topic Re: global protect remote vpn unable to reach internal network? in General Topics

global protect remote vpn unable to reach internal network?

chuckles — Mon, 13 May 2019 21:38:27 GMT

im having big problem , after my remote vpn connects i cannot reach my internal network even though my core switch is directly connected to palo alto , i checked i set the access range for the vpn for 0.0.0.0/0 and i set a security rule from vpn zone to inside zone , also i can ping the inside interface on the firewall itself but not the directly connected core switch , when i check the traffic under monitor it all shows "aged out" , i even set a ip route to the vpn ip pool pointing to the inside of the firewall but with no use , im at a lose here

Re: global protect remote vpn unable to reach internal network?

OtakarKlier — Mon, 13 May 2019 21:52:46 GMT

Hello,

Its a routing issue from the sounds of it. In the switch make sure it has a route to the PAN regarding the VPN subnet. Also in the PAN make sure you have routes for the VPN subnet as well.

Regards,

Re: global protect remote vpn unable to reach internal network?

chuckles — Mon, 13 May 2019 22:05:40 GMT

the switch can reach the inside interface of the PAN as the inside network can reach the internet , but i dont understand how do i make route in the pan for the vpn subnet? like the vpn ip pool have no interface? do you mean like give the tunnel interface an ip address in the same vpn ip pool addresses and set a static route for the vpn ip pool through the tunnel ip address?

Re: global protect remote vpn unable to reach internal network?

Chacko42 — Tue, 14 May 2019 07:01:11 GMT

@chuckles: The GlobalProtect gateway is related to the vpn tunnel interface and so are the routes for the client ip pools.

You can do a traceroute from the switch (or a client behind the switch) to a vpn client and vice versa.

Then you got a clue, where the packets are misrouted.

You will have a transfer network between PA and your coreswitch - the transfernet address of the PA is the next hop for the VPN network from router view.

Do you use different virtual routers in your PA?

Re: global protect remote vpn unable to reach internal network?

xuserjam — Sun, 25 Jul 2021 08:56:00 GMT

Can somebody check this?

admin@PA850-FW1(active)> show session id 117862

Session 117862

c2s flow:
source: 10.0.1.51 [SNS_VPN]
dst: 10.0.0.2
proto: 1
sport: 1 dport: 12088
state: INIT type: FLOW
src user: vpn_user1
dst user: unknown

s2c flow:
source: 10.0.0.2 [SNS Trust]
dst: 10.0.1.51
proto: 1
sport: 12088 dport: 1
state: INIT type: FLOW
src user: unknown
dst user: vpn_user1
pbf rule: Web Access 1

start time : Sun Jul 25 13:27:24 2021
timeout : 6 sec
total byte count(c2s) : 74
total byte count(s2c) : 74
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 1
vsys : vsys1
application : ping
rule : GPZone_to_SNS_Zone
service timeout override(index) : False
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
session terminate tunnel : False
captive portal session : False
ingress interface : tunnel.1
egress interface : ae1
session QoS rule : N/A (class 4)
tracker stage firewall : Aged out
end-reason : aged-out

What I am missing here?
I can ping internal (trust) PA interface IP (10.0.0.254) from VPN connected host, but any host from the 10.0.0.x network is unreachable. 10.0.0.254 is the default GW.

Re: global protect remote vpn unable to reach internal network?

Remo — Sun, 25 Jul 2021 11:30:14 GMT

@xuserjam

Do you see arp entries for these hosts in the 10.0.0.0/24 subnet on the firewall? Do these IPs respond to ping? Are you able to ping these IPs directly from the firewall?