University Client VPN Troubleshooting Guide

This guide is meant to provide helpful troubleshooting steps to empower Local Support Providers to resolve issues they find with the installation and/or operation of the University Client VPN “Palo Alto – GlobalProtect”. 

Can the user log in to the portal website? If not, see the list below for troubleshooting steps.

Is the user having an authentication error?

The University Client VPN is authenticated via PennKey. If the user has forgotten their PennKey username or password, or is having trouble with those credentials, have them submit a ticket to the PennKey Support team.

Is the user enrolled in Penn Two-Step?

Users must first be enrolled in Penn Two-Step to access the University Client VPN. Have the user enroll at the Two-Step Verification site, and then try again.

 

Trouble with DUO Universal Prompt with Palo Alto VPN Pre-Logon functionality?

The transition to DUO Universal Prompt can cause an issue with the Palo Alto VPN Pre-Logon functionality. A user who attempts to connect using Pre-Logon will pass primary authentication but will be unable to complete secondary authentication. This can be resolved by modifying the Windows registry entry for pre-logon to include the DUO domain(s).

RESOLUTION: The following Windows registry entry should be added to fix this:

- Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL
- Type: REG_SZ
- Value Name: TrustedIdpDomains
- Value Data: api-ecae067e.duosecurity.com (the value is comma-separated for multiple domain names)

*NOTE* This may be done via BigFix if that is how the software is pushed out and configured for end-user workstations.

Is the user in the proper PennGroups group for VPN access?

Have the user go to this URL: https://grouper.apps.upenn.edu/grouper/grouperUi/app/UiV2Main.indexCustomUi?operation=UiV2CustomUi.customUiGroup&groupId=547c947f04cf4f5ca887162999a461e1

The user should receive this message: 

If not, please submit a ticket with the ISC PennGroups team.

Can the user receive a ping response from vpn.upenn.edu?

Are there connectivity issues at the user’s home?

Are there certificate issues in the browser?

Try using a different browser, clearing the browser cache, or using Incognito Mode.

Can the user resolve vpn.upenn.edu to its correct IP address? (128.91.250.251)

There could be DNS issues. Ensure the user doesn’t have any local DNS setup and that they have the correct responding Penn DNS Servers: 128.91.18.2, 128.91.49.2

Is the user using more than one VPN?

Make sure the user is connecting to GlobalProtect first and that the second VPN is not a full tunnel.

Is the user connected to the VPN network once they log in?

Run ipconfig in Windows or ifconfig in macOS and make sure the user's machine has an address in one of these subnets: 10.100.128.0/19 or 10.100.160.0/19
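A /19 boundary is easy to misjudge by eye, so the check above can be scripted. This is an added example, not part of the original guide: it reads pasted ipconfig or ifconfig output and reports any interface address inside the two subnets listed above. The function name and the sample output are constructed for illustration.

```python
import ipaddress
import re

# Address pools listed in this guide for connected VPN clients.
VPN_SUBNETS = [ipaddress.ip_network("10.100.128.0/19"),
               ipaddress.ip_network("10.100.160.0/19")]

# Only lines that assign an address to an interface: "IPv4 Address" (Windows
# ipconfig) or "inet" (macOS ifconfig). Mask and gateway lines are skipped.
ADDR_LINE = re.compile(
    r"^\s*(?:IPv4 Address[ .]*:|inet)\s+(\d{1,3}(?:\.\d{1,3}){3})", re.M)

def vpn_addresses(output):
    """Return the interface addresses in `output` that fall inside a VPN subnet."""
    found = []
    for text in ADDR_LINE.findall(output):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # e.g. 999.1.1.1 from damaged output
            continue
        if any(addr in net for net in VPN_SUBNETS):
            found.append(str(addr))
    return found

# Constructed sample output (not captured from a real machine).
WINDOWS_SAMPLE = """\
Ethernet adapter Ethernet 2:
   IPv4 Address. . . . . . . . . . . : 10.100.159.255
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
"""
MAC_SAMPLE = """\
en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
\tinet 10.100.192.4 netmask 0xffffff00 broadcast 10.100.192.255
"""

if __name__ == "__main__":
    print(vpn_addresses(WINDOWS_SAMPLE))  # last address of 10.100.128.0/19
    print(vpn_addresses(MAC_SAMPLE))      # 10.100.192.x is outside both pools
```

An empty result means no interface holds a VPN pool address, even if the address looks close (10.100.192.x is just past the end of 10.100.160.0/19).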

Reboot

Rebooting can resolve many issues and is a good first step to try.

Is the VPN client installed properly?

Make sure you are obtaining the client from the portal. If not, uninstall, download, and reinstall.

Killer Network Manager

This is a program that has been found on Alienware machines as well as Dell machines and can cause problems with GlobalProtect. You can search Systeminfo.txt as well as NicConfig.txt for this software.

 

Here is a link for troubleshooting Killer Network Manager with VPN clients: https://support.killernetworking.com/knowledge-base/troubleshooting-vpn-clients/

 

For additional information on this software see this link: https://www.dell.com/support/kbdoc/en-us/000140850/qualcomm-atheros-killer-network-manager-alienware-systems-supported

Windows Defender Problems

In the PanGPHip.log file, search for “defender”. An “opswat” error shows up that either doesn’t allow the client to connect or keeps dropping the connection as soon as it does. This has been fixed in the newest version so far, so make sure they are running the newest version at the time.

Port 4767

There can be problems with the connection on port 4767.  This shows up in the PanGPA.log.  When reviewing this log, search for 4767. You may see an error about failure to connect on port 4767.  Verify the computer is listening for the connection: 

 

On a Mac from a terminal

netstat -an | grep 4767

You should see this:

tcp4       0      0  127.0.0.1.4767         *.*       LISTEN

 

On Windows from CLI

netstat -an | find "4767"

TCP 127.0.0.1:4767   0.0.0.0/0          LISTENING

 

If it isn’t listening you might try restarting the client or rebooting the computer. You can also temporarily disable the local firewall and see if the machine is able to connect.  If you can connect after this step, you can add an exception to Windows Firewall: https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-security
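A plain text match on 4767 also hits other ports that contain those digits and sockets in other states. The following added example (not part of the original guide) parses netstat -an output in both the macOS and Windows layouts shown above and answers only whether 127.0.0.1 port 4767 is listening. The function name and the non-matching sample lines are constructed.

```python
import re

# Local-address column ends in ".4767" on macOS and ":4767" on Windows.
LOCAL_4767 = re.compile(r"^127\.0\.0\.1[.:]4767$")

def gp_port_listening(netstat_output):
    """True if a TCP socket on 127.0.0.1 port 4767 is in the listening state."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        # macOS columns:   proto recv-q send-q local foreign state
        # Windows columns: proto local foreign state
        local = fields[3] if fields[1].isdigit() else fields[1]
        state = fields[-1].upper()
        if LOCAL_4767.match(local) and state in ("LISTEN", "LISTENING"):
            return True
    return False

# The two expected lines quoted in this guide.
MAC_OK = "tcp4       0      0  127.0.0.1.4767         *.*       LISTEN"
WIN_OK = "TCP 127.0.0.1:4767   0.0.0.0/0          LISTENING"

# Constructed lines that a text search for 4767 would match but that do not
# show the local listener: a different port, and a non-listening socket.
MAC_OTHER_PORT = "tcp4       0      0  *.47670                *.*       LISTEN"
WIN_OTHER_STATE = "TCP 192.168.1.23:50112   203.0.113.9:4767   TIME_WAIT"

if __name__ == "__main__":
    for sample in (MAC_OK, WIN_OK, MAC_OTHER_PORT, WIN_OTHER_STATE):
        print(gp_port_listening(sample), "<-", sample)
```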

Driver Problems

Driver problems may show up in the PanGPS.log.  In this log, search for errors. If you see something like “start driver failed” or “EnableVIF failed”, try reinstalling the VPN client from scratch.

To collect logs on the GlobalProtect client:

  • Click Settings in the top right corner
  • Select the Troubleshooting Tab
  • Ensure the Logging Level is set to Debug
  • Click “Collect Logs”

This will download a zipped directory of files.  If opening a ticket with ISC, please attach this zip file to the ticket.

*NOTE* - Make sure to reboot first, then attempt connection, then collect logs.
 

Useful Log Files

Systeminfo.txt

This log tells you information about the local system

PanGPS.log

This log tells you client events on the local system

PanGPHip.log

This log shows HIP events. *NOTE* There have been problems with Windows Defender that show up here

PanGPA.log

This log shows logical event problems

Debug.log

This log can also be helpful
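The searches this guide recommends for each log can be run over the collected zip in one pass. This is an added example, not part of the original guide or of GlobalProtect: the search strings for the three Pan* logs are the ones named in the sections above, "Killer" as the search term for Systeminfo.txt and NicConfig.txt is an assumption, and every sample log line is constructed rather than real client output.

```python
import io
import zipfile

# File name -> strings this guide says to look for (matched case-insensitively).
CHECKS = {
    "PanGPS.log": ["start driver failed", "EnableVIF failed"],
    "PanGPA.log": ["4767"],
    "PanGPHip.log": ["defender", "opswat"],
    "Systeminfo.txt": ["Killer"],   # assumed search term for Killer Network Manager
    "NicConfig.txt": ["Killer"],    # assumed search term for Killer Network Manager
}

def triage(bundle):
    """Scan a collected-logs zip (path or file object); return (file, line_no, text) hits."""
    hits = []
    with zipfile.ZipFile(bundle) as zf:
        for member in zf.namelist():
            base = member.replace("\\", "/").rsplit("/", 1)[-1]
            needles = CHECKS.get(base)
            if not needles:
                continue
            # Undecodable bytes are replaced instead of raising an error.
            text = zf.read(member).decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if any(n.lower() in line.lower() for n in needles):
                    hits.append((base, no, line.strip()))
    return hits

def sample_bundle():
    """Build a small in-memory bundle; every log line here is constructed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logs/PanGPS.log", "service started\nError: start driver failed\n")
        zf.writestr("logs/PanGPA.log", "cannot connect to 127.0.0.1 port 4767\n")
        zf.writestr("logs/PanGPHip.log", "hip check complete\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, line_no, text in triage(sample_bundle()):
        print(f"{name}:{line_no}: {text}")
```

Pass the path of the downloaded zip to triage() in place of sample_bundle(); a hit points to the matching section of this guide, not to a confirmed root cause.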