Unable to update GlobalProtect Client

Hello Everyone,

Need some help here!

We are trying to update GP client to 6.3.0 but unable to. When a user connects to GP, a window comes where it states that GP is downloading updates and after few seconds, it disappears. When we check the About, it is still on the old version. We have valid certificate on our firewall as well. We have downloaded and activated the GP client image on the firewall and under Agent setting also, Allow with Prompt is enabled. When we did the PanAgent Debugs whicle clicking on Update on GP client, we are seeing below outputs. How do I resolve this, please someone help!

Thank you in advance.

(P12784-T12788)Debug( 408): 07/25/24 21:10:36:498 Receive gps message with type https_request.

(P12784-T12788)Debug( 325): 07/25/24 21:10:36:498 ===> response sent to GPI = no

(P12784-T28344)Debug(4767): 07/25/24 21:10:36:498 OID is NULL

(P12784-T28344)Dump ( 80): 07/25/24 21:10:36:498 Use shared translate

(P12784-T28344)Debug(5698): 07/25/24 21:10:36:498 DecodePostData, encPostDataLen = 384, outLen=183

(P12784-T28344)Debug( 643): 07/25/24 21:10:36:498 agentName is PAN GlobalProtect/6.2.0-89 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko

(P12784-T28344)Debug( 472): 07/25/24 21:10:36:498 winhttp SetSecureProtocol, hSession=2a06b7d0, bAllProtocol=0, gbFips=0

(P12784-T28344)Debug( 737): 07/25/24 21:10:36:498 REUSE, set context=000001442D704580

(P12784-T28344)Info (3496): 07/25/24 21:10:36:498 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=000001442D704580)

(P12784-T28344)Debug( 804): 07/25/24 21:10:36:498 REUSE, new session 000001442D6A47E0, m_server=vpngp.xxxx.com, port=443

(P12784-T28344)Info (3496): 07/25/24 21:10:36:498 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=000001442D704580)

(P12784-T28344)Debug( 979): 07/25/24 21:10:36:498 setReceiveTimeOut, set time out to 30000 ms

(P12784-T28344)Debug(1036): 07/25/24 21:10:36:498 setConnectTimeOut, set time out to 5000 ms

(P12784-T28344)Debug(1018): 07/25/24 21:10:36:498 kerberos, set HTTP_OPTION_AUTOLOGON_POLICY success

(P12784-T28344)Info (4897): 07/25/24 21:10:36:498 winhttpObj->SendRequest, first try

(P12784-T28344)Info (2198): 07/25/24 21:10:36:498 winhttpObj, SendRequest, m_clientCertName=(null), bIngoreClientCert=0

(P12784-T29592)Info (3496): 07/25/24 21:10:36:498 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=000001442D704580)

(P12784-T29592)Info (3496): 07/25/24 21:10:36:498 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=000001442D704580)

(P12784-T29592)Debug(3575): 07/25/24 21:10:36:498 WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=0x2ee7, result=5, dwCertificateError=0

(P12784-T28344)Debug(5521): 07/25/24 21:10:36:614 send alive message now 3

(P12784-T28344)Dump ( 102): 07/25/24 21:10:36:614 new command added to the queue at the back.

(P12784-T28344)Info (2301): 07/25/24 21:10:36:614 winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR

(P12784-T28344)Info (1669): 07/25/24 21:10:36:614 Server cert query failed with error 12019

(P12784-T28344)Debug(1581): 07/25/24 21:10:36:614 DC, dump server certificate now

(P12784-T14188)Debug( 614): 07/25/24 21:10:36:614 Send command to Pan Service

(P12784-T14188)Debug( 642): 07/25/24 21:10:36:614 Command = pan_msg_ping3

(P12784-T14188)Debug( 694): 07/25/24 21:10:36:614 PanClient sent successful with 80 bytes

(P12784-T12788)Dump ( 76): 07/25/24 21:10:36:614 OnReceive error=0

(P12784-T28344)Debug(1622): 07/25/24 21:10:36:615 DC, read 2333 of 2333 bytes from file C:\Users\prana37\AppData\Local\Palo Alto Networks\GlobalProtect\ServerCert.pan.

(P12784-T28344)Debug(1487): 07/25/24 21:10:36:615 DC, exportFirstCert

(P12784-T28344)Debug(1564): 07/25/24 21:10:36:615 DC, could not find right property id, last error=80092004

(P12784-T28344)Error(2331): 07/25/24 21:10:36:615 error = ERROR_WINHTTP_NAME_NOT_RESOLVED

(P12784-T28344)Debug(2430): 07/25/24 21:10:36:615 winhttpobj, return error 12007

(P12784-T28344)Error(5105): 07/25/24 21:10:36:615 winhttpObj, error! ipaddress vpngp.xxxx.com

bRetryWithoutCert is 0, bClientCertNeeded=0

(P12784-T28344)Dump ( 80): 07/25/24 21:10:36:615 Use shared translate

(P12784-T28344)Info (3496): 07/25/24 21:10:36:615 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=000001442D704580)

(P12784-T28344)Debug(3593): 07/25/24 21:10:36:615 handle 2d61ad40 closed

(P12784-T28344)Debug(3597): 07/25/24 21:10:36:615 REUSE, request closed

(P12784-T28344)Info ( 895): 07/25/24 21:10:36:615 wait for closing callback success!

(P12784-T28344)Dump ( 102): 07/25/24 21:10:36:615 new command added to the queue at the back.

(P12784-T14188)Debug( 614): 07/25/24 21:10:36:615 Send command to Pan Service

(P12784-T14188)Debug( 694): 07/25/24 21:10:36:615 PanClient sent successful with 336 bytes

(P12784-T12788)Dump ( 76): 07/25/24 21:10:36:615 OnReceive error=0

(P12784-T12788)Dump ( 76): 07/25/24 21:10:36:631 OnReceive error=0

(P12784-T12788)Debug( 125): 07/25/24 21:10:36:631 Received data from Pan Service

if the GP adapter gets an internal DNS server, then make sure the server can resolve the domain of GlobalProtect

Internal dns server needs an A record with the vpn.x.com external ip of your firewall gp portal.
And from there, monitor traffic / logs to verify your sec pol allows it to reach it.

Thank you everyone for your valuable suggestions. I appreciate it alot. We have to add a host entry for gateway on our internal DNS server.

Are you running admin privileges requires for installing application on your endpoints? If so new GP will not install since it does not have admin permission . Old one will still uninstall itself. Only way around this is to have the enpoint/system admin push this out via SCCM or intune. Additional perk is you will not have to require PC to restart.
I would suggest to have your GP Portal App setting as not to force endpoint to match with Firewall GP version or it will force install and this will happen again.

Edit: changed question format.

u/MoonshineYeeHaw did you find a fix to this? I am experiencing the exact same problem.

Two questions:

1. Why do you want 6.3? It’s incredibly beta

2. Are these logs from PanGPS.log? That’s where you will find logs around the update process. Search for “AutoUpdater” in PanGPS.log.

Make sure you are able to resolve your gateway if you’re using FQDN. That was the issue in my case. We were not able to resolve the gateway to IP, so made a request to DNS team to add an entry.

webkit2 is a pretty big deal.

These logs are debug collected from PanGPAgent.

Thank you! That fixed it…

You can get that in every code train of global protect now. 6.0.10, 6.2.3 (or newer), 6.3

Edit: 6.1 doesnt have the upgraded browser framework, but its end of engineering 9/1 anyways so kinda irrelevant.

Yes… After you collect the logs, unzip the file. You’ll find PanGPS.log in the uncompressed folder. Look for what I mentioned.

I’m glad to be of help!

6.2.3 does not have it, but 6.2.4 does and it came out after 6.3. The OP may have gone to 6.3 to get it. I tested it and it works, and when 6.2.4 came out I tested it also am still having auth issues, even though there is a specific bug fix for it.

I actually have active issues and PAN TAC cases due to it with Azure SAML support…