VPN client not connecting on macOS

Problem

On a macOS computer the GlobalProtect VPN client is not able to connect.

Solution

In macOS 10.13, Apple introduced a new feature that requires users to approve any third‐party extensions (KEXTS). Although the GlobalProtect app is compliant with the KEXT change, the pop‐up prompts can cause confusion. The pop-up alert will indicate that a System Extension has been blocked and to enable the extension go to the Security & Privacy System Preferences pane. You only have 30 minutes to approve the KEXT 

There are two possibilities for what the problem might be and the relevant solution.

https://developer.apple.com/library/archive/technotes/tn2459


 VPN client upgrade

If the macOS system had an older VPN client installed and the connection problem started after the client was upgraded then the GlobalProtect enforcer kernel extension may not have updated correctly. Follow these steps to fix this problem.

  1. Uninstall the GlobalProtect client for macOS.
  2. Determine if the GlobalProtect enforcer kernel extension exists on the macOS system.
    Open the Terminal application under the Applications > Utilities folder, then enter the following command:
    kextstat | grep gplock
  3. If the extension exists, unload the enforcer.
    Enter the following command on the Terminal application to unload the enforcer:
    sudo kextunload -b com.paloaltonetworks.GlobalProtect.gplock
  4. Prevent the enforcer from reloading after a reboot.
    Enter the following command on the Terminal application to remove the enforcer from the macOS hard
    disk:
    sudo rm -r "/System/Library/Extensions/gplock.kext"*
  5. Download and Install the GlobalProtect App for Mac.


 New VPN client install

If the GlobalProtect client has never been installed on the macOS system before, then follow these steps to fix this problem.

Initially you can just try removing and re-installing the GlobalProtect client. At some point during the installation you might be prompted to approve a third‐party extension (KEXT), PXPZ95SK77.

If that does not work you can manually approve the Palo Alto Networks third-party extension, PXPZ95SK77.

  1. Boot the Apple system into macOS Recovery, https://support.apple.com/en-us/HT201314
  2. Click the Utilities menu in the menu bar and select the Terminal application.
  3. In the Terminal command prompt use the spctl kext-consent command below to add the Team ID PXPZ95SK77 to allow Palo Alto Networks as a third-party extension that macOS can load without user approval.
    spctl kext-consent add PXPZ95SK77
  4. Restart the system
  5. remove/uninstall the GlobalProtect client
  6. re-install the GlobalProtect client