Bazar IPsec with Xauth RSA issue



L2 Linker

A couple of months ago I noticed my VPN on my phone stopped working. I was originally using CM 12.1 but have since moved to Marshmallow TouchWiz for my Galaxy S5. Definitely not phone related, as the issue remains and is the same no matter what phone or OS version is being used. I'll provide some infra info before discussing the issue.

I have two ISPs, with a GP Portal and Gateway configured, using their own certs and SSL/TLS profile per gateway/portal.

I already discovered that internal host detection is based on having always-on mode vs. on-demand, and all users connecting to either portal using GlobalProtect on their laptops work perfectly fine.

Running PAN-OS 7.0.8.

The issue:

When I connect to my gateway internally it says it connects perfectly fine. (I have a no-NAT rule configured to reach the gateway, as normally users hitting the internet will be NATed to said gateway IP.)

If I attempt to connect to the same gateway via LTE/4G after disabling my WiFi (internal connection), the VPN connection will establish perfectly fine. If I choose to connect to another WiFi, giving me a new public IP that I will be coming in from, the VPN connection attempts to connect and simply fails.

I attempted the same thing on my other portal, and at first it showed signs of the same issue. After playing around a bit more (changing networks, not making firewall changes) it seems our phones connect perfectly fine to my secondary gateway, even after changing from cell network to WiFi.

I decided to look at any differences between them. I couldn't find a single thing, besides them having dedicated tunnel interfaces and separate subnets for users, but those are supposed to be different by design. I can't see anything that is otherwise different. I can't put a finger on this after all the things I could possibly think of to test. The only thing I noticed was that I accidentally named my gateway for my secondary ISP the same name as my portal, and that the cert was checked off as a CA (which isn't technically correct; that was my mistake, but it still clearly works). I can't see this being the reason as, as I mentioned, VPN on the first portal works fine internally, and in one instance on the cell network after the fact, but not after changing networks.

Does anyone have any idea at all what might be the cause?

I also decided to check the firewall for all active sessions, and did notice that sessions remain "active" after disconnecting my VPN. Is this normal?


Cyber Elite

I can't speak on the other parts of this issue, but the session remaining active is normal, at least for my IPsec tunnel to the remote site. Oddly, that IP address changes throughout the day on a regular basis, which means that from one tunnel that is set up solely for the remote office I can see four different 'active' sessions to the different IP addresses throughout the day. Eventually they time out and drop off if the script to kill the tunnel and bring it back up at the end of the day doesn't get to them first.

Correct. I've talked to my other buddy who works for a said network company, who only deploys PA firewalls, and that is normal. However, even after talking with this high-tiered person, neither one of us could find out why this is the case.

We even looked at my SPF rules in case they might be routing traffic oddly, but none of my SPF rules are set for the public IP that the GP interface is set for. They are for sub-networks in the same subnet but have dedicated NAT and SPF rules. These did not seem to be the reason.

The oddest part is how intermittent this one gateway is vs. the other with pretty much the same settings. I can't think of anything in particular that I might have changed network-wise (virtual routers, static routes, or zones) that would make it not work. To top it off, as I mentioned, anyone connected to either Portal/Gateway using the GP app on their laptops works perfectly fine (unless they happen to connect to a private network with the exact same internal subnet as my own), but that rarely happens.

We even looked at my phone's internal IP from my cell network instead of the NATed IP I'd be looking for on my firewall, and sure enough they didn't overlap (which would fail to connect no matter which portal/gateway I specify). So sadly, again, that's not the case.

To top it off, when I check my active sessions as I attempt to connect to the non-working gateway, all sessions show exactly the same and active as on the working gateway. So I know my firewall isn't blocking anything. (I even did a packet capture and see all the IKE and ESP packets to/from going through perfectly fine.) This makes me feel like there must be some kind of bug going on...

At least it working on one gateway is better than no gateways. But the task of actually figuring out what's going on and causing the failure is boggling my mind!
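The thread ends on a packet capture that "shows all the IKE and ESP packets going through". The thing that capture can actually answer is how far each client public IP got: IKE request only, IKE exchanged in both directions, or ESP flowing both ways. The script below is an added example, not code from the original post or from Palo Alto Networks. It parses raw IPv4 packets, classifies them as IKE (UDP 500, or UDP 4500 carrying the RFC 3948 non-ESP marker), ESP (IP protocol 50, or UDP 4500 without the marker), or other, tallies them per client against the gateway address, and prints a verdict per client. All addresses, the gateway IP, and the packets themselves are constructed here (documentation ranges, dummy IKE headers, zeroed checksums); against a real pcap you would feed it the IPv4 payloads from a reader such as dpkt or scapy instead of `SAMPLE_PACKETS`.

```python
import struct
from collections import defaultdict

PROTO_UDP = 17
PROTO_ESP = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE inside UDP 4500 starts with 4 zero bytes


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload.
    Checksum stays 0: this is constructed test data, not a real capture."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def udp_pkt(src, dst, sport, dport, data):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return build_ipv4(src, dst, PROTO_UDP, udp)


def esp_pkt(src, dst, spi, seq=1):
    # Raw ESP (IP proto 50): SPI, sequence number, then (here dummy) ciphertext
    return build_ipv4(src, dst, PROTO_ESP, struct.pack("!II", spi, seq) + b"\xaa" * 16)


def classify(pkt):
    """Return (kind, src, dst) with kind in {'ike', 'esp', 'other'} for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto == PROTO_ESP:
        return "esp", src, dst
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        data = pkt[ihl + 8:]
        if 500 in (sport, dport):
            return "ike", src, dst
        if 4500 in (sport, dport):
            # NAT-T: zero marker means IKE, anything else is UDP-encapsulated ESP (SPI is never 0)
            return ("ike" if data[:4] == NON_ESP_MARKER else "esp"), src, dst
    return "other", src, dst


def triage(packets, gateway_ip):
    """Per client public IP, count IKE/ESP in each direction and say how far the client got."""
    tally = defaultdict(lambda: {"ike_c2g": 0, "ike_g2c": 0, "esp_c2g": 0, "esp_g2c": 0})
    for pkt in packets:
        kind, src, dst = classify(pkt)
        if kind == "other":
            continue
        if dst == gateway_ip:
            client, direction = src, "c2g"
        elif src == gateway_ip:
            client, direction = dst, "g2c"
        else:
            continue  # neither side is the gateway: not this tunnel
        tally[client][f"{kind}_{direction}"] += 1

    verdicts = {}
    for client, t in tally.items():
        if t["esp_c2g"] and t["esp_g2c"]:
            verdicts[client] = "tunnel-up"          # data plane flowing both ways
        elif t["esp_c2g"]:
            verdicts[client] = "esp-one-way"        # client sends ESP, gateway never answers
        elif t["ike_c2g"] and t["ike_g2c"]:
            verdicts[client] = "ike-only"           # negotiation exchanged, no ESP followed
        elif t["ike_c2g"]:
            verdicts[client] = "no-ike-response"    # gateway never replied to IKE
        else:
            verdicts[client] = "gateway-initiated"  # only gateway->client traffic seen
    return verdicts


# Constructed sample capture: documentation-range addresses and a dummy 28-byte IKEv2 header.
GATEWAY = "203.0.113.10"
LTE_CLIENT, WIFI_CLIENT, SILENT_CLIENT = "198.51.100.7", "192.0.2.44", "192.0.2.99"
IKE_HDR = b"\x11" * 8 + b"\x22" * 8 + b"\x21\x20\x22\x08" + b"\x00" * 4 + b"\x00\x00\x01\x00"

SAMPLE_PACKETS = [
    udp_pkt(LTE_CLIENT, GATEWAY, 500, 500, IKE_HDR),                        # IKE_SA_INIT
    udp_pkt(GATEWAY, LTE_CLIENT, 500, 500, IKE_HDR),
    udp_pkt(LTE_CLIENT, GATEWAY, 4500, 4500, NON_ESP_MARKER + IKE_HDR),     # IKE floats to 4500 (NAT detected)
    udp_pkt(GATEWAY, LTE_CLIENT, 4500, 4500, NON_ESP_MARKER + IKE_HDR),
    udp_pkt(LTE_CLIENT, GATEWAY, 4500, 4500, struct.pack("!II", 0x1001, 1)),  # UDP-encapsulated ESP
    udp_pkt(GATEWAY, LTE_CLIENT, 4500, 4500, struct.pack("!II", 0x2002, 1)),
    udp_pkt(WIFI_CLIENT, GATEWAY, 500, 500, IKE_HDR),                       # IKE both ways, then nothing
    udp_pkt(GATEWAY, WIFI_CLIENT, 500, 500, IKE_HDR),
    udp_pkt(SILENT_CLIENT, GATEWAY, 500, 500, IKE_HDR),                     # no reply ever seen
    build_ipv4("10.0.0.5", "10.0.0.6", 6, b"\x00" * 20),                   # unrelated TCP, ignored
]

if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_PACKETS, GATEWAY).items():
        print(f"{client:15} {verdict}")
```

Run it before and after switching networks and compare the verdict for your new public IP: "ike-only" or "esp-one-way" for the failing client, next to "tunnel-up" for the working one, tells you which side stopped talking and is a much sharper thing to bring to support than "the packets are there".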
