there were no way to establish a ipsec connection between a Cisco VPN client and PAN. I was "inspired" by the globalprotect guide but wasn't enought.
I had a computer at the same subnet than the "outside" interface who has the portal and the gateway published. So I checked the option to be able to connect even to the local lan when the vpn is up.
BUT, the main issue is that there's no trace for the ipsec traffic at the Paloalto. I'm not able to see the dropped traffic at PAN or any kind of answer at the cisco vpn client.
Could you help me to find the way to get connected? Thank you guys,
By the way, I should to use the Cisco client in order to avoid a massive client migration at xmas time.
I can be connected but the client has been disconnected 1 hour later.
I opened a case and the client is not support by Palo Alto Networks.
There is an IKE exchange and the client does not support it so you will be disconnected.
Jonathan, did you ever resolv this?
As far as I can see, the problem arises when there is a rekey for the IPSEC tunnel.
I use aggressive mode where the Cisco ISR is always initiator since it has a dynamic IP adress via DHCP.
In the debugs on the Cisco I get the feeling that it is an issue with ISAKMP.
It does 5 retries ar rekeying then takes down the tunnel interface and sets it up again.
Finally, i installed GlobalProtect for my customer because there is no issue.
The official support told me that the PAN firewall does not support the rekey with the Cisco client
I'm having the same issue with the connection being dropped when trying to establish a new IPSEC SA or IKE rekey.
Unfortunately I can't use GlobalProtect because it plays havoc with our OTP 2-factor authentication. This happens with different clients: ShrewSoft VPN, built-in OS X and from what users tell me the iOS client too.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!