How Can IP Overlaps be Prevented with GlobalProtect


Issue

When a remote user connects to the corporate network with GlobalProtect, the computer will be assigned an IP address from the pool configured on the gateway. It is possible that this IP address overlaps the subnet that the workstation is already in, which will cause issues.

For example, a remote employee connects from a hotel room where the locally received IP address is in the 10.0.0.0/8 range. The IP pool available for GlobalProtect clients is 10.1.1.0/24. This causes a conflict because the IP pool falls inside the client's local subnet.

In this case, the following error is generated in System logs on the firewall: "Assign Private IP address failed".

 

Resolution

The recommended solution for this issue is to create a new IP pool in a different subnet and leave that new pool lower on the list. IP pools are used from the top down, but if the client is in a subnet that conflicts with the first IP pool, the firewall will assign an IP address from the second pool automatically.
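The following added example (not part of the original article and not Palo Alto Networks code) models the top-down selection described above, so an administrator can check an ordered pool list against typical client-side subnets before deploying it. The function names, the pool values other than 10.1.1.0/24, and the client subnets are constructed for illustration; the overlap test is an assumption about how a conflict is decided.

```python
import ipaddress

def parse_pool(spec):
    """Return the networks covered by a pool written as CIDR or 'first-last'."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]

def select_pool(pools, client_local_net):
    """Walk the pools top down and return the first one that does not overlap
    the client's local subnet, or None when every pool conflicts."""
    local = ipaddress.ip_network(client_local_net, strict=False)
    for spec in pools:
        if not any(net.overlaps(local) for net in parse_pool(spec)):
            return spec
    return None

def audit(pools, client_nets):
    """Map each client-side subnet to the pool it would be served from."""
    return {net: select_pool(pools, net) for net in client_nets}

# Constructed sample data: the article's pool plus a hypothetical second pool.
POOLS = ["10.1.1.0/24", "172.30.0.0/24"]
CLIENT_NETS = ["10.0.0.0/8", "192.168.1.0/24", "172.16.0.0/12"]

if __name__ == "__main__":
    for net, pool in audit(POOLS, CLIENT_NETS).items():
        # None corresponds to the case where no address can be assigned.
        print(f"client on {net:<16} -> {pool or 'NO USABLE POOL'}")
```

A result of `None` for a client subnet means every configured pool conflicts with it, which is the situation in which the article's "Assign Private IP address failed" log entry appears.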


owner: tpiens

Comments

Hi!

I created 2 pools (10.0.0/24 and 172.30.0/24), but it starts to ignore the first one! It always assigns from the second one.

Ver 6.0.0

Any ideas?

Thank you!

How does the firewall know what subnet mask to assign for a range, if there is not one specified? Is there a way to specify it? E.g. for a range 10.1.1.10-10.1.1.20 when you want a class C mask.

Instead of using 2 IP address pools, has anyone thought about an address in RFC 5735, for example 198.18.0.0/15?

Yes, this article helped to identify the issue with the Global Protect user who was using the same subnet.