GlobalProtect stopped to work after appliance reboot

L2 Linker

GlobalProtect stopped to work after appliance reboot

The GlobalProtect Portal/Gateway had been working perfectly until tonight, when I restarted the Palo Alto appliance.

Afterwards, I was not able to connect. The portal page: ERR_CONNECTION_TIMED_OUT.

 

I tried to load older configs, I have even reinstalled the software version (8.0.13). No luck.

 

In the Session Browser I do not see anything that looks like any traffic to the GP.

 

It's 3AM and I feel quite helpless...

 

L4 Transporter

Re: GlobalProtect stopped to work after appliance reboot

Can you ping the IP of GP from external?

What do you see in the traffic logs?

L2 Linker

Re: GlobalProtect stopped to work after appliance reboot

No, I can't ping it from the Internet.

But I can ping it from the external PaloAlto interface.

In the GUI, in the Traffic log there is nothing.

L2 Linker

Re: GlobalProtect stopped to work after appliance reboot

So, the problem has been resolved or... worked around.

We have both GlobalProtect VPN and IPSec VPN running on loopback interfaces.

Both of them do not work after PaloAlto reboot.

It seems that PaloAlto is not refreshing the ARPs on the switch connecting it to the "World".

 

Solution:

ssh to PaloAlto and:

 

test arp gratuitous ip loopback_IP interface ethernet1/3
test vpn ike-sa gateway IKE_Gateway_Name
 
The first command refreshes the GlobalProtect ARP, the second - the IPSec ARP.
Seems like a bug to me... I don't think we should do this every time we restart the appliance...
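
Added example (not part of the original post, and not Palo Alto code): a Python check that can be run over frames captured on the segment between the firewall and the upstream switch, to confirm that a gratuitous ARP for the loopback IP was actually seen and which MAC it announced. The frames, MAC addresses and the 203.0.113.x addresses are constructed samples, and the function names are hypothetical.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806

# Constructed sample frames (hex), not taken from the thread:
# 1) gratuitous ARP: 02:00:00:00:00:01 announces 203.0.113.10 (sender IP == target IP)
# 2) ordinary ARP request from 203.0.113.1 asking for 203.0.113.10
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff020000000001" "0806" "0001080006040001"
                  "020000000001" "cb00710a" "000000000000" "cb00710a"),
    bytes.fromhex("ffffffffffff0200000000fe" "0806" "0001080006040001"
                  "0200000000fe" "cb007101" "000000000000" "cb00710a"),
]


def parse_arp(frame: bytes):
    """Parse an untagged Ethernet II frame; return ARP fields or None."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    # Only IPv4-over-Ethernet ARP is handled here.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": ":".join(f"{b:02x}" for b in sha),
            "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa)}


def announced_mac(frames, ip: str):
    """Return the MAC from the last gratuitous ARP seen for `ip`, or None."""
    mac = None
    for frame in frames:
        arp = parse_arp(frame)
        # Gratuitous ARP: sender and target protocol address are the same.
        if arp and arp["sender_ip"] == arp["target_ip"] == ip:
            mac = arp["sender_mac"]
    return mac


if __name__ == "__main__":
    print(announced_mac(SAMPLE_FRAMES, "203.0.113.10"))
```

If the MAC returned here differs from the entry the upstream device holds for the same IP, the upstream ARP entry is stale.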
 
 
L4 Transporter

Re: GlobalProtect stopped to work after appliance reboot

Many thanks for letting us know.

Great that you found the fix and got it working.

 

It helps others to learn.

L7 Applicator

Re: GlobalProtect stopped to work after appliance reboot


@Filip_Fronczak wrote:

test vpn ike-sa gateway IKE_Gateway_Name


This command is actually for creating/building/connecting IPSec Phase 1 to the specified gateway. The ARP refresh is only a side effect, which could also be done with your first command with the appropriate values.

 

But you're right, this shouldn't be required after a reboot - and in my case it also isn't required. I also use loopback interfaces and reboots/failovers work without problems. What PAN-OS version do you currently use and what is your setup with the IPs on the loopbacks? Do you use single addresses in the network that is also configured on your physical interface?

L4 Transporter

Re: GlobalProtect stopped to work after appliance reboot

So does it mean that for interesting traffic to initiate, which is phase 2, we use test ipsec instead of ike?

Also, ARP here was used to build the phase 1 connection?

Can we also use ARP for phase 2?
