Cisco IPSEC VPN client connecting to PAN 4.1


Hi folks,

There was no way to establish an IPsec connection between a Cisco VPN client and PAN. I was "inspired" by the GlobalProtect guide, but it wasn't enough.

  • At the Cisco VPN client side, I had configured just the IP address, the group and pwd, and NAT-T.
  • At the PAN side, I had configured the GlobalProtect portal, the gateway (using the third-party option for Cisco VPN client), and the IKE gateway.

I had a computer on the same subnet as the "outside" interface, which has the portal and the gateway published. So I checked the option to be able to connect even to the local LAN when the VPN is up.

BUT, the main issue is that there's no trace of the IPsec traffic at the Palo Alto. I'm not able to see the dropped traffic at PAN or any kind of answer at the Cisco VPN client.

Could you help me find the way to get connected? Thank you guys,

RobClav

By the way, I should use the Cisco client in order to avoid a massive client migration at xmas time.

Re: Cisco IPSEC VPN client connecting to PAN 4.1

I found a bug related to the 4.1 version, so I went through a downgrade to 4.0.7.

Hth,

RobClav


Re: Cisco IPSEC VPN client connecting to PAN 4.1

Hello,

On 4.1.7 it is working for me.

Re: Cisco IPSEC VPN client connecting to PAN 4.1

I can connect, but the client is disconnected 1 hour later.

I opened a case and the client is not supported by Palo Alto Networks.

There is an IKE exchange and the client does not support it, so you will be disconnected.

Re: Cisco IPSEC VPN client connecting to PAN 4.1

Jonathan, did you ever resolve this?

As far as I can see, the problem arises when there is a rekey for the IPSEC tunnel.

I use aggressive mode where the Cisco ISR is always initiator since it has a dynamic IP address via DHCP.

In the debugs on the Cisco I get the feeling that it is an issue with ISAKMP.

It does 5 retries at rekeying, then takes down the tunnel interface and sets it up again.

Re: Cisco IPSEC VPN client connecting to PAN 4.1

Finally, I installed GlobalProtect for my customer because there is no issue.

The official support told me that the PAN firewall does not support the rekey with the Cisco client.

Re: Cisco IPSEC VPN client connecting to PAN 4.1

I see.

I misunderstood.

Thought the problem was with a site to site VPN.

Regards, Nils

L1 Bithead

Re: Cisco IPSEC VPN client connecting to PAN 4.1

I'm having the same issue with the connection being dropped when trying to establish a new IPSEC SA or IKE rekey.

Unfortunately I can't use GlobalProtect because it plays havoc with our OTP 2-factor authentication. This happens with different clients: ShrewSoft VPN, built-in OS X and, from what users tell me, the iOS client too.

Very frustrating!
