topic trouble with GRE tunnel to Netskope in General Topics

trouble with GRE tunnel to Netskope

1treelanedrv — Tue, 09 Jul 2024 20:34:20 GMT

Scenario: Panorama managed VM-700s. 10.2.9-h1. using template stack. Netskope is a cloud web proxy.

We setup new tunnel interface, GRE tunnel, static route, network monitor, allow rule, no-NAT rule, and PBF. We use a PBF because Netskope requires it.

Clients don't go down the tunnel. I can't ping the probe IP from the clients nor from the firewall using ping source [tunnel_IP] host [probe_IP]

If I enable Keep Alive the tunnel goes down because I can't ping the probe IP.

Coworkers, Netskope support, Palo support, and a 3rd party consultant can't find anything wrong.

Any known gotchas with this? Troubleshooting ideas?

Re: trouble with GRE tunnel to Netskope

1treelanedrv — Wed, 17 Jul 2024 16:25:52 GMT

Netskope escalated the ticket and said I should change the static route destination to their public IP. but no change in the problem. New drawing attached.

Keep in mind we have the Keep Alives disabled because if they are enabled the Tunnel interfaces goes DOWN.

We then disabled the PBF Rule Monitoring option, and then the PBF rules goes UP.

At that point, the test client started hitting the PBF, but no websites are working. Packet Capture shows no return traffic. Netskope then said it's a Palo problem. Palo ticket is still open and pcaps are being looked at.

Re: trouble with GRE tunnel to Netskope

1treelanedrv — Tue, 30 Jul 2024 13:44:39 GMT

The solution was to create an additional No-NAT rule. We already had No-NAT from our test clients to Any destination with interface being the tunnel.1.

However, the packet diagnostics found the need to have an inbound rule from Netskope's Peer IP to our public interface Source IP. Untrust to untrust zone. Any service (because GRE is a protocol not available for selection). And targeting that Ethernet1/1 interface.

Inbound: Netskope Peer (4.1.1.4) to Palo Ethernet 1/1 (3.1.1.3). Zone untrust to untrust. Any service. interface Eth1/1.
Last piece to allow tunnel traffic inside.

Outbound: Inside Test Clients to Any destination. Zone trusted to untrust. Service tcp 80/443. interface Tunnel.1.

Re: trouble with GRE tunnel to Netskope

jzsaiz — Wed, 14 Aug 2024 08:01:14 GMT

Hello,

We are in a very similar situation to the one you describe in your case. After applying the "No-NAT" solution, were you able to re-enable the Keep Alives in the tunnels?

Regards

Re: trouble with GRE tunnel to Netskope

1treelanedrv — Wed, 14 Aug 2024 14:32:45 GMT

Yes, we were able to enable Keep Alives on the GRE Tunnels and the PBF Monitor. Funny thing is, I have since disabled the inbound NAT rule and the tunnel stays up. I also engaged a new consultant and he said he's never heard of that being necessary to get the tunnel working. I found the only way I could break the tunnel was by deleting the GRE Tunnel at Panorama. Disabling it wasn't enough. Kinda making me crazy.

I'd love to hear if that solves your problem. Let us know.