Global protect error message

L4 Transporter

Hi.

I've got a user trying to connect to my PA through a Global protect VPN, and the firewall is giving me the following error message:

GlobalProtect gateway client configuration failed. User name: <xxxx>, error: Assign private IP address failed.

I know the pool for the configured GP gateway is large enough (/24) for her to be assigned an IP out of it - we don't have *that* many concurrent sessions running through the gateway at once - but I can't figure out why it's not assigning a remote IP.

Can anyone shed any light on what may be causing this?

PanOS 4.1.7, GP client 1.1.6, if it's relevant.

Thanks.

L4 Transporter

Re: Global protect error message

Darren,

Are the IP pools assigned to the Global protect gateway overlapping the local LAN?

If that is the case, it is recommended to have the IP pool on a completely different subnet than the local LAN (trust network).

Regards

L4 Transporter

Re: Global protect error message

Thanks.

That was my first thought - I'm trying to get a remote user to work through running "ipconfig" and get the results. It promises to be a whole new adventure in troubleshooting pain! :-)

I'll update once (if) I get a result.

L4 Transporter

Re: Global protect error message

Oh My.

I managed to get her to run an "ipconfig".

Her local segment is configured thusly

IP : 10.1.1.4

Router : 10.1.1.1

Mask : 255.0.0.0

Yup, she's got her local router configured to allocate a whole class "A" subnet!

Of course, this overlaps my 10.10.0.0/24 VPN network quite nicely, so I'd guess that's exactly why it's failing.

Thanks for confirming what I thought was the problem.

L5 Sessionator

Re: Global protect error message

I've just encountered this problem as well. Is there a way to fix this issue? Apart from changing the IP pool for all users or asking the remote user to change hotels :)

L4 Transporter

Re: Global protect error message

santonic wrote:

I've just encountered this problem as well. Is there a way to fix this issue? Apart from changing the IP pool for all users or asking the remote user to change hotels

Unfortunately not.

If the network used by the remote end (hotel) overlaps with either the subnet used for your VPN, or one of the networks you split-tunnel to VPN clients, then Global Protect is unable to create the "virtual" interface used for the VPN, and will fail.

The only thing I can suggest is that you change your VPN range to something "out of the ordinary" - I would recommend something like 172.29.131.0/24, for example - the chances of a Hotel using *that* for its guest WiFi are pretty slim.

L7 Applicator

Re: Global protect error message

I recommend adding several ranges to satisfy these conditions. The IP ranges are attempted in a top-down order, so for the IP pool you might set:

10.125.15.0/24

172.20.120.0/24

192.168.200.0/24

Explore more options, and you should find a solution that works for the majority of your clients. Each range is added to the firewall's routing table so there is nothing you need to add to the Virtual Router to get it to work correctly. Give that a shot, and you should be in good shape.

Hope this helps!

Greg Wesson
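As an added example (not code from this thread or from Palo Alto Networks), here is a small Python check that models what Darren and Greg describe above: it turns the user's ipconfig IP and mask into her local segment, lists which gateway pools and split-tunnel routes that segment collides with, and walks an ordered pool list top-down to the first pool that does not overlap. The ipconfig excerpt and the split-tunnel routes are constructed sample data, and the top-down selection is a model of the behaviour described in the thread, not the gateway's actual algorithm.

```python
import ipaddress
import re

# Constructed Windows "ipconfig" excerpt reproducing the values the remote user
# reported in the thread (IP 10.1.1.4, mask 255.0.0.0, router 10.1.1.1).
IPCONFIG_SAMPLE = """
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 10.1.1.4
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.1.1.1
"""

# Gateway pools in the top-down order the gateway walks them: the thread's
# original 10.10.0.0/24 first, then the three ranges Greg suggests.
POOLS = [ipaddress.IPv4Network(p) for p in
         ("10.10.0.0/24", "10.125.15.0/24", "172.20.120.0/24", "192.168.200.0/24")]

# Constructed: internal networks pushed to clients as split-tunnel routes.
SPLIT_TUNNEL = [ipaddress.IPv4Network("10.10.50.0/24"),
                ipaddress.IPv4Network("192.168.1.0/24")]


def lan_from_ipconfig(text):
    """Client's local segment, derived from the IPv4 address and subnet mask lines."""
    addr = re.search(r"IPv4 Address[ .]*:\s*(\S+)", text).group(1)
    mask = re.search(r"Subnet Mask[ .]*:\s*(\S+)", text).group(1)
    return ipaddress.IPv4Interface(f"{addr}/{mask}").network


def conflicts(lan, networks):
    """Networks in `networks` that overlap the client's local segment."""
    return [n for n in networks if lan.overlaps(n)]


def pick_pool(lan, pools):
    """First pool (top-down) that does not overlap the client's LAN; None models the
    'Assign private IP address failed' outcome when every pool collides. This is a
    model of the behaviour the thread describes, not the gateway's own code."""
    return next((p for p in pools if not lan.overlaps(p)), None)


def diagnose(text, pools=POOLS, split_tunnel=SPLIT_TUNNEL):
    """What the gateway would face for one client's ipconfig output."""
    lan = lan_from_ipconfig(text)
    return {"client_lan": lan,
            "pool_conflicts": conflicts(lan, pools),
            "split_tunnel_conflicts": conflicts(lan, split_tunnel),
            "assigned_pool": pick_pool(lan, pools)}
```

Running `diagnose(IPCONFIG_SAMPLE)` on the sample reports the 10.0.0.0/8 client segment, the two colliding 10.x pools, and 172.20.120.0/24 as the first usable pool.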

L5 Sessionator

Re: Global protect error message

There is a way, but I found it after posting ofc :smileyhappy:

How can IP Overlaps be Prevented with GlobalProtect

As long as you set 2 segments, which can't overlap, you won't have any problems.

L3 Networker

Re: Global protect error message

I created 2 pools (10.0.0/24 and 172.30.0/24), but it starts to ignore the first one! It always assigns from the second one.

Ver 6.0.0

Any ideas?

Thank you!

L4 Transporter

Re: Global protect error message

The recently published 6.0.2 has a huge list of fixes. I don't know if your problem is on this list, but I could help you with this and other problems. 6.0.0 isn't a good version IMHO.

Regards

SLawek
