2factor VPN - Frequently Asked Questions & Troubleshooting

Frequently asked questions and troubleshooting steps for the Palo Alto GlobalProtect 2factor VPN.

Frequently Asked Questions

  1. What scenarios require use of the 2factor VPN?

  2. What Operating Systems and VPN clients are compatible with the 2factor VPN?

  3. What are the inactivity/timeout limits for the 2factor VPN?

Troubleshooting

  1. General Connection Troubleshooting (Start Here)

  2. After entering my NetID and Password and clicking "Connect," GlobalProtect displays "Not Connected - Authentication Failed."

  3. After entering my NetID and Password and clicking "Connect," GlobalProtect displays "Connecting" but the OTP entry window doesn't appear.

  4. After being prompted for and entering my OTP code, GlobalProtect displays "Re-enter your password."



Frequently Asked Questions

  1. What scenarios require use of the 2factor VPN?

    The 2factor VPN is used to protect systems that contain sensitive data. You may need to connect to the VPN in order to access these resources when working remotely, or while in the office on wireless networks. While connected to the VPN, all traffic is routed through UW Madison servers. As such, you are subject to UW Madison's Responsible Use of Information Technology Policy. Connecting to the campus network, including the 2factor VPN, constitutes consent to have network traffic monitored. If malware or copyrighted material is detected on a university-owned or personally owned computer that is connected to the VPN, you will be subject to remediation steps with the Office of Cybersecurity. Failure to comply will result in loss of access to the 2factor VPN. Minimizing connections via personally owned computers and disconnecting when access to protected systems is no longer required are recommended 2factor VPN practices.

  2. What Operating Systems and VPN clients are compatible with the 2factor VPN?

    Currently, Microsoft Windows and Apple OS X are the only operating systems compatible with the 2factor VPN. It is not possible to connect via Linux, Unix, Android, or iOS.

    For Windows and OS X, GlobalProtect is the only client that can be used to connect at this time. See 2factor VPN - Download and Install the Palo Alto GlobalProtect Client. Cisco AnyConnect and other VPN clients are not compatible. There is a GlobalProtect application for Android and iOS devices, but this application is not compatible with the 2factor VPN service.

  3. What are the inactivity/timeout limits for the 2factor VPN?

    Although uncommon, reaching the following limits will result in being disconnected from the VPN:

    • Login Lifetime: 48 Hours. This is the maximum duration of a single 2factor VPN session.
    • Inactive Session Logout: 24 Hours. This is the maximum duration of network inactivity before the VPN session disconnects.


Troubleshooting

  1. General Connection Troubleshooting (Start Here)

    No matter what connection symptoms or error messages you are encountering, you should start by verifying the following:

    • Prior to consulting this troubleshooting guide, please verify that you are following these steps to connect to the VPN: 2factor VPN - Connect to VPN with the Palo Alto GlobalProtect Client

    • Verify that you are not connected to another VPN, such as WiscVPN via Cisco AnyConnect. Connecting to multiple VPNs on one computer (whether in the same Operating System or in a virtual environment) is not a supported configuration and can cause a variety of connection issues. Thus, this configuration should be avoided.
    • Verify that you do not have both Ethernet and wireless network connections enabled at the same time:

      • If you are using an Ethernet connection, you should disable your wireless adapter.
      • If you are using a wireless connection, you should unplug or disable your Ethernet.
      • If you are using a docking station, make sure that you either disable your wireless or disable/unplug your Ethernet.

      Operating systems can switch between Ethernet and wireless without user intervention, which has been known to cause VPN connectivity issues.

    • If on wireless, verify that you are connected to your preferred wireless network and that you have a strong signal. If you are moving a laptop between rooms, switching wireless networks may interrupt VPN connections. If you are on campus, consider switching from the UWNet to eduroam wireless network, or vice versa, if one has a less reliable connection at your location.

    • Verify that you have consistent network connectivity. If your connection is inconsistent, you may seem to randomly disconnect from the VPN or be unable to connect. If you are concerned about your network consistency, you should consider doing a ping test to check for dropped packets.

    • Attempt to reboot your computer if you have not done so already.
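
A way to read the result of the ping test suggested above, as an added example that is not part of the original document. It extracts the packet-loss figure from the summary that ping prints on macOS or Windows; the function names, the MAX_LOSS_PCT setting and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Capture a ping run first, then pipe it through link_status:
#   macOS:   ping -c 20 <host> | link_status
#   Windows: ping -n 20 <host>   (read the "Lost = ..." line the same way)
# <host> is a placeholder; the original page does not name a test target.

# Print the packet-loss percentage found in ping output on stdin.
# Understands the macOS summary ("15.0% packet loss") and the Windows
# summary ("(0% loss)"). Prints nothing when no summary line is present.
ping_loss_pct() {
    sed -n -E 's/.*[ (]([0-9]+(\.[0-9]+)?)% (packet )?loss.*/\1/p' | head -n 1
}

# Print "steady", "lossy" or "unknown" for ping output on stdin.
# MAX_LOSS_PCT is an assumed tunable (default 0: any dropped packet counts).
link_status() {
    loss=$(ping_loss_pct)
    if [ -z "$loss" ]; then
        echo "unknown"
        return 0
    fi
    awk -v l="$loss" -v max="${MAX_LOSS_PCT:-0}" \
        'BEGIN { if (l + 0 > max + 0) print "lossy"; else print "steady" }'
}

# Constructed sample output (192.0.2.1 is a documentation address).
SAMPLE_MACOS='--- 192.0.2.1 ping statistics ---
20 packets transmitted, 17 packets received, 15.0% packet loss
round-trip min/avg/max/stddev = 11.2/48.9/302.4/71.0 ms'

SAMPLE_WINDOWS='Ping statistics for 192.0.2.1:
    Packets: Sent = 20, Received = 20, Lost = 0 (0% loss),'

printf 'macOS sample:   %s\n' "$(printf '%s\n' "$SAMPLE_MACOS" | link_status)"
printf 'Windows sample: %s\n' "$(printf '%s\n' "$SAMPLE_WINDOWS" | link_status)"
```

A "lossy" result points at the local network rather than the VPN service, so fix the wired or wireless connection before retrying GlobalProtect.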

  2. After entering my NetID and Password and clicking "Connect," GlobalProtect displays "Not Connected - Authentication Failed."

    1. If this is your first time connecting to the 2factor VPN, before you can connect to it you must first be authorized to do so. If you have not been told that you are authorized to connect but you need to connect to the VPN, see 2factor VPN - Request Access to Palo Alto GlobalProtect VPN.

    2. There are multiple 2factor VPN services, such as the HRS and Cybersecurity VPNs. The VPN you are attempting to connect to is determined by the string you enter in the "Portal" field in GlobalProtect. Make sure you are properly entering the string for the VPN that you are authorized to connect to. See 2factor VPN - Connect to VPN with the Palo Alto GlobalProtect Client.

    3. GlobalProtect uses your NetID and NetID password for authentication. To verify that you are using the correct credentials, click on https://my.wisc.edu and attempt to log in. If you are able to log in, you are using the correct credentials and you can close out of MyUW. If you see the message "error: login failed," you are not using the correct credentials. See NetID - Recovering a Forgotten NetID to determine your NetID, and/or NetID - Recovering a Forgotten NetID Password to reset your password.

    4. If you have tried the above troubleshooting steps and you still get the Authentication Failed error when connecting, contact uwdigitalid@doit.wisc.edu for assistance.

  3. After entering my NetID and Password and clicking "Connect," GlobalProtect displays "Connecting" but the OTP entry window doesn't appear.

    1. The OTP input window may pop up on another monitor if you use multiple monitors. On rare occasions, it has been reported to appear behind other windows. To be certain the OTP input box isn't being covered, try minimizing all windows other than GlobalProtect, and check all monitors for the input box.

    2. Verify that you are not connected to another VPN, such as WiscVPN via Cisco AnyConnect. Connecting to multiple VPNs on one computer (whether in the same Operating System or in a virtual environment) is not a supported configuration and should be avoided.

    3. On rare occasions, your GlobalProtect configuration may become corrupt. This can be resolved by uninstalling and reinstalling GlobalProtect. See 2factor VPN - Download and Install the Palo Alto GlobalProtect Client.

    4. If you have tried the above troubleshooting steps and you still do not get prompted for your OTP code when connecting, contact uwdigitalid@doit.wisc.edu for assistance.

  4. After being prompted for and entering my OTP code, GlobalProtect displays "Re-enter your password."

    1. You may have waited too long before entering your OTP code, or simply mistyped it. Re-enter your password and click Connect. When prompted for your security code, attempt to enter the 6-digit OTP code from your OTP device.

    2. If you use the Symantec VIP Access smartphone application, your OTP code will not work after you re-install the application. This scenario applies when you:

      • Uninstall the VIP Access application from your smartphone and re-install it.
      • Obtain a new smartphone and install VIP Access on it.
      • Reset your smartphone to factory defaults and re-install VIP Access.
      • Restore your smartphone from a backed-up version/image of Android or iOS.

      If you believe this applies to you, you can determine whether this is the issue by verifying your OTP Serial Number:

      1. Log in to https://uwdigitalid.wisconsin.edu/
      2. Click View My Digital IDs
      3. Next to OTP Token - Phone, you will see your OTP Serial Number.

      If the Serial Number found above doesn't match the Serial Number displayed at the top of the screen in your VIP Access smartphone application, you will need to be credentialed by an LRA in order for your OTP device to work again. Detailed instructions are available here.

    3. If you have tried the above troubleshooting steps and your OTP code still isn't working, it is possible that you have been locked out of your OTP device due to too many failed authentication attempts. Please contact uwdigitalid@doit.wisc.edu for assistance.

Keywords: mfa palo alto global protect globalprotect faq
Doc ID: 69135
Owner: Charles C.
Group: UW Digital ID
Created: 2016-11-30 18:23 CDT
Updated: 2017-08-10 09:20 CDT
Sites: Access Management Services, DoIT Help Desk, DoIT Tech Store, Human Resource System (HRS), UW Digital ID