How Can IP Overlaps be Prevented with GlobalProtect

Printer Friendly Page


When a remote user connects to the corporate network with GlobalProtect, the computer will be assigned an IP address from the pool configured on the gateway. It is possible that this IP address overlaps the subnet that the workstation is already in, which will cause issues.

For example: A remote employee is connecting from a hotel room where the IP address received locally was in the range. The IP pool available for GlobalProtect clients is This will cause issues since the IP pool is part of the local subnet.

In this case, the following error is generated in System logs on the firewall: "Assign Private IP address failed".



The recommended solution for this issue is to create a new IP pool in a different subnet and leave that new pool lower on the list. IP pools are used from the top down, but if the client is in a subnet that conflicts with the first IP pool, the firewall will assign an IP address from the second pool automatically.

7-19-2012 12-35-05 PM.png

owner: tpiens

Tags (4)


I created 2 pools (10.0.0/24 and 172.30.0/24), but it starts to ignore first one! Always assign from second one

Ver 6.0.0

Any ideas?

Thank you!

How does the firewall know what subnet mask to assign for a range, if there is not one specified? Is there a way to specify it? E.g. for a range when you want a class C mask.

instead of using 2 IP Addresses pools, has anyone thought about address in RFC 5735, for example 

Yes, this article helped to identify the issue with the Global Protect user who was using the same subnet .