GlobalProtect VPN Troubleshooting Guide

Quick Links: | Common GlobalProtect Errors and What They Mean | Step-by-Step Troubleshooting | Tools You May Need |

Having ongoing VPN problems? If GlobalProtect continues to fail after trying the steps in this article, please submit a GlobalProtect VPN support request.

Common GlobalProtect Errors and What They Mean

GlobalProtect is unable to connect to portal or gateway

Error: “Could not connect to portal (or Did not find portal address) could be caused by:

  • The portal address is typed incorrectly.
  • Your device cannot resolve the portal name (DNS issue).
  • The portal site is not reachable from your network.
  • A firewall or network is blocking the connection.

Error: “Required client certificate is not found could be caused by:

  • The required VPN certificate is not installed on your device.
  • The certificate is installed, but not in the correct certificate store.

Error: “Server certificate verification failed” or Protocol error. Check server certificate could be caused by:

  • The portal/gateway certificate has expired.
  • The certificate name does not match the portal/gateway address.
  • Your device does not trust the certificate authority.
  • The certificate chain is incomplete.

Stuck message: “Discovering Network” could be caused by:

  • A driver or virtual adapter issue on your computer.

GlobalProtect connected but unable to access resources

Symptom: “Connected, but I can’t access campus resources”:

  1. Confirm the GlobalProtect virtual adapter has an IP addressDNS suffix, and Access Routes. Check the GlobalProtect Details tab or use tools like ipconfig /all, ifconfig, route print, or netstat -nr.
  2. Confirm port 4501 is not blocked (this is used for IPsec data communication).
  3. Confirm firewall security policies allow traffic from the VPN IP pool to protected resources (tunnel interface zone to resource zone).
  4. Confirm there is a return route for VPN client IP pools so reply traffic can reach VPN users.
  5. Confirm the firewall is receiving IP-User Mapping from GlobalProtect (if User-ID is used).
  6. Confirm the firewall is receiving HIP data and that HIP policies/rules are configured correctly (if HIP is used).

Step-by-Step Troubleshooting

  1. Confirm you are connected to the internet.
  2. Confirm your GlobalProtect portal address is correct.
  3. Open a web browser and test:
    • https://<Portal-IP/FQDN>
    • https://<Gateway-IP/FQDN>

    If you see certificate warnings, this often points to a certificate issue.

  4. Disconnect and reconnect GlobalProtect.
  5. If you receive a certificate-related error, confirm the correct certificate is installed.
  6. If the issue continues, collect GlobalProtect logs (for example, PanGPS.log).

Tools You May Need

Tool What It Helps You Check
Ping/Traceroute Whether the portal/gateway is reachable from your network.
Nslookup Whether the portal/gateway FQDN resolves to an IP address.
Ipconfig / Ifconfig / Route print / Netstat -nr Whether the VPN adapter has correct settings and routes.
MMC (Windows) / Keychain Access (macOS) Whether required certificates are installed and trusted.
Web browser Whether the portal/gateway loads and the SSL certificate looks valid.
GlobalProtect Status / Details tab Whether you are connected and what IP/DNS/routes you were assigned.
GlobalProtect logs Detailed troubleshooting information (for example, PanGPS.log).

Still need help? Contact IT Support Services for further assistance.

Help us improve our Knowledge Base! Click Yes or No below, then let us know what worked — or what didn’t. Your feedback helps us improve our content and provide the best possible support.

Print Article