Global protect failing to connect portal with Server certificate verification failed

• GlobalProtect client fails to connect after upgrade
• New user connections using the same client fails as well.
• Rolling back to previous version of GlobalProtect does not resolve the issue.
• Traffic captured on the portal confirms certificate validation error, showing TLS handshake issues where the client initiated an "Encrypted Alert" and Fin request without completing "Change Cipher Spec".
• Discrepancies found in ServerCert.pan file between working and non-working machines.
• Following messages are seen in the logs.
  • The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect.
  • Server certificate verification failed $ip : not signed by trusted root ca.
• PanGPA logs shown below.

(P4536-T6344)Debug( 584): 08/28/25 14:04:28:762 Network is reachable
(P4536-T6344)Debug(1474): 08/28/25 14:04:28:778 Failed to X509_LOOKUP_load_file
(P4536-T6344)Debug(13960): 08/28/25 14:04:28:778 Server certificate verification failed x.y.200.226 : not signed by trusted root ca

• GloalProtect(GP) Client/App
• Supported  versions

• Corrupted ServerCert.pan file on GP cache folder (C:/Users/<username>/appdata/local/Palo Alto Networks).
• This causes certificate validation failure.

1. Ensure root certificate is installed in  the machine and/or user certificate stores.
2. Stop PANGPS and GP client applications from the task manager (end task for both) and make sure PANGPS service stopped.
3. Delete all files under (C:/Users/<username>/appdata/local/Palo Alto Networks) folder
4. If the device is used by multiple users (Multi-user windows device) , search GP cache files (/appdata/local/Palo Alto Networks) under every user folder one by one and delete all of them.
5. If the issue not resolved Uninstall and Reinstall the GP client.