PANOS-8.0 broke IPSec XAuth VPN?



L2 Linker

Hi,

 

After I upgraded our PA-3050 to PAN-OS 8.0, iOS and Android native clients (using IPSec XAuth) don't work anymore. These clients can authenticate successfully and get a valid IP from the gateway IP pool. But after this they can't access anything. There are no traffic logs shown with the VPN IP either.

 

Can anybody using 8.0 test whether IPSec XAuth is functional, to see if it's the 8.0 upgrade or something else that is wrong with my setup?

 

Thanks,

 

Rahman

20 REPLIES

L2 Linker

Updating to 8.0 has a huge amount of risk for any production environment. The code is brand new and I would only recommend it on lab devices. If you updated and it broke things, you'll have to report it to support and let them know that it broke something. This kind of thing will most likely go on until 8.0.6.

 

 

- Peter

L6 Presenter

Hi

 

we have the same issue

 

Regards

 

 

 

Can anybody test if 8.0.1 fixed the issue?

 

Thanks,

 

Rahman

L0 Member

Has anyone managed to solve this problem?

@JoaoCesar,

I would hazard a guess that you will need to update to 8.0.2, if this has been fixed in the 8.0 code yet.

L6 Presenter

Some phone models connect and receive an IP-pool IP, but they cannot reach the internal resources.


Motorola Moto Z Android 7 -> problem
Motorola Moto G3 Android 6 -> problem
Motorola Moto Maxx Android 6 -> problem
Lenovo Vibe K6 Android 6 -> problem

Samsung Galaxy S7 Android 7 -> OK
Samsung Galaxy S4 Android 5.1 -> OK
iPhone 4 iOS 7 -> OK

Tested with PAN-OS 8.0.2 and 8.0.3.


Hi,

 

Is there any useful info in the ikemgr.log file?

 

> tail lines 100 mp-log ikemgr.log

 

Did you try to re-create a VPN profile on the affected client mobile phones?

I have the same issue. I tried a Huawei P9 Android 7.0 and a Samsung S7 edge 7.0: sometimes it works, sometimes not. PAN-OS 8.0.4, 7.1.11 and 7.0.12 all show the same issue.

L3 Networker

Hi Guys, 

 

We observed this for some users. Seems to be a recurrence of a previous bug.

 

Double check the auth type is 'Any' not 'any' for the portal config. 

 

Using loopbacks for the portal could be an issue previously; I tested on 8.0.5 on a PA-220 just now and it connects fine with a loopback.

 

[Screenshot: Screen Shot 2017-10-21 at 20.28.49.png]

 

in the config double check the auth type has capital 'A'. 

 

<global-protect-portal>
<entry name="external">
<portal-config>
<local-address>
<ip>
<ipv4>10.10.24.1</ipv4>
</ip>
<interface>loopback.1</interface>
</local-address>
<client-auth>
<entry name="local">
<os>Any</os>
<authentication-profile>local</authentication-profile>
<authentication-message>Enter login credentials</authentication-message>
</entry>
</client-auth>
<ssl-tls-service-profile>brookfieldlab</ssl-tls-service-profile>
</portal-config>
<client-config>
<configs>
<entry name="configGP">
<gateways>
<external>
<list>

 

Added edit:

 

Double check the gateway config has a capital A as well. 🙂

 

> configure
# set global-protect global-protect-gateway <gateway_name> client-auth <client_auth_name> os Any 
# commit 

 

 

best regards, 

 

Rob 
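The casing check Rob describes above (an `<os>` of `any` instead of `Any` in a portal or gateway client-auth entry) is easy to miss by eye in a large config. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a config export, walks every GlobalProtect portal and gateway client-auth entry, flags `<os>` values whose casing differs from the accepted spelling, and prints the matching configure-mode `set` command in the form Rob's post uses. It assumes the XML layout mirrors the snippets posted in this thread (portal entries carry `client-auth` under `portal-config`, gateway entries directly), that the CLI path mirrors that layout, and that the `KNOWN_OS_VALUES` list is correct; only `Any` is confirmed by the thread. The embedded sample config is constructed and its names are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the snippets posted in this thread.
# Names are made up. Two entries deliberately carry bad casing ("android",
# "any") so the check has something to find.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="external">
          <portal-config>
            <client-auth>
              <entry name="local">
                <os>Any</os>
                <authentication-profile>local</authentication-profile>
              </entry>
              <entry name="Local&amp;LDAP for Admins">
                <os>android</os>
                <authentication-profile>auth-sequence-gp</authentication-profile>
              </entry>
            </client-auth>
          </portal-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="GP-EXT-XAuth-RSA">
          <client-auth>
            <entry name="admins">
              <os>any</os>
              <authentication-profile>auth-sequence-gp</authentication-profile>
            </entry>
            <entry name="ios-only">
              <os>iOS</os>
              <authentication-profile>auth-sequence-gp</authentication-profile>
            </entry>
          </client-auth>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""

# Assumption: accepted spellings of the client-auth OS selector. Only "Any"
# is confirmed by the thread; the others are listed so the same casing slip
# on a per-OS entry (e.g. "ios") is caught too.
KNOWN_OS_VALUES = ("Any", "Android", "iOS", "Windows", "Mac", "Linux", "Chrome")


def check_client_auth_os(config_xml):
    """Return (section, object_name, client_auth_name, found, expected) for
    every portal/gateway client-auth <os> whose casing is not the accepted one."""
    root = ET.fromstring(config_xml)
    canonical = {v.lower(): v for v in KNOWN_OS_VALUES}
    findings = []
    for section in ("global-protect-portal", "global-protect-gateway"):
        for container in root.iter(section):
            for obj in container.findall("entry"):
                # iter() reaches client-auth whether it sits under
                # portal-config (portal) or directly under the entry (gateway).
                for client_auth in obj.iter("client-auth"):
                    for auth in client_auth.findall("entry"):
                        os_el = auth.find("os")
                        if os_el is None:
                            continue
                        found = (os_el.text or "").strip()
                        expected = canonical.get(found.lower())
                        if expected is not None and found != expected:
                            findings.append((section, obj.get("name"), auth.get("name"), found, expected))
    return findings


def _quote(name):
    # Quote names with spaces or punctuation, e.g. "Local&LDAP for Admins".
    return name if re.fullmatch(r"[A-Za-z0-9_.-]+", name) else f'"{name}"'


def fix_commands(findings):
    """One configure-mode 'set' command per finding. Assumption: the CLI path
    mirrors the XML, so portal entries go through 'portal-config'."""
    cmds = []
    for section, obj, auth, _found, expected in findings:
        middle = "portal-config client-auth" if section == "global-protect-portal" else "client-auth"
        cmds.append(f"set global-protect {section} {_quote(obj)} {middle} {_quote(auth)} os {expected}")
    return cmds


if __name__ == "__main__":
    found = check_client_auth_os(SAMPLE_CONFIG)
    for f in found:
        print("casing mismatch:", f)
    for c in fix_commands(found):
        print(c)
```

Feed it the XML from a config export (or `show config running` in XML output) instead of `SAMPLE_CONFIG`; on a clean config it returns an empty list, so it can run as a pre-commit sanity check.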

Hi,

 

This problem is not related to the old bug that you mention. I have a capital A in the portal/gateway configs and still have the issue.

 

 global-protect-portal {
GP-Portal {
portal-config {
ssl-tls-service-profile web-gui-ssl-profile;
client-auth {
"Local&LDAP for Admins" {
os Any;
authentication-profile auth-sequence-gp;
authentication-message "Enter login credentials";
}
}

 

# show global-protect global-protect-gateway GP-EXT-XAuth-RSA
GP-EXT-XAuth-RSA {
roles {
default {
login-lifetime {
days 30;
}
inactivity-logout {
hours 3;
}
disconnect-on-idle {
minutes 180;
}
}
}
client-auth {
admins&standard-users {
authentication-profile auth-sequence-gp;
os Any;
authentication-message "Enter login credentials";
}
}

 

With 8.0.5:

- Stock / stock-like Android 6.0 devices connect to the VPN but no traffic passes; all traffic times out on the client side and there is no indication in the PAN-OS logs that client traffic reaches PAN-OS.

 

- Samsung Android 7 devices connect to the VPN but none of the traffic is routed through the VPN.

 

- LineageOS Android 7 device works as expected.

 

Regards,

 

Rahman

Hi,

 

We have a case open for this issue. TAC found the issue.

The fixed release is not known yet.

 

https://bugs.libreswan.org/show_bug.cgi?id=251

 

Regards

 

Hi

 

we have the same issue

 

Regards

 

L4 Transporter

@RahmanDuran

Is this only for phone access on the native client, or also for PCs' native access?
