Error message: Connection Failed. Could not connect to the GlobalProtect gateway. Please contact your IT administrator

Created On 12/10/20 05:51 AM - Last Modified 08/12/21 02:03 AM


Symptom


Symptom/Scenario:
  • The GlobalProtect Portal/Gateway Authentication Profile uses RADIUS.
  • The RADIUS server uses MFA with Duo push.
  • The RADIUS server timeout is set to 60 seconds with a retry count of 1.
  • GP users connect to GP (on-demand) and receive the Duo push immediately, but do not approve it quickly enough to complete the authentication process.
  • The authentication timeout occurs at 25 seconds and GP disconnects with the error message "Connection Failed. Could not connect to the GlobalProtect gateway. Please contact your IT administrator".
  • The issue is that the GP client does not keep waiting until the RADIUS timeout expires.
  • The question: when the user does not approve the Duo push in time (within 25 seconds), how can the GP timeout be made to occur only after the configured RADIUS server timeout?


Environment


  • GlobalProtect
  • RADIUS Servers
  • Multi-Factor Authentication using DUO


Cause


  • The default GlobalProtect timeout is 30 seconds, which in turn sets the default authentication timeout to 25 seconds.
  • The authentication timeout is calculated as (GlobalProtect timeout - 5).
  • If the global-protect timeout is lower than the RADIUS server profile timeout/retries, the lower value is used as the authentication timeout.
  • The global-protect timeout value is the timeout between the GlobalProtect client and the firewall's GlobalProtect Portal/Gateway.

    NOTE:  The GlobalProtect timeout should be greater than the total time that any server profile allows for connection attempts. The total time in a server profile is the timeout value multiplied by the number of retries and the number of servers.
     


Resolution


  1. Increase the global-protect timeout value so that it is greater than the desired RADIUS authentication timeout. Note: This can be done only from the firewall CLI, not from the WebUI:
> configure
# set deviceconfig setting global-protect timeout 90
# commit

# show deviceconfig setting global-protect
global-protect {
  timeout 90;
}
# exit

 
  2. Increase the “TCP received timeout” to 90 seconds to match the GP timeout value (GUI: Network > GlobalProtect > Portals > (name) > Agent > (agent name) > App).
     [Screenshot: Portal App TCP setting]

  3. The GlobalProtect authentication timeout can now reach 55-60 seconds (the configured RADIUS server timeout) while waiting for users to approve the Duo push.

NOTE: If the GlobalProtect timeout is changed without changing the “TCP received timeout”, the GP App is disconnected after about 30 seconds, because the “TCP received timeout” defaults to 30 seconds.
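The three timeouts from the Cause and Resolution sections checked together, as an added example that is not part of the original article or of any Palo Alto Networks tool. The `GpTimeouts` class and the function names are hypothetical, and treating the lowest of the three limits as the user's approval window is a simplifying assumption based on the rules stated above.

```python
from dataclasses import dataclass

GP_AUTH_MARGIN = 5  # article: authentication timeout = GlobalProtect timeout - 5

@dataclass
class GpTimeouts:
    gp_timeout: int        # "set deviceconfig setting global-protect timeout"
    tcp_recv_timeout: int  # portal agent App setting, "TCP received timeout"
    radius_timeout: int    # RADIUS server profile timeout, in seconds
    radius_retries: int    # RADIUS server profile retry count
    radius_servers: int    # number of servers in the profile

def server_profile_total(cfg):
    """Total time the server profile allows: timeout x retries x servers."""
    return cfg.radius_timeout * cfg.radius_retries * cfg.radius_servers

def approval_window(cfg):
    """Seconds the user has to approve the push before a timer gives up."""
    # Assumption: whichever of the three limits is lowest ends the attempt.
    auth_timeout = cfg.gp_timeout - GP_AUTH_MARGIN
    return min(auth_timeout, server_profile_total(cfg), cfg.tcp_recv_timeout)

def audit(cfg):
    """Return a list of findings; an empty list means the timeouts line up."""
    findings = []
    total = server_profile_total(cfg)
    if cfg.gp_timeout <= total:
        findings.append(
            f"GlobalProtect timeout {cfg.gp_timeout}s is not greater than the "
            f"server profile total {total}s; authentication stops at "
            f"{cfg.gp_timeout - GP_AUTH_MARGIN}s")
    if cfg.tcp_recv_timeout < cfg.gp_timeout:
        findings.append(
            f"TCP received timeout {cfg.tcp_recv_timeout}s is below the "
            f"GlobalProtect timeout {cfg.gp_timeout}s; the app disconnects "
            f"after about {cfg.tcp_recv_timeout}s")
    return findings

# Constructed inputs that follow the article's scenario (one RADIUS server).
DEFAULTS = GpTimeouts(30, 30, 60, 1, 1)    # before any change
HALF_FIXED = GpTimeouts(90, 30, 60, 1, 1)  # CLI change only (step 1)
FIXED = GpTimeouts(90, 90, 60, 1, 1)       # steps 1 and 2 applied

if __name__ == "__main__":
    for name, cfg in [("defaults", DEFAULTS), ("half fixed", HALF_FIXED),
                      ("fixed", FIXED)]:
        print(name, approval_window(cfg), audit(cfg))
```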

 


Additional Information


The default GlobalProtect timeout is not shown by the command below unless the value has been modified or reset to the default value again:
> configure
# show deviceconfig setting global-protect
# exit

 

