GlobalProtect App does not re-submit HIP report, causing the gateway to lose the IP-to-user mapping for a connected user.
Created On 10/05/25 22:56 PM - Last Modified 01/05/26 20:30 PM
Symptom
- The GlobalProtect (GP) app cannot reach the internet or internal resources even though the GP app connection is stable and has not disconnected.
- The logs on the gateway side show that the gateway no longer associates the username with the GP IP address.
- The security rules on the gateway now fail to match the user-based or user-group-based rules for this GP app.
- A manual refresh of the GP app or manually resubmitting the HIP (Host Information Profile) report fixes the issue.
- The GP app logs (PanGPS.log) show this message when connectivity is lost:
  (P4400-T12345)Debug(1111): 10/08/25 08:10:39:396 has not logged into gateway new-zealand-xy-gxxxxxxx.gw.gpcloudservice.com. Skip sending hip report to this gateway.
- The problem is observed more frequently in a single gateway location than in others.
Environment
- GlobalProtect App version 6.2 or 6.3
- Prisma Access
- Strata firewall used as GlobalProtect gateway
Cause
- The issue can be caused by GPC-22544. Check whether the GlobalProtect app version is lower than 6.3.3, 6.2.8, 6.3.2-h6 or 6.4.0.
- If yes, then an app upgrade is needed to fix a known issue tracked by GPC-22544.
- The second cause is a configuration that contains a duplicate gateway entry with the same name and the same FQDN.
- To identify this, check the portal configuration for any manual gateway entry with the same name and FQDN.
- As an example, the New Zealand location in Prisma Access is available by default to users from New Zealand, but the administrator can still manually add a gateway entry with the same FQDN to the portal's external gateway list.
- This configuration causes a problem.
Resolution
- Correct the configuration. Two gateway entries can have the same FQDN, but they should not have the same name.
- In the above example, the resolution is to change one of the entries, the manual one, to a different name. For the 2 entries with the name "New Zealand", the manual entry can be changed to "New Zealand1".
Additional Information
- Check the GP app logs and PanGPA.log for the duplicate gateway entry.
- Search for the string "gateway-list name" in the PanGPA.log.
- Look for the gateway FQDN and name and focus on the location where the users are reporting these disconnections.
- The output has been truncated for brevity.
<gateway-list name="gateway-list" type="external" user="customerportal.company.co.nz">
  <entry>
    <gateway>australia-southeast-customerportal.company.gpcloudservice.com</gateway>
    <tunnel>yes</tunnel>
    <login-time>1759173197</login-time>
    <lifetime>82800</lifetime>
    <manual>yes</manual>
    <description>Australia</description>
    <allow-tunnel>yes</allow-tunnel>
  <entry>
    <gateway>new-zealand-customerportal.company.gpcloudservice.com</gateway>
    <tunnel>no</tunnel>
    <manual>yes</manual>
    <description>New Zealand</description>
    <priority>1</priority>
    <internal>no</internal>
    <authenticated>no</authenticated>
  </entry>
  <entry>
    <gateway>pakistan-south-customerportal.company.gpcloudservice.com</gateway>
    <tunnel>no</tunnel>
    <manual>yes</manual>
    <description>Pakistan South</description>
    <priority>0</priority>
    <internal>no</internal>
    <authenticated>no</authenticated>
  </entry>
  <entry>
    <gateway>new-zealand-customerportal.company.gpcloudservice.com</gateway>
    <tunnel>no</tunnel>
    <manual>yes</manual>
    <description>New Zealand</description>
    <priority>1</priority>
    <internal>no</internal>
    <authenticated>no</authenticated>
  </entry>
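The duplicate check described above can be scripted when many PanGPA.log files need review. This is an added example, not Palo Alto Networks code: the function names are illustrative, the sample is constructed from the excerpt above, and it assumes the gateway name is logged in the <description> element as that excerpt shows.

```python
import re
from collections import Counter

# Constructed sample modelled on the truncated PanGPA.log excerpt on this page.
SAMPLE_LOG = """\
<gateway-list name="gateway-list" type="external" user="customerportal.company.co.nz">
<entry> <gateway>australia-southeast-customerportal.company.gpcloudservice.com</gateway> <manual>yes</manual> <description>Australia</description>
<entry> <gateway>new-zealand-customerportal.company.gpcloudservice.com</gateway> <manual>yes</manual> <description>New Zealand</description> </entry>
<entry> <gateway>new-zealand-customerportal.company.gpcloudservice.com</gateway> <manual>yes</manual> <description>New Zealand</description> </entry>
"""

GATEWAY_LIST = re.compile(r'<gateway-list name="gateway-list"[^>]*>')
FIELD = re.compile(r"<(gateway|description)>\s*(.*?)\s*</\1>", re.S)


def gateway_lists(log_text):
    """Yield one list of (fqdn, name) tuples per logged gateway-list block.

    Regex-based rather than an XML parser: the logged fragment can be
    truncated (missing </entry> or </gateway-list>), as in the excerpt.
    """
    for block in GATEWAY_LIST.split(log_text)[1:]:
        block = block.split("</gateway-list>")[0]
        entries = []
        # Splitting on the opener tolerates entries without a closing tag.
        for chunk in block.split("<entry>")[1:]:
            fields = dict(FIELD.findall(chunk))
            if "gateway" in fields:
                # Hostnames are case-insensitive; names are compared exactly.
                entries.append((fields["gateway"].lower(),
                                fields.get("description", "")))
        yield entries


def duplicate_gateways(log_text):
    """Return sorted (fqdn, name) pairs that repeat within one gateway list."""
    dupes = set()
    for entries in gateway_lists(log_text):
        dupes.update(p for p, n in Counter(entries).items() if n > 1)
    return sorted(dupes)


if __name__ == "__main__":
    for fqdn, name in duplicate_gateways(SAMPLE_LOG):
        print(f"duplicate gateway entry: name={name!r} fqdn={fqdn}")
```

Entries that share an FQDN but have different names are not reported, which matches the resolution above.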