topic Re: SSL VPN Problem in General Topics

SSL VPN Problem

peterpan13888 — Mon, 30 Sep 2013 13:36:03 GMT

Hi all,

I have configured SSL VPN on my Palo Alto and it is working properly (e.g., internal websites, ssh, rdp, etc remotely) except accessing our corporate shared folder on our Windows server. However, this problem does not happen to our existing SSL VPN product that I am supposed to replace. Do I miss any steps or need additional configurations?

Thanks!

Peter Man

Re: SSL VPN Problem

Retired Member — Mon, 30 Sep 2013 13:40:38 GMT

Check your windows server's routing table and be sure traffic is coming back to paloalto so that clients can access from vpn.

you can debug with traceroute and packet capture

Also check if vpn user can send traffic to that server or not ?

can they access to other servers on the same zone ?

Re: SSL VPN Problem

Oleksandr — Mon, 30 Sep 2013 16:10:16 GMT

Check your "Application" for msrpc and netbios-ss in your Policy rules

Re: SSL VPN Problem

mbutt — Mon, 30 Sep 2013 17:10:06 GMT

Hi,

You will need to verify if the application needed are being allowed in the security policy.

To further narrow down the issue you can use the following commands to debug the issue.

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. open 2 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage.

This will help you narrow down the issue.

Let us know if this helps you resolve the issue.

Thanks

Numan

Re: SSL VPN Problem

peterpan13888 — Mon, 07 Oct 2013 21:22:13 GMT

I think it is "any" application