topic Unable to connect to a single Prisma Access gateway location with MacOS in Prisma Access Discussions

Unable to connect to a single Prisma Access gateway location with MacOS

AaronRedd — Fri, 11 Mar 2022 17:55:27 GMT

Hey everyone,

We are experiencing an interesting issue and was curious if anyone else has come across something similar. We have a mix of Windows and Mac endpoints, with multiple mobile user regional gateway locations. When connecting to one location (specifically UK location), our Mac systems simply will not connect. GP client continually 'loops' (connected/not connected/connecting). Mac systems connecting to any other regional gateway location work as expected. The issue does not appear for Windows systems -- those users can connect just fine to any gateway including UK.

I've had a TAC case open since September with limited success -- we are able to connect to a TAC UK gateway with our Mac's. This leads me to think it's "something" in the policy (Wildfire Inline ML perhaps??). This constant cycling between connected/reconnecting preventing us from fully deploying

Any thoughts/suggestions?

Re: Unable to connect to a single Prisma Access gateway location with MacOS

nikoolayy1 — Wed, 27 Apr 2022 22:47:57 GMT

As with prisma access only Palo Alto can do packet capture, check counters or flow logs the only thing you can check is the globalprotect agent PanGPS/PanGPA logs and on Panorma the Globalprotect logs. Also you can check the Portal config there is anything special for MAC devices as they can have a seperate policy even without HIP being enabled.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-the-globalprotect-app-software/view-and-collect-globalprotect-logs

Also I don't renember if you could do a policy trace for Prisma Access on the Panorama as yoiu may have some security policy blocking the vpn for UK for MAC devices for example

Also it is interesting where your cortex data lake is located if this could be related but maybe not as palo alto would have seen this.

Re: Unable to connect to a single Prisma Access gateway location with MacOS

AaronRedd — Fri, 29 Apr 2022 15:35:54 GMT

Thanks for the info!

It turns out the UK gateway received a #.#.#.0 address, which is a valid IP based on the subnet mask, but something in the way that Mac's handle this is as if it's a broadcast address. Palo Alto ended up changing the backend IP to an IP that did not end in zero.

Re: Unable to connect to a single Prisma Access gateway location with MacOS

andrewwww — Mon, 02 May 2022 04:57:22 GMT

@nikoolayy1 wrote:
As with prisma access only Palo Alto can do packet capture, check counters or flow logs the only thing you can check is the globalprotect agent PanGPS/PanGPA logs and on Panorma the Globalprotect logs. Also you can check the Portal config there is anything special for MAC devices as they can have a seperate policy even without HIP being enabled.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-the-globalprotect-app-software/view-and-collect-globalprotect-logs

Also I don't renember if you could do a policy trace for Prisma Access on the Panorama as yoiu may have some security policy blocking the vpn for UK for MAC devices for example

Also it is interesting where your cortex data lake is located if this could be related but maybe not as palo alto would have seen this.

Ohh thanks for the information sir,

@AaronRedd wrote:
It turns out the UK gateway received a #.#.#.0 address, which is a valid IP based on the subnet mask, but something in the way that Mac's handle this is as if it's a broadcast address. Palo Alto ended up changing the backend IP to an IP that did not end in zero.

what, That i really don't known