A user on the native iOS VPN client is unable to connect to the GlobalProtect Gateway after an upgrade to PAN-OS 11.2.7.

Created On 12/19/25 12:23 PM - Last Modified 02/06/26 21:41 PM


Symptom


  • PAN-OS was upgraded from 11.1.4 to 11.2.7 on the gateway firewall.
  • After the upgrade, a user on the native iOS VPN client is unable to connect to the GlobalProtect Gateway.
  • The username is entered in the format "domain\username".
  • Authentication succeeds, but the gateway configuration push fails.
  • On the native iOS VPN client, the error message "communication with VPN-server failed" is displayed.
  • On the firewall, "ikemgr.log" shows successful authentication:
2025-09-26 11:21:03.069 +0200 debug: pan_auth_handle_response(pan_auth_msg.c:403): Authentication user domain\username succeeded.
  • "rasmgr.log" shows the error "fail to get config":
2025-09-26 11:21:03.169 +0200 debug: rasmgr_sslvpn_client_config(src/rasmgr_sslvpn.c:3445): begin... client_type=4
2025-09-26 11:21:03.169 +0200 debug: rasmgr_sslvpn_client_config(src/rasmgr_sslvpn.c:4170): cleanup...
2025-09-26 11:21:03.169 +0200 debug: rasmgr_sslvpn_client_config(src/rasmgr_sslvpn.c:4276): Error! 
2025-09-26 11:21:03.169 +0200 debug: rasmgr_increase_counter(src/rasmgr_cfg.c:1399): increase by 1: gpportal-gw error-invalid-username->116
2025-09-26 11:21:03.169 +0200 debug: rasmgr_sslvpn_client_config(src/rasmgr_sslvpn.c:4345): res=5
2025-09-26 11:21:03.169 +0200 debug: globalprotect_query_n_update_quarantine(sslvpn_misc.c:175): send req(2) to iotd for quarantine: vsys id (1); hostid (); serial ()
2025-09-26 11:21:03.170 +0200 rasmgr_sslvpn_client_terminate space gpportal-gw-N domain  user domain\username computer A.B.C.D reason fail to get config
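
To confirm that a failed login matches this signature, the two logs can be correlated per user. The following is an added triage example, not Palo Alto Networks code: it assumes the line layout shown in the excerpts above, and the function name, the 5-second window, and the sample users and address are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Patterns assume the log line layout shown in this article's excerpts.
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4})"
AUTH_OK = re.compile(TS + r" .*Authentication user (\S+) succeeded\.")
TERMINATE = re.compile(
    TS + r" rasmgr_sslvpn_client_terminate .* user (\S+) computer (\S+) "
    r"reason fail to get config")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f %z")

def find_matches(ikemgr_lines, rasmgr_lines, window=timedelta(seconds=5)):
    """Return (user, client, auth_time, fail_time) for each domain\\user login
    that authenticated in ikemgr.log and then failed the config push.
    The 5-second correlation window is an assumption, not a vendor value."""
    auths = {}
    for line in ikemgr_lines:
        m = AUTH_OK.match(line)
        if m:
            auths.setdefault(m.group(2).lower(), []).append(_ts(m.group(1)))
    hits = []
    for line in rasmgr_lines:
        m = TERMINATE.match(line)
        if not m or "\\" not in m.group(2):
            continue  # only domain\username logins fit this article
        failed = _ts(m.group(1))
        for ok in auths.get(m.group(2).lower(), []):
            if timedelta(0) <= failed - ok <= window:
                hits.append((m.group(2), m.group(3), ok, failed))
                break
    return hits

# Constructed sample lines modelled on the excerpts in this article.
IKEMGR = [
    r"2025-09-26 11:21:03.069 +0200 debug: pan_auth_handle_response(pan_auth_msg.c:403): Authentication user corp\alice succeeded.",
    r"2025-09-26 11:22:10.500 +0200 debug: pan_auth_handle_response(pan_auth_msg.c:403): Authentication user bob succeeded.",
]
RASMGR = [
    r"2025-09-26 11:21:03.169 +0200 debug: rasmgr_increase_counter(src/rasmgr_cfg.c:1399): increase by 1: gpportal-gw error-invalid-username->116",
    r"2025-09-26 11:21:03.170 +0200 rasmgr_sslvpn_client_terminate space gpportal-gw-N domain  user corp\alice computer 192.0.2.10 reason fail to get config",
]

if __name__ == "__main__":
    for user, client, ok, failed in find_matches(IKEMGR, RASMGR):
        print(f"{user} from {client}: auth ok {ok.time()}, config push failed {failed.time()}")
```

A hit means the login authenticated and was then terminated with "fail to get config" for a domain-qualified username, which is the pattern described in the Symptom section.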


Environment


  • Next-Gen Firewalls
  • PAN-OS 11.2.7
  • GlobalProtect Gateway
  • iOS native VPN client
  • username format domain\username


Cause


Software Issue.



Resolution


Workaround:

  1. Use the username only (without the domain) in the login box when connecting with the 3rd party VPN client, OR
  2. Add the username, without the domain, to the Allow List under Device > Authentication Profile.

Resolution:

  1. The issue will be addressed in the upcoming releases 11.2.11, 12.1.5, 11.1.14 and higher versions.

