https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/469653#M102951 <P>Hi!</P><P>I've recently had someone complain that the native macOS/OSX VPN<BR />client wouldn't connect to the VPN (PANOS 8.0.6). Turns out that they<BR />were using an unsupported macOS version, and weren't using the<BR />globalprotect client 'because it didn't work'. The official response<BR />to them is a) get a supported version of macOS b) use the<BR />GlobalProtect client.</P><P>But it got me curious.</P><P>Way back when we replaced a very crufty VPN box with the Palo Altos, I<BR />spent some time testing various VPN clients and the macOS native VPN<BR />client worked fine. Does anyone know if Apple have 'done something' to<BR />break it? Know of a fix?</P><P>I'm suspecting it's Apple to blame here - 3rd party VPN clients such<BR />as Linux (Fedora Core 26) vnpc, Android (vpnzilla), and iOS<BR />(reportedly) all work fine.</P><P>The experience on a macOS device is that the VPN client successfully<BR />connects, but no packets appear to flow either way.</P><P>&nbsp;</P><LI-CODE lang="markup">✓ msm@TrwynMochyn» ifconfig utun1 utun1: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1280 options=6403&lt;RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM&gt; inet 148.197.84.55 --&gt; 148.197.84.55 netmask 0xffffffff ✓ msm@TrwynMochyn» netstat -in | grep utun1 utun1 1280 &lt;Link#15&gt; 0 0 0 0 0 utun1 1280 148.197.84.55 148.197.84.55 0 - 0 - - ✓ msm@TrwynMochyn» ping 148.197.84.55 PING 148.197.84.55 (148.197.84.55): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 Request timeout for icmp_seq 3 Request timeout for icmp_seq 4 Request timeout for icmp_seq 5 Request timeout for icmp_seq 6 ^C --- 148.197.84.55 ping statistics --- 8 packets transmitted, 0 packets received, 100.0% packet loss</LI-CODE><P>&nbsp;</P><DIV><DIV><DIV class="">&nbsp;</DIV><DIV class=""><DIV class=""><P class="">&nbsp;</P><P class="">&nbsp;</P></DIV></DIV></DIV></DIV> Wed, 02 Mar 2022 03:53:34 GMT dolonipo 2022-03-02T03:53:34Z https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/469653#M102951 <P>Hi!</P><P>I've recently had someone complain that the native macOS/OSX VPN<BR />client wouldn't connect to the VPN (PANOS 8.0.6). Turns out that they<BR />were using an unsupported macOS version, and weren't using the<BR />globalprotect client 'because it didn't work'. The official response<BR />to them is a) get a supported version of macOS b) use the<BR />GlobalProtect client.</P><P>But it got me curious.</P><P>Way back when we replaced a very crufty VPN box with the Palo Altos, I<BR />spent some time testing various VPN clients and the macOS native VPN<BR />client worked fine. Does anyone know if Apple have 'done something' to<BR />break it? Know of a fix?</P><P>I'm suspecting it's Apple to blame here - 3rd party VPN clients such<BR />as Linux (Fedora Core 26) vnpc, Android (vpnzilla), and iOS<BR />(reportedly) all work fine.</P><P>The experience on a macOS device is that the VPN client successfully<BR />connects, but no packets appear to flow either way.</P><P>&nbsp;</P><LI-CODE lang="markup">✓ msm@TrwynMochyn» ifconfig utun1 utun1: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1280 options=6403&lt;RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM&gt; inet 148.197.84.55 --&gt; 148.197.84.55 netmask 0xffffffff ✓ msm@TrwynMochyn» netstat -in | grep utun1 utun1 1280 &lt;Link#15&gt; 0 0 0 0 0 utun1 1280 148.197.84.55 148.197.84.55 0 - 0 - - ✓ msm@TrwynMochyn» ping 148.197.84.55 PING 148.197.84.55 (148.197.84.55): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 Request timeout for icmp_seq 3 Request timeout for icmp_seq 4 Request timeout for icmp_seq 5 Request timeout for icmp_seq 6 ^C --- 148.197.84.55 ping statistics --- 8 packets transmitted, 0 packets received, 100.0% packet loss</LI-CODE><P>&nbsp;</P><DIV><DIV><DIV class="">&nbsp;</DIV><DIV class=""><DIV class=""><P class="">&nbsp;</P><P class="">&nbsp;</P></DIV></DIV></DIV></DIV> Wed, 02 Mar 2022 03:53:34 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/469653#M102951 dolonipo 2022-03-02T03:53:34Z https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/469921#M102972 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211253">@dolonipo</a>,</P> <P>Just FYI, you really need to update that firewall. PAN-OS 8.0 was EoL way back on October 31st of 2019.</P> <P>&nbsp;</P> <P>As to your question, macOS recently had a number of certificate modifications that changed the default validity to 398 days.&nbsp;<A href="https://support.apple.com/en-us/HT211025" target="_blank">https://support.apple.com/en-us/HT211025</A></P> Wed, 02 Mar 2022 21:47:26 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/469921#M102972 BPry 2022-03-02T21:47:26Z https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/470070#M102987 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;wrote:<BR /><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211253">@dolonipo</a>,</P><P>Just FYI, you really need to update that firewall. PAN-OS 8.0 was EoL way back on October 31st of 2019.</P><P><A href="https://wordle.onl" target="_self"><FONT size="1 2 3 4 5 6 7" color="#FFFFFF">Wordle</FONT></A></P><P>As to your question, macOS recently had a number of certificate modifications that changed the default validity to 398 days.&nbsp;<A href="https://support.apple.com/en-us/HT211025" target="_blank" rel="noopener">https://support.apple.com/en-us/HT211025</A></P><HR /></BLOCKQUOTE><P>Thanks! I will work on it.</P> Thu, 03 Mar 2022 09:05:24 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-client-with-panos8/m-p/470070#M102987 selinaclay 2022-03-03T09:05:24Z