GlobalProtect client fails to connect with error "Failed to create gateway route" when using IPv6 only address on client side.

GlobalProtect client fails to connect with error "Failed to create gateway route" when using IPv6 only address on client side.

3292
Created On 11/16/23 02:16 AM - Last Modified 01/28/25 22:39 PM


Symptom


  • GlobalProtect Client is unable to connect to the Prisma Access gateway or a Strata Firewall configured as gateway.
  • When trying to connect error message "Failed to create gateway route" is displayed.
Failed to create gateway route
 

Environment


  • Prisma Access for Mobile Users- Any version.
  • Strata Next Generation Firewalls- Any version
  • GlobalProtect Gateway- Any version
  • GlobalProtect (GP) App

Cause


  • The client is receiving IPv6 address from ISP.
  • The GP client now resolves FQDN for gateway to an IPV6 address but the gateway does NOT have an IPv6 address assigned. 
PanGPS.log
Gateway australia-east-customer.gp5osny5c.gw.gpcloudservice.com ipv6 address is 2001:xxxx:xxxx:xxxx::a555:b15<<< IPv6
  • When the GP client tries to connect to the gateway using the resolved IPv6 address, the gateway returns the response with an IPv4 address. 
    PanGPS.log
Pre-login response is <?xml version="1.0" encoding="UTF-8" ?> <saml-default-browser>yes</saml-default-browser> <connected-ip>165.x.x.x</connected-ip>. <<< IPv4
  • This will cause a failure in the GP client to install the routes. 
    PanGPS.log
Connected-gw-ip is 165.x.x.x<<< 
165.x.x.x is not ipv6<<< 
Set registry LastErrorString as Failed to create gateway route 
Failed to create gateway route (0.0.0.0): (The system cannot find the file specified.) 
host is FQDN: 
is resolved to an ipv6 
IPSec tunnel receive failed with error 10054(An existing connection was forcibly closed by the remote host


Resolution


  1. The GP client expects that the IP resolution for the FQDN of gateway to be same stack as the one it is establishing the tunnel with.
  2. If the gateway supports IPv6, Assign an IPv6 address on the gateway interface. The FQDN must resolve to this assigned ipv6 address on all clients
  3. If the gateway does not support IPv6 or does not have an IPv6 address assigned, Work with the local network or ISP provider to make sure the FDQN does not resolve IPv6 address and instead resolves to IPv4 address.

Additional Information


Note: The GP client can connect without any issues when the internet connection is dual stack (IPv6 & IPv4) or just IPv4.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VuACAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail