https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15310#M11250 <HTML><HEAD></HEAD><BODY><P>In the GUI, Virtual Router --&gt; Static Routes</P><P>Destination 10.2.0.0/16 and the tunnel interface, metric 10, next hop none.</P><P></P><P>Traceroute times out without a list of hops.</P></BODY></HTML> Fri, 12 Jul 2013 20:59:40 GMT God 2013-07-12T20:59:40Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15302#M11242 <HTML><HEAD></HEAD><BODY><P>We have a SSL VPN setup through the Global Protect Gateway. The SSL-VPN tunnel is in its own zone and I have an any - any rule for this zone to my trusted zone. I am able to pass traffic to one interface in a trusted zone but I am not able to pass traffic to another interface in the trusted zone. What am I missing?</P></BODY></HTML> Fri, 12 Jul 2013 19:32:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15302#M11242 God 2013-07-12T19:32:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15303#M11243 <HTML><HEAD></HEAD><BODY><P>are you sure you configured an unused pool for vpn clients ?</P><P>can you share interface ip's of Trust and VR table </P></BODY></HTML> Fri, 12 Jul 2013 19:40:01 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15303#M11243 Retired Member 2013-07-12T19:40:01Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15304#M11244 <HTML><HEAD></HEAD><BODY><P>We are using an unused pool for vpn clients. interface eth1/2, eth1/2.161, and eth1/4 are all in the trust network. I can get to eth2 but not the others.</P><P></P><P>&nbsp;&nbsp; interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id&nbsp;&nbsp;&nbsp; vr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; address</P><P>&nbsp; - ---------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -------</P><P>&nbsp; * tunnel&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp; default</P><P>&nbsp; * ethernet1/1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16&nbsp;&nbsp;&nbsp; default&nbsp; 199.96.116.59/28</P><P>&nbsp; * ethernet1/2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 17&nbsp;&nbsp;&nbsp; default&nbsp; 192.168.11.4/24</P><P>&nbsp; * ethernet1/4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19&nbsp;&nbsp;&nbsp; default&nbsp; 10.2.100.255/16</P><P>&nbsp; * ethernet1/2.161&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 259&nbsp;&nbsp; default&nbsp; 192.168.161.6/24</P><P>&nbsp; * default/i3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 61441 default</P></BODY></HTML> Fri, 12 Jul 2013 19:53:35 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15304#M11244 God 2013-07-12T19:53:35Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15305#M11245 <HTML><HEAD></HEAD><BODY><P>so you mean although you have interface management profile with ping(if not do that for troubleshoot)</P><P>you can not ping any except eth1/2</P></BODY></HTML> Fri, 12 Jul 2013 20:02:36 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15305#M11245 Retired Member 2013-07-12T20:02:36Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15306#M11246 <HTML><HEAD></HEAD><BODY><P>Ok, We are getting somewhere. I can ping eth1/2 and eth1/4 but I cannot ping anything else on the eth1/4 network but I can on the eth1/2 network. Seems like a routing issue somewhere but I don't know where. I added 10.2.0.0/16 to the access route list in the GlobalProtect Gateway client config. I also added 10.2.0.0/16 to the static route table of the tunnel interface.</P></BODY></HTML> Fri, 12 Jul 2013 20:12:38 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15306#M11246 God 2013-07-12T20:12:38Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15307#M11247 <HTML><HEAD></HEAD><BODY><P>what is the vpn pool ?</P></BODY></HTML> Fri, 12 Jul 2013 20:15:33 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15307#M11247 Retired Member 2013-07-12T20:15:33Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15308#M11248 <HTML><HEAD></HEAD><BODY><P>The VPN pool is: 192.168.251.250-192.168.251.252. (I am keeping it small for now).</P></BODY></HTML> Fri, 12 Jul 2013 20:18:05 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15308#M11248 God 2013-07-12T20:18:05Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15309#M11249 <HTML><HEAD></HEAD><BODY><P>"I also added 10.2.0.0/16 to the static route table of the tunnel interface." what do you mean with that</P><P>look for traceroute on the vpn client</P></BODY></HTML> Fri, 12 Jul 2013 20:23:49 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15309#M11249 Retired Member 2013-07-12T20:23:49Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15310#M11250 <HTML><HEAD></HEAD><BODY><P>In the GUI, Virtual Router --&gt; Static Routes</P><P>Destination 10.2.0.0/16 and the tunnel interface, metric 10, next hop none.</P><P></P><P>Traceroute times out without a list of hops.</P></BODY></HTML> Fri, 12 Jul 2013 20:59:40 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15310#M11250 God 2013-07-12T20:59:40Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15311#M11251 <HTML><HEAD></HEAD><BODY><P>Problem resolved. Using multiple gateways outbound to the internet.&nbsp; Thank you for your responses.</P></BODY></HTML> Fri, 12 Jul 2013 21:31:06 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ssl-traffic/m-p/15311#M11251 God 2013-07-12T21:31:06Z