https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68965#M40109 <P>I was curious if anybody else has seen this issue, or could perhaps try to duplicate it.</P> <P>&nbsp;</P> <P>I have a problem with third party VPN clients after upgrading from PanOS 6.1.6 to 7.0.3 on our PA-3020s.&nbsp; Specifically, the built-in IPSec VPN client on Mac OSX (10.11/el capitan) and iOS (9.1).&nbsp; They can connect, but a simple ping test shows packet loss near 50%.</P> <P>&nbsp;</P> <P>I've been able to duplicate with 4 different clients and 2 different sites.&nbsp; Strangely, I can NOT duplicate the problem when connecting to sites with PA-200s.&nbsp; All sites are setup as an HA pair.&nbsp; All firewalls are running 7.0.3</P> <P>&nbsp;</P> <P>I was also not able to duplicate the issue with the ShrewSoft VPN client on Windows 7.</P> <P>&nbsp;</P> <P>Global Protect client works fine on the OSX devies.</P> <P>&nbsp;</P> <P>Packet captures on the firewall don't indicate any issue.&nbsp; All packets seem to traverse properly.</P> <P>&nbsp;</P> <P>The problem started right after the PanOS upgrade.</P> <P>&nbsp;</P> <P>I have an open support case with PaloAlto, but I wanted to see if anybody in the forums has seen this.&nbsp; I noticed the other threads indicating problems with 7.0.x, but nothing related to this.</P> <P>&nbsp;</P> <P>client (version) + site (model) = result<BR />---<BR />Mac OSX (10.11) + site_A (PA-3020) = problem<BR />iOS (9.1) + site_A (PA-3020) = problem<BR />Mac OSX (10.11) + site_B (PA-3020) = problem<BR />iOS (9.1) + site_B (PA-3020) = problem<BR /><BR />Mac OSX (10.11) + site_C (PA-200) = ok<BR />iOS (9.1) + site_C (PA-200) = ok<BR />Mac OSX (10.11) + site_D (PA-200) = ok<BR />iOS (9.1) + site_D (PA-200) = ok<BR /><BR />Windows 7 w/ Shrew Soft VPN Client (2.1.7) + site_A (PA-3020) = ok<BR />Windows 7 w/ Shrew Soft VPN Client (2.1.7) + site_B (PA-3020) = ok<BR />Windows 7 w/ Shrew Soft VPN Client (2.1.7) + site_C (PA-200) = ok</P> <P>&nbsp;</P> Thu, 03 Dec 2015 15:51:51 GMT alowther_chatham 2015-12-03T15:51:51Z https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68965#M40109 <P>I was curious if anybody else has seen this issue, or could perhaps try to duplicate it.</P> <P>&nbsp;</P> <P>I have a problem with third party VPN clients after upgrading from PanOS 6.1.6 to 7.0.3 on our PA-3020s.&nbsp; Specifically, the built-in IPSec VPN client on Mac OSX (10.11/el capitan) and iOS (9.1).&nbsp; They can connect, but a simple ping test shows packet loss near 50%.</P> <P>&nbsp;</P> <P>I've been able to duplicate with 4 different clients and 2 different sites.&nbsp; Strangely, I can NOT duplicate the problem when connecting to sites with PA-200s.&nbsp; All sites are setup as an HA pair.&nbsp; All firewalls are running 7.0.3</P> <P>&nbsp;</P> <P>I was also not able to duplicate the issue with the ShrewSoft VPN client on Windows 7.</P> <P>&nbsp;</P> <P>Global Protect client works fine on the OSX devies.</P> <P>&nbsp;</P> <P>Packet captures on the firewall don't indicate any issue.&nbsp; All packets seem to traverse properly.</P> <P>&nbsp;</P> <P>The problem started right after the PanOS upgrade.</P> <P>&nbsp;</P> <P>I have an open support case with PaloAlto, but I wanted to see if anybody in the forums has seen this.&nbsp; I noticed the other threads indicating problems with 7.0.x, but nothing related to this.</P> <P>&nbsp;</P> <P>client (version) + site (model) = result<BR />---<BR />Mac OSX (10.11) + site_A (PA-3020) = problem<BR />iOS (9.1) + site_A (PA-3020) = problem<BR />Mac OSX (10.11) + site_B (PA-3020) = problem<BR />iOS (9.1) + site_B (PA-3020) = problem<BR /><BR />Mac OSX (10.11) + site_C (PA-200) = ok<BR />iOS (9.1) + site_C (PA-200) = ok<BR />Mac OSX (10.11) + site_D (PA-200) = ok<BR />iOS (9.1) + site_D (PA-200) = ok<BR /><BR />Windows 7 w/ Shrew Soft VPN Client (2.1.7) + site_A (PA-3020) = ok<BR />Windows 7 w/ Shrew Soft VPN Client (2.1.7) + site_B (PA-3020) = ok<BR />Windows 7 w/ Shrew Soft VPN Client (2.1.7) + site_C (PA-200) = ok</P> <P>&nbsp;</P> Thu, 03 Dec 2015 15:51:51 GMT https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68965#M40109 alowther_chatham 2015-12-03T15:51:51Z https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68967#M40111 <P>hello,</P> <P>&nbsp;</P> <P>I don't know if we have the same issue, I also experienced some other bug with GP and because of them I had to downgrad to 6.1.8. But thank you for the information, this would be another reason for not upgrading <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <P>Do you configured your globalprotect gateways on loopback interfaces? if yes, then the problem might be the known issue 69458: Traffic for third-party IPSec clients is not routed correctly when using a loopback interface for a GlobalProtect gateway.</P> <P>Workaround: Use a physical interface instead of a loopback interface as the GlobalProtect gateway for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.</P> Thu, 03 Dec 2015 16:08:12 GMT https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68967#M40111 Remo 2015-12-03T16:08:12Z https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68972#M40115 <P>Thanks for the tip.&nbsp; The gateway is configured on a physical interface, so that bug wouldn't seem to apply.</P> Thu, 03 Dec 2015 16:56:00 GMT https://live.paloaltonetworks.com/t5/general-topics/third-party-vpn-clients-with-panos-7-0-3/m-p/68972#M40115 alowther_chatham 2015-12-03T16:56:00Z