https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257507#M73043 <P>Routing is the most common issue I see for this symptom.&nbsp;Are you doing source-NAT for your GlobalProtect clients?</P><P>&nbsp;</P><P>Recall that the gateway config on the firewall defines the source IP pools for your clients, and assigns them based on that. If you are not doing NAT, then you'll just need to ensure that the networks you're trying to reach understand that they have to send the replies back to the firewall. If there's a more general/broad route on those networks' gateways, you'll need to use a more specific route for your GP clients source pool.</P> Fri, 12 Apr 2019 21:24:05 GMT gwesson 2019-04-12T21:24:05Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257462#M73031 <P>Hi All,</P><P>&nbsp;</P><P>I have configured Global Protect and I can successfully connect. My Palo Altos are configured to peer and route via BGP which is working without issue.</P><P>&nbsp;</P><P>My problem is I cannot reach anything once I am connected. I need at access two address ranges. From the CLI of the Palo I can ping the gateways of the networks I need to reach via the GlobalProtect connections. I cannot ping when connected via global protect.</P><P>&nbsp;</P><P>What I have noticed is that if I look at the more runtime stats in the virtual routers I can see the client pool subnet in the route table on interface Tunnel but not in the Forwarding table.</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Fri, 12 Apr 2019 17:28:42 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257462#M73031 a.jones 2019-04-12T17:28:42Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257507#M73043 <P>Routing is the most common issue I see for this symptom.&nbsp;Are you doing source-NAT for your GlobalProtect clients?</P><P>&nbsp;</P><P>Recall that the gateway config on the firewall defines the source IP pools for your clients, and assigns them based on that. If you are not doing NAT, then you'll just need to ensure that the networks you're trying to reach understand that they have to send the replies back to the firewall. If there's a more general/broad route on those networks' gateways, you'll need to use a more specific route for your GP clients source pool.</P> Fri, 12 Apr 2019 21:24:05 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257507#M73043 gwesson 2019-04-12T21:24:05Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257668#M73102 <P>Thanks. After a weekend of looking I resolved this on the connecting router. It seems there was some diverse routing going on so the default gateway was pointing to another path. Once I removed this other path and tidied the config the expected default route displayed as expected and I had routing.</P><P>&nbsp;</P><P>Nothing as good as taking over someones configuration it seems.</P><P>&nbsp;</P><P>Thanks for the advice.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Tue, 16 Apr 2019 06:46:49 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-issue-with-bgp-routing-configuration/m-p/257668#M73102 a.jones 2019-04-16T06:46:49Z