GP Internal Host Detection not Working



L2 Linker

To start off...

 

I have already read this.

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-not-Detecting-Internal-Networ...

 

I'll start off with the whole story. We have 2 ISPs, set up to our PA-500s using 2 VRs. One was set up for the DMZ zone, with its default route out ISP 1. The second VR was users' internet, with the default route out ISP 2.

 

Initially GP was set up on ISP 1. Thus when users attempted to connect, their session would be NATed out ISP 2 back into ISP 1, with internal host detection working a treat and showing the little house on the GP sys tray icon.

 

My goal was to move all my services over to ISP 2. Turns out I couldn't just copy the existing NAT rules since the DMZ default route was out ISP 1, and any connection attempts would fail due to an incomplete handshake. Welcome Symmetric Return!

 

So I got all my services to work with either external IP association. I then go to move our VPN to the Shaw side using both proper DNS lookup for the portal/gateway and our own internal PKI. I fought tooth and nail and got the internal PKI setup working just the way I want it to. Externally it's working a treat, so I attempt to connect internally; to my dismay I couldn't reach the external portal from inside the network. Checking my Monitor tab on the PAs I see no blocked traffic. I knew it was getting dropped somewhere in the PA, so I do a packet capture. Lo and behold, my packets are getting dropped.

 

After talking to my uber smart network engineer, we had two options (NoNAT to my ISP 2 public IP, or do a U-turn NAT to my ISP public IP).

 

After making this config, I could ping and access the web portal no prob! YAY!

 

And finally to the point of this post: everything works now except internal host detection, and it's driving me up the wall. From everything I read on it and how I know my configs are, it should just work at this point. But it keeps connecting my client to the VPN DHCP pool and saying it's connected, and I can see the traffic on the client system, even though it's internally connected (I can ping and resolve the internal host detection stuff from the client system perfectly fine).

 

To make it even weirder, when I change my portal IP to ISP 1, internal host detection works a treat. Change it back to ISP 2, and internal host detection fails.

 

Same internal host detection settings on both portal/user configs, same internal network.

 

Thoughts? I'm bashing my head on this one...


7 REPLIES

L4 Transporter

Hi Zewwy,

 

What does the PanGP Services log say? Look for a line that contains "DnsQuery returns " and the lines right before and after it.

 

Benjamin

Hey,

 

Thanks for the reply. I did the following.

 

I cleared the PanGPS.log file. I connected via the ISP 1 portal, and sure enough I get DNSQuery response 0.

As it should be. I clear the log by renaming it.

 

I change my portal address on my GlobalProtect; it connects saying externally. I then check the PanGPS.log and I don't find a single DnsQuery line in the log at all, as if it's not even trying to do internal host detection.

 

Thoughts?
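The diagnostic above (grep PanGPS.log for "DnsQuery returns" and check whether the line is present at all, and what code it returns) and the client-side check it reflects (reverse-resolve the configured internal IP and compare to the expected FQDN) can be reproduced offline. This is an added example, not code from the thread or from Palo Alto Networks; the log lines and the PTR table are constructed, and the exact PanGPS.log line layout is approximated.

```python
import re
import socket

# Constructed PanGPS.log excerpts (format approximated, not real client output).
# ISP 1 run: internal host detection ran and the DNS query succeeded (code 0).
LOG_ISP1 = """\
(T1234) 06/01 10:00:01 Info (  101): Start internal host detection
(T1234) 06/01 10:00:01 Info (  102): DnsQuery returns 0
(T1234) 06/01 10:00:01 Info (  103): Internal host detected, network is internal
"""
# ISP 2 run: the symptom from the thread, no DnsQuery line at all.
LOG_ISP2 = """\
(T1234) 06/01 10:05:01 Info (  201): Connecting to portal vpn.example.com
(T1234) 06/01 10:05:02 Info (  202): Portal config received, connect method on-demand
"""

DNSQUERY_RE = re.compile(r"DnsQuery returns (\d+)")

def dnsquery_result(log_text, context=1):
    """Return (return_code, surrounding_lines) for the first DnsQuery line.
    (None, []) means internal host detection never ran in this log."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = DNSQUERY_RE.search(line)
        if m:
            lo, hi = max(0, i - context), min(len(lines), i + context + 1)
            return int(m.group(1)), lines[lo:hi]
    return None, []

# Constructed PTR table standing in for the internal DNS server (hypothetical names).
CONSTRUCTED_PTR = {"10.0.0.5": "dc01.corp.example.com."}

def table_resolver(addr):
    """Offline stand-in for a reverse lookup; raises like a failed PTR query."""
    if addr not in CONSTRUCTED_PTR:
        raise OSError("no PTR record")
    return CONSTRUCTED_PTR[addr]

def is_internal(ip, expected_fqdn, resolver=None):
    """Mimic the client's decision: reverse-resolve the configured IP and compare
    with the expected hostname as a full FQDN (case-insensitive, trailing dot ignored).
    A short name such as 'dc01' never matches, which is the FQDN caveat from the thread."""
    if resolver is None:
        resolver = lambda addr: socket.gethostbyaddr(addr)[0]  # real lookup if wanted
    try:
        name = resolver(ip)
    except OSError:
        return False
    return name.rstrip(".").lower() == expected_fqdn.rstrip(".").lower()
```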

Make sure that the connection method configured in the portal is "user-logon" and not on-demand.

 

regards,

Gerardo.

Hey Gerardo,

 

Thanks so much for the suggestion. I was working with a PAN tech on the case (tier one) so had to argue about a couple things he wasn't understanding about the device, haha. 

 

We tried your answer on my own account by me changing my AD user membership, and then renewing the PAN's user mappings, and then I found I had to create a new profile (I'm sure possibly an uninstall, or even a registry edit, could have resolved it, but I didn't know exactly what to look for so I simply re-created my profile) before it would change from on-demand mode to user-logon. I asked the tech for any documentation that would state why this is.

 

I can understand, since it's on-demand, that the user wouldn't normally connect internally, but then what's the point of the internal host detection being available for edit when the type is set to on-demand? Seems like a UI bug or something that was merely overlooked and was just never thought of and considered as-is.

 

Thanks for your answer.

 

One last thing I noticed when I was testing: the user cert I install on users' systems goes into the user's personal certificate store, yet when I created a new user in AD and logged in as that user on a system where I had installed the cert for another user, that cert was already in the new user's certificate store... I found this baffling. The other weird part is when I removed my profile to fix the on-demand problem I noticed it removed my certificate from the store, more along the lines of what is to be expected with a profile wipe.

I'm having a similar issue. I am trying to enable internal host detection, but the GP client keeps trying to contact our external gateway and failing with "invalid gateway", so it never gets to the internal detection.

 

I'm not sure how to U-turn NAT it, because the GP gateway doesn't have an internal IP address.

Make sure for the host name that you are using the FQDN (ie test.mydomain.com and not just test).

Hi,

 

Can someone confirm if on-demand and "Internal Host Detection" will work? I have my configuration set to on-demand and have "Enforce GlobalProtect for Network Access". I need a way to disable this when the user is on the internal network. I cannot go down the path of user-logon as the client is using OTP for VPN, so SSO won't work.

 


Thanks
