Cisco IPSEC VPN client connecting to PAN 4.1



Hi folks,

There was no way to establish an IPsec connection between a Cisco VPN client and PAN. I was "inspired" by the GlobalProtect guide, but it wasn't enough.

  • On the Cisco VPN client side, I had configured just the IP address, the group and pwd, and NAT-T.
  • On the PAN side, I had configured the GlobalProtect portal, the gateway (using the third-party option for the Cisco VPN client), and the IKE gateway.

I had a computer on the same subnet as the "outside" interface, which has the portal and the gateway published. So I checked the option to be able to connect even to the local LAN when the VPN is up.

BUT, the main issue is that there's no trace of the IPsec traffic on the Palo Alto. I'm not able to see the dropped traffic on the PAN or any kind of answer on the Cisco VPN client.

Could you help me to find the way to get connected? Thank you guys,

RobClav

By the way, I should use the Cisco client in order to avoid a massive client migration at Xmas time.

7 REPLIES


I found a bug related to the 4.1 version. So I go through a downgrade to 4.0.7.

Hth,

RobClav

Hello,

On 4.1.7 it is working for me.

I can connect, but the client is disconnected 1 hour later.

I opened a case and the client is not supported by Palo Alto Networks.

There is an IKE exchange and the client does not support it so you will be disconnected.

Jonathan, did you ever resolve this?

As far as I can see, the problem arises when there is a rekey for the IPSEC tunnel.

I use aggressive mode where the Cisco ISR is always the initiator, since it has a dynamic IP address via DHCP.

In the debugs on the Cisco I get the feeling that it is an issue with ISAKMP.

It does 5 retries at rekeying, then takes down the tunnel interface and sets it up again.

Finally, I installed GlobalProtect for my customer because there is no issue.

The official support told me that the PAN firewall does not support the rekey with the Cisco client.

I see.

I misunderstood.

Thought the problem was with a site-to-site VPN.

Regards, Nils

I'm having the same issue with the connection being dropped when trying to establish a new IPSEC SA or IKE rekey.

Unfortunately I can't use GlobalProtect because it plays havoc with our OTP 2-factor authentication. This happens with different clients: ShrewSoft VPN, built-in OS X and, from what users tell me, the iOS client too.

Very frustrating!
