This is an obscure problem.
I've got visitors from another company on our network trying to VPN back to their office with Cisco's VPN client to a Cisco ASA appliance. They are unable to connect, randomly. Most of the time, at least one can connect, but never all 5 of them.
All my users (including these visitors) are NAT'd to the same IP address. So all these clients appear to their VPN concentrator as the same IP.
I'm wondering if this might be a NAT issue between Palo Alto and Cisco. Might be way off the mark here, but any insight would be helpful.
You are using dynamic IP/port NAT, I think, so this should not affect them.
Random issues are hard to solve. Can you monitor their traffic when they want to connect?
Then you can try an app override rule for them to see if something changes?
I've taken a packet capture and nothing seems glaringly bad, other than it doesn't work (no RST, no timeouts, just stops). Not sure I follow where you're headed with the app override rule.
I'm with panos on the app override on this one... it's something to at least try. Build an App override for IPSec/IKE traffic (should be UDP 500 and UDP 4500 I believe) and stick it in a rule that allows traffic to the remote ASA, and see if the issues magically go away. It will at least help you narrow down the problem, and prove whether or not the App-ID engine has something to do with the problem you're experiencing.
As an aside, I'm surprised they're not using AnyConnect SSL VPN.
Recommended solution would be to enable NAT-T on clients and ASA.
Configure IPSec NAT Transparency on the ASA and the VPN clients.
On the ASA, issue the following command:
PIX/ASA 7.1 and earlier
pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later
securityappliance(config)#crypto isakmp nat-traversal 20
In the Cisco VPN Client, choose Connection Entries and click Modify. It opens a new window where you have to choose the Transport tab. Under this tab, choose Enable Transparent Tunneling and the IPSec over UDP (NAT/PAT) radio button. Then click Save and test the connection.
The other option would be to assign a public NAT pool (or 1-to-1 static NATs) for those users so they would receive unique public IPs.
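An added example, not from this thread nor from Palo Alto or Cisco, of the check the packet capture mentioned above can be reduced to: for each inside client talking to the ASA, it reports whether the client's ESP is NAT-T encapsulated on UDP 4500 or is raw ESP (IP protocol 50), which carries no port numbers a dynamic IP-and-port NAT can use to tell several clients apart once they share one translated address. The flow records, addresses and function names are constructed for the example.

```python
from collections import defaultdict

IKE_PORT, NAT_T_PORT = 500, 4500

# Constructed sample: (inside_src, dst, proto, dst_port) as seen on the
# trust side before translation. dst_port is None for ESP (no ports).
SAMPLE_FLOWS = [
    ("10.1.1.11", "198.51.100.9", "udp", 500),
    ("10.1.1.11", "198.51.100.9", "udp", 4500),   # NAT-T negotiated
    ("10.1.1.12", "198.51.100.9", "udp", 500),
    ("10.1.1.12", "198.51.100.9", "esp", None),   # fell back to raw ESP
    ("10.1.1.13", "198.51.100.9", "udp", 500),
    ("10.1.1.13", "198.51.100.9", "esp", None),   # second raw-ESP client
    ("10.1.1.14", "198.51.100.9", "udp", 500),    # IKE only, no data SA seen
]


def classify_clients(flows, peer):
    """Return {inside_ip: state} for clients talking to `peer`.

    state is 'nat-t' (ESP in UDP 4500 seen), 'raw-esp' (IP proto 50 seen
    and no NAT-T), or 'ike-only' (only UDP 500 seen)."""
    seen = defaultdict(set)
    for src, dst, proto, port in flows:
        if dst != peer:
            continue
        if proto == "udp" and port == NAT_T_PORT:
            seen[src].add("nat-t")
        elif proto == "esp":
            seen[src].add("raw-esp")
        elif proto == "udp" and port == IKE_PORT:
            seen[src].add("ike")
    return {src: ("nat-t" if "nat-t" in tags else
                  "raw-esp" if "raw-esp" in tags else "ike-only")
            for src, tags in seen.items()}


def pat_conflicts(states):
    """Clients whose raw ESP would share one translated address; a NAT
    that multiplexes on UDP/TCP ports has nothing to tell them apart by."""
    raw = sorted(ip for ip, s in states.items() if s == "raw-esp")
    return raw if len(raw) > 1 else []


if __name__ == "__main__":
    states = classify_clients(SAMPLE_FLOWS, "198.51.100.9")
    for ip, state in sorted(states.items()):
        print(f"{ip}: {state}")
    print("raw-ESP clients competing for one PAT address:", pat_conflicts(states))
```

Run it over the real capture by replacing SAMPLE_FLOWS with the flows exported from it; clients listed by pat_conflicts are the ones the NAT-T settings above are meant to fix.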
The settings have been implemented on the ASA and the clients as recommended and this did not solve the problem.
We're still experiencing the issue and 1-1 NAT is not an option. I've got a case open with PA. If we ever get a solution I'll post it here.