topic Re: Native VPN client on android phone in General Topics

Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 16:16:50 GMT

I recently upgraded my PA 5050 to 7.1.9. Before that users could connect to the VPN could connect via their native VPN client on their android phones and today I got a call saying one user no longer could and it was failing on the encryption. Any ideas?

Re: Native VPN client on android phone

BPry — Thu, 15 Jun 2017 16:34:27 GMT

@jdprovine,

My initial reaction would be to verify that your x-auth setting didn't get reset to default and verify that they are using the proper group name and group password. It could be that the x-auth setting got modified back to it's default state or that their phone is simply misconfigured, since it specifically failed on encryption I would really be looking at verifying that the group name/password match what is actually on the firewall.

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 16:37:36 GMT

@BPry

I checked and x-auth is enabled

If it had changed wouldn't it have affected pc native clients too

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 16:38:58 GMT

What about skip x-auth on ike rekey would that cause it to fail? and would it cause it to fail on pc native clients and phone clients

Re: Native VPN client on android phone

BPry — Thu, 15 Jun 2017 16:41:52 GMT

@jdprovine,

If you are utilizing the PC's native client then yes. At that point I'm guessing it's something on the users phone if you have native clients connecting elsewhere; I would ask them to clear everything out and follow your setup instructions again, they could have inavertably modified something without realizing it. Another question to ask with an native client is if there device has updated recently, the OEM could have changed something on there end that the PA doesn't like.

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 16:44:18 GMT

@BPry

Thing is its a not a regular user but a networking guy LOL. So it probably doesn't have anything to do with the upgrade to the new OS of 7.1.9 on the PA

Re: Native VPN client on android phone

BPry — Thu, 15 Jun 2017 16:50:16 GMT

@jdprovine,

I would say with 98% certainty that this has nothing to do with the update to 7.1.9 if you are having clients utilizing native clients currently without any issue.

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 16:51:55 GMT

@BPry

Yes that was my thoughts as well since the release notes never mentioned any changed to the GP

Re: Native VPN client on android phone

Remo — Thu, 15 Jun 2017 17:40:22 GMT

@jdprovine wrote:
@BPry
I checked and x-auth is enabled
If it had changed wouldn't it have affected pc native clients too

Off topic: what OS do the computers have where you are using the native client?

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 18:00:53 GMT

@Remo @BPry

For now I only have reports of issues with the native clients on an Iphone and an android phones no word about pc's yet

Re: Native VPN client on android phone

Remo — Thu, 15 Jun 2017 18:23:43 GMT

@jdprovine

I'm really interessted in the OS, just because with windows 10 I was not able to configure it. And the reason after a little troubleshooting was that paloalto does not support strong enough ciphers for windows 10.

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 18:27:12 GMT

@Remo

so far I have tried it only on windows 8, I know you cannot configure the native client on windows 10 to work with the PA VPN, I am also going to test on a mac. I was also able to connect with the cisco vpn client and no longer can

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 19:26:26 GMT

would the tls version have anything to do with it

Re: Native VPN client on android phone

Remo — Thu, 15 Jun 2017 19:29:15 GMT

I don't think so because the native iOS / Android VPN clients do not connect with an SSL VPN tunnel. They use a plain ipsec vpn connection

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 19:40:52 GMT

so could it be a encryption issue something with isakmp

Re: Native VPN client on android phone

Remo — Thu, 15 Jun 2017 19:44:18 GMT

Could be ... Do you may be have something in the system logs when the clients tried to connect? Of if you don't know the connectiontimes: are there other messages which weren't there when a client tried to connect before the upgrade?

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 19:47:34 GMT

I do not have anything for the cisco client pre upgrade but I do for the global protect. the big difference seem to be protocol GP uses tls and tcp where the cisco uses iksakmp. the GP looks like it is using a web browser type connection and the cisco as you said a straight ipsec tunnel

Re: Native VPN client on android phone

jdprovine — Thu, 15 Jun 2017 22:12:53 GMT

other issue is that even before the upgrade the mac version of global protect has never worked that is why people are using the native client

Re: Native VPN client on android phone

TranceforLife — Fri, 16 Jun 2017 09:57:14 GMT

Same here. Not able to connect with the native iPhone vpn client connect to the GP-Gateway. I am not passing the P1. P1 is ok but failing on the P2. Doing debug of the connection but still no joy:

2017-06-16 10:48:53.299 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 55.55.55.55[500]-10.10.10.10.DD[30199] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: FRAGMENTATION
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: RFC 3947
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: CISCO-UNITY
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: DPD
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: Selected NAT-T version: RFC 3947
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: Adding remote and local NAT-D payloads.
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[30199] with algo #4
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[500] with algo #4
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: 2 fragments sent, total len 600.
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[4500] with algo #4
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT-D payload #0 verified
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[46937] with algo #4
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT-D payload #1 doesn't match
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT detected: PEER
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: reveived INITIAL-CONTACT notification.
2017-06-16 10:48:55.000 +0100 [INFO]: {1000007: }: Sending Xauth request
2017-06-16 10:48:55.000 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f lifetime 3600 Sec <====
2017-06-16 10:48:55.171 +0100 [INFO]: {1000007: }: GP gateway GP-GW-N domain user () from 10.10.10.10.DD login rtn 2 lifetime 3600
2017-06-16 10:48:55.171 +0100 [PWRN]: {1000007: }: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2017-06-16 10:48:55.172 +0100 [PWRN]: {1000007: }: Ignored attribute UNITY_BROWSER_PROXY
2017-06-16 10:49:11.483 +0100 [INFO]: {1000007: }: IKE ISAKMP KEY_DELETE recvd: cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f.
2017-06-16 10:49:11.505 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 55.55.55.55[500]-10.10.10.10.DD[30199] cookie:8de69a6a3cddc13f:0b788adbb7e9061e <====
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: FRAGMENTATION
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: RFC 3947
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: CISCO-UNITY
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: DPD
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: Selected NAT-T version: RFC 3947
2017-06-16 10:49:11.506 +0100 [INFO]: {1000007: }: Adding remote and local NAT-D payloads.
2017-06-16 10:49:11.506 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[30199] with algo #2
2017-06-16 10:49:11.506 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[500] with algo #2
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[4500] with algo #2
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT-D payload #0 verified
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[46937] with algo #2
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT-D payload #1 doesn't match
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT detected: PEER
2017-06-16 10:49:12.000 +0100 [INFO]: {1000007: }: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====
2017-06-16 10:49:12.000 +0100 [INFO]: {1000007: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====

Re: Native VPN client on android phone

jdprovine — Fri, 16 Jun 2017 12:42:21 GMT

@TranceforLife

Yes exactly what I am seeing that it is failing before phase 2, not sure what changed in the upgrade to 7.1.9 that would make this happen. What os version are you on? The GP client for mac is not working either does your's?