A solution for Global Protect Connection Issues on MacOS Clients

A solution for Global Protect Connection Issues on MacOS Clients

28657
Created On 01/29/20 04:33 AM - Last Modified 04/29/20 00:41 AM


Symptom
Global Protect Agents installed on a MacOS is having repeated issues with connecting to the Global Protect Gateway. It shows as constantly in the 'Connecting' state with no changes in status. Retrying the connection does not help. After looking into the PanGPA.log and finding the following:
 
P1316-T36895 Nov 30 15:02:57:67700 Error( 119): Error sending 64 bytes to server (-1 bytes sent): Broken pipe
P1316-T36895 Nov 30 15:02:57:67702 Error( 838): Send failed with error: 32
P1316-T36895 Nov 30 15:02:57:567743 Info ( 211): InitConnection ...
P1316-T36895 Nov 30 15:02:57:567759 Debug( 55): fd still open before connect
P1316-T36895 Nov 30 15:02:57:567855 Error( 76): Failed to connect to server at port:4767
P1316-T36895 Nov 30 15:02:57:567862 Error( 215): Cannot connect to service, error: 61

This indicates that the Global Protect Agent cannot reach the Global Protect Service running on the client. 


Environment
  • Mac OS High Sierra 10.13.
  • Global Protect  Agent 5.0 and above.
  • Any PAN-OS.


Cause

MacOS High Sierra 10.13 introduced a new feature that requires user approval before loading newly-installed third-party kernel extensions or KEXTs, for short. When a request is made to load a KEXT that has not been approved, the load request is denied.

NOTE: Approval is automatically granted to third-party KEXTs that were already installed before transitioning to macOS High Sierra.

The KEXT associated with Global Protect has not been approved and so cannot be run. This in turn prevents the Agent from connecting to the service. 



Resolution

To resolve this, the KEXT needs to be approved. 

When a request is made to load a KEXT that has not been approved, the load request is denied and macOS presents the alert below:

This directs the user to approve the KEXT in System Preferences > Security & Privacy:

This approval will only be present for 30 minutes after the alert. Until approval, future load attempts will cause the approval UI to reappear but will not trigger another alert.

The approval request should show 'Palo Alto Networks' as the developer. Click "Allow" and that should give the necessary permissions for Global Protect. 



Additional Information
This is only a potential solution for GP connection issues on MacOS. Other OS will operate differently. 

Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000POS7&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments