topic Re: Cisco Systems VPN Adapter in General Topics

Cisco Systems VPN Adapter

bcsgroup — Thu, 26 Jan 2012 06:40:12 GMT

Hi,

I see there is now support for Cisco Systems VPN Adaper however I am trying to figure out what exactly is supported am I now able to connect to the firewall via cisco IPSEC VPN from the Cisco VPN Client software or is this support for something else?

I ask as we have engineers that connect to many sites and global rotect is not geared this way.

Thanks,

Re: Cisco Systems VPN Adapter

jdelio — Thu, 26 Jan 2012 19:06:36 GMT

I tried looking through the more recent Release Notes, and I was not able to find much on this.

Do you mind me asking where you saw that referenced? I have a partial answer, but want to wait your answer.

Kind Regards,

Re: Cisco Systems VPN Adapter

bcsgroup — Thu, 26 Jan 2012 20:12:29 GMT

Hi,

In the portal when I click Client Configuration I can add a third party adapter. So was not sure what that was in referance to.

If you have more info on it that would be great. I am still trying to get my head around global protect.

Re: Cisco Systems VPN Adapter

bmorrison — Thu, 26 Jan 2012 21:09:19 GMT

We use Cisco VPN Client 5.0 to connect to PA's. The Portal must be configured with the Cisco VPN Adapter being allowed, and the Gateway needs to use tunnel mode with XAuth (Group Name/Secret). Have you attempted connection with these settings?

Re: Cisco Systems VPN Adapter

jdelio — Thu, 26 Jan 2012 21:51:00 GMT

Thanks BCSGROUP,

It is possible that Cisco IPSEC clients with the XAUTH feature could work, but it is not tested or supported at this time for Windows, Linux or Mac-OS.

The other thing that I heard/read was that the routes for the desntination network may not show up, and as long as you are manually adding in the routes, then you might be OK.

Re: Cisco Systems VPN Adapter

bcsgroup — Fri, 27 Jan 2012 03:30:44 GMT

Thanks for the info.

Any chance I can get some info on how this is done do you just create a portal with these settings or do you have to do the full global protect config?

Re: Cisco Systems VPN Adapter

bmorrison — Fri, 27 Jan 2012 13:37:15 GMT

@bcsgroup:

although not officially supported, the Cisco VPN Client does work. It does not append the mask/gateway to your client, but you should still have no issues connecting to devices within your local network.

You must configure the Portal/Gateway under Network>GlobalProtect and use a tunnel interface placed inside the appropriate security zone. Remember to create/use your certificates appropriately and have them configured for use on the Gateway(certificate) and Portal(CA, and certificate).

Under Portal:

Create a profile using your local interface (external) and local IP that you wish to use for VPN connectivity. Choose the standard certificate that is signed by the CA used in your Client Configuration, and choose your authentication methods. Under Client Configuration setup a profile using your external IP/mask for connectivity with Priority 1 and choose your Root CA.

Under Gateway:

Ensure that you have tunnel mode chosen and checked Enable IPSec, check Enable X-Auth Support (verify group name and group password), and check Skip Auth on IKE Rekey.

Choose your external Tunnel Gateway Interface and Address used for the VPN/Portal, and under Client configuration make sure you have your DNS, VPN IP-Pool, and Access Route configured.

under Policies>Security:

Ensure that you have a rule above any blocking statements that allow ipsec, ike, ssl, web-browsing, and ciscovpn applications to your VPN Gateway IP.

Using Cisco VPN Client:

setup the connection profile with the Gateway IP, group name, and group password. Connect and enter your credentials.

If you have any issues, enter the log responses here.

Re: Cisco Systems VPN Adapter

BLepenik — Thu, 19 Apr 2012 11:41:32 GMT

Hi,

I also configured PA to work with CISCO VPN Client and it works OK. The only problem is that the connection get expired after one hour and the client must reconnect. I can not find the setting to change this expiration time. Do you have any idea how to chang this life time ?

Re: Cisco Systems VPN Adapter

singersit — Mon, 23 Apr 2012 10:25:27 GMT

Hi,

I have managed to configure the Cisco VPN client to work along-side our PA firewalls.

Much better client than Global Protect as it behaves like it should and works with corporate proxy settings as expected!

Thanks for the info.

Re: Cisco Systems VPN Adapter

wscmtts — Mon, 23 Apr 2012 14:09:56 GMT

lancom,

which PAN-OS version? This bug was fixed in 4.0.8.

33542 – SSL VPN user to IP mappings are being lost after about an hour in an HA configuration when the mappings do not contain information. Issue due to idle timeout and maximum ttl not matching the expiration ttl of the SSL VPN connections.

Re: Cisco Systems VPN Adapter

BLepenik — Mon, 23 Apr 2012 15:43:56 GMT

wscmtts,

I have PANOS 4.1.2 and this is not the same problem. I configured Gateway with IPSec and X_Auth support. As client I use CISCO VPN client 5 which support only IPSec VPN connections. When I open "More Users Info" window to see active connection a have a LIfetime of connection set to 3660 sec. When I configured gateway I set login lifetime parameter to 24 hours. I also get an System log message that IPSec key has expired. I just do not know where I can change this parameter.

Re: Cisco Systems VPN Adapter

licenselu — Thu, 26 Jul 2012 06:55:08 GMT

Hello lancom,

Did you find a solution to the lifetime timer (3660 sec).

I run into the same issue...

Regards,

Hedi

Re: Cisco Systems VPN Adapter

BLepenik — Thu, 26 Jul 2012 07:22:08 GMT

Hi,

I still have an open case on this matter. We find out that it is the same problem with iPad nativ client which is supported by Palo Alto.

So i'm waiting for a response from support team.

Re: Cisco Systems VPN Adapter

u14441 — Tue, 14 Aug 2012 15:43:19 GMT

Hi Iancom,

If you hear back can you leave a post, as I am having the same issue!

Thanks

Re: Cisco Systems VPN Adapter

enkim — Mon, 08 Oct 2012 10:57:28 GMT

does your case close and get a workaroud?

could you please share a solution?

Re: Cisco Systems VPN Adapter

steve.chupack — Thu, 18 Oct 2012 15:48:42 GMT

Bump. Same problem here, PA-2050, version 4.1.9. I have tried all the suggestions in the forum, but connections from Android and Linux devices timeout after about an hour.

In the logs, I see this:

IPSec key installed. Installed SA: 65.183.159.2[4500]-24.218.166.37[4500] SPI:0x8CB61A86/0x73498191 lifetime 3300 Sec lifesize unlimited

followed by (surprise, surprise!) about 3300 seconds later. 😉

IKE phase-1 SA is expired SA: 65.183.159.2[4500]-24.218.166.37[4500] cookie:ffe6e33d5c27a2f5:6253cd787672d842.

This is really a shame, because the connection works flawlessly, but in our environment timing out and having to manually reconnect isn't going to fly.

Re: Cisco Systems VPN Adapter

BeyondTrust — Fri, 23 Aug 2013 00:28:32 GMT

Hi,

I tried everything you mentioned and I can connect using iOS with no problem. For the life of me, I can't get the Cisco VPN client to even connect, no response from peer. The one confusing me is the security policy rule you mentioned. Would it be from untrust to untrust as far as the zones since the interface IP is in the untrust zone?