GRE traffic being dropped by PAN

L4 Transporter


Hello,

 

An internal host is attempting to establish a PPTP tunnel connection with an outside Internet host. The internal host accesses the Internet over NAT (actually PAT) on the firewall's outside IP address. There was no issue with the PPTP (TCP 1723) connection, but GRE (IP 47) packets from the remote host could not reach the internal host. Packet capture on the firewall shows the GRE packets were dropped at the "drop" stage and cannot be seen in the "transmit" or "firewall" stage captures.

 

On some firewalls there is a feature known as PPTP inspection, where the PPTP traffic will be inspected by the firewall and, based on the PPTP session info, incoming GRE traffic will be NATed and forwarded to the correct internal host. May I know if such a feature is available on the PAN firewall (software 6.1.6), or whether there is an alternate configuration to achieve the same result?

 

Thanks in advance.

L4 Transporter

Re: GRE traffic being dropped by PAN

Hi,

 

I have tested this on 7.1 and 8.0. It works. I am not exactly sure since when this is supported, but in these versions the firewall will open a predict session for GRE traffic.

 

Best Regards

L4 Transporter

Re: GRE traffic being dropped by PAN

Thank you for the confirmation. Closing the loop by mentioning that we set up 1-to-1 NAT and that solved the issue.
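A sketch of the PPTP inspection described in the first post, added here as an example and not Palo Alto Networks code or part of the original thread: it learns the Call ID from the client's Outgoing-Call-Request on TCP 1723 and uses the Call ID carried in the enhanced GRE header (RFC 2637) to pick the internal host behind PAT. `PptpTracker`, its methods and all addresses are hypothetical, and the sample packets are constructed.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D   # magic cookie in every PPTP control message (RFC 2637)
OUT_CALL_REQUEST = 7      # Outgoing-Call-Request control message type
GRE_PROTO_PPP = 0x880B    # protocol type used by PPTP's enhanced GRE


class PptpTracker:
    """Hypothetical tracker: learns Call IDs on TCP/1723, maps inbound GRE."""

    def __init__(self):
        self.calls = {}   # (server_ip, call_id) -> internal client IP

    def on_control(self, client_ip, server_ip, payload):
        """Inspect one client-to-server PPTP control message."""
        if len(payload) < 14:
            return None
        _len, msg_type, magic, ctrl_type, _rsv = struct.unpack_from("!HHIHH", payload)
        if magic != PPTP_MAGIC or msg_type != 1 or ctrl_type != OUT_CALL_REQUEST:
            return None
        (call_id,) = struct.unpack_from("!H", payload, 12)
        # The server echoes this client-assigned Call ID in its GRE packets.
        self.calls[(server_ip, call_id)] = client_ip
        return call_id

    def route_gre(self, server_ip, gre):
        """Return the internal host for an inbound GRE packet, or None (drop)."""
        if len(gre) < 8:
            return None
        flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", gre)
        key_present = bool(flags & 0x20)          # K bit: key field carries Call ID
        if not key_present or (ver & 0x07) != 1 or proto != GRE_PROTO_PPP:
            return None
        return self.calls.get((server_ip, call_id))


def demo():
    # Constructed sample traffic, not captured from a real firewall.
    t = PptpTracker()
    req = struct.pack("!HHIHHHH", 168, 1, PPTP_MAGIC, OUT_CALL_REQUEST,
                      0, 0x4001, 1).ljust(168, b"\0")
    t.on_control("10.0.0.5", "198.51.100.7", req)
    known = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, 0, 0x4001, 0)
    unknown = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, 0, 0x4002, 0)
    return t.route_gre("198.51.100.7", known), t.route_gre("198.51.100.7", unknown)
```

With plain PAT and no such state, every inbound GRE packet looks like the `unknown` case, since GRE has no ports to translate.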
