.
- Once the PAN-DB is installed, attempt the Globalprotect VPN client connection and check if the issue is now fixed.
Use the link to Install and Activate PAN-DB.