topic Remote VPN gateway - IKE intitiator drop on Palo FW in General Topics

Remote VPN gateway - IKE intitiator drop on Palo FW

PA_nts — Thu, 14 Nov 2024 10:17:46 GMT

Hi all,

so a weird issue..

i have a pa1410 with multiple VPNs all working happy days.

I have one client with a linux software based FW (cant recall fw vendor)

we are using same ike/ipsec settings both ends all is good..

if i initiate vpn (test vpn ike-sa gateway xxxx) from Palo side, the VPN comes up and all is working..

however if client initiates phase1 nothing happens..

Palo FW packet capture shows their ike being dropped on the Palo for some reason and cannot figure out why. nothing in the logs either with session start enabled on my deny rules for tshooting this issue.

in ikemgr.log i also see nothing..

I have tried setting my ike gateway in passive mode but no luck also.

any ideas?

thanks in adv

Re: Remote VPN gateway - IKE intitiator drop on Palo FW

jmckinzie — Thu, 14 Nov 2024 19:07:07 GMT

Hello, I have found out that the Linux GP client has issues with it at times. I have suggested having the Linux users use "openConnect" which is a free download software. Below is the way that we have the users log into the VPN on it and it seems to work without any issues.

Just need to see what way works for you on it.

sudo apt install globalprotect-openconnect

sudo openconnect --protocol=gp -u username@<Domain Info> vpn.*.*/gateway or
sudo openconnect --protocol=gp -u username vpn.*.*/gateway

Re: Remote VPN gateway - IKE intitiator drop on Palo FW

PA_nts — Fri, 15 Nov 2024 06:13:08 GMT

Forgot to add.. this is related to S2S VPN and not globalprotect ssl vpn.

Re: Remote VPN gateway - IKE intitiator drop on Palo FW

CosminM — Fri, 15 Nov 2024 06:24:25 GMT

Hello @PA_nts

I suggest you to run a flow basic debuging: https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-flow-basic-debugging/ta-p/545999

Re: Remote VPN gateway - IKE intitiator drop on Palo FW

Edsnow — Fri, 15 Nov 2024 06:39:08 GMT

In the packet capture if you are seeing the packets are captured on the drop stage.

you can see the drop reasons using global counters. refer below kbs

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXOCA0

Re: Remote VPN gateway - IKE intitiator drop on Palo FW

PA_nts — Fri, 15 Nov 2024 08:47:39 GMT

thanks for feedback.. issue fixed.

Did the global filters and found the following drop reason...

flow_policy_nat_land 1 0 drop flow session Session setup: source NAT IP allocation result in LAND attack

Then looked at my NAT rules and found my DNAT to be misconfiguration.. ouch 🙂

it had src zone set to 'any' with source net 'any' to dst zone 'untrust' zone and hide nat behind egress interface IP..

changed the sources from any to stipulate my internal network zones and networks, did a commit and issue solved.

cheers all!

Re: Remote VPN gateway - IKE intitiator drop on Palo FW

Edsnow — Sat, 30 Nov 2024 16:36:27 GMT

Please accept as a solution if the reply resolve the issue.