GlobalProtect Satellite Not Receiving Newly Added Access Route from the Gateway
Symptom
In this scenario a GlobalProtect satellite is successfully connected to a GlobalProtect Gateway as shown below:
As shown above in the 'Route Sharing' column, the GlobalProtect Gateway is advertising the subnet 192.168.94.0/24 to the satellite. A new access route of the subnet 10.66.22.0/23 is added in the GlobalProtect Gateway config to be published to the satellite, as shown below:
However, this newly added access route 10.66.22.0/23 is still not received by the satellite and the gateway information did not change to display 10.66.22.0/23, as shown below:
Environment
- Pan-OS
- GlobalProtect
- GlobalProtect satellite
Resolution
On the GlobalProtect Satellite, go to Network > IPSec Tunnels > GP-Satellite and click on "Gateway Info":
Check the gateway config and click "Refresh GW Config", as shown below to retrieve any changes made on the gateway such as receiving an access route:
The GlobalProtect satellite now has a route to reach the subnet 10.66.22.0/23 behind the GlobalProtect gateway.
By default, the GlobalProtect satellite refreshes the config from gateway for the hours value specified in the GlobalProtect gateway satellite config, as shown below (default is 1 hour and max value is 48 hours):
Note: To refresh the gateway config through the CLI, and to verify the access routes added on the GlobalProtect satellite, use the following CLI commands:
> request global-protect-satellite get-gateway-config gateway-address 10.66.24.94 satellite GP-Satellite
Use the command: > show global-protect-satellite current-gateway gateway 10.66.24.94 satellite GP-Satellite to display the gateway connection status > show global-protect-satellite current-gateway gateway 10.66.24.94 satellite GP-Satellite GlobalProtect Satellite : GP-Satellite (1 gateways) Gateway Info: 10.66.24.94 Get Config State: Refresh Time (seconds) : 7200 Failed Refresh Time (seconds) : 300 Current Get Config : success Max Get Config Retries : 34 Number Get Config Failed : 0 Config Timer Activated : yes Next Get Config Time (seconds) : 6081 Cached Get Config Time (seconds) : 0 Failed Reason Portal Config: GlobalProtect Gateway Name : Gateway-FW-94 GlobalProtect Gateway Address : 10.66.24.94 Priority : 1 Gateway Config: Gateway Tunnel Name : GP-Gateway-S Gateway Tunnel Interface : tunnel.6 Gateway Tunnel id : 9 Gateway Tunnel IP : 7.7.7.1 Gateway Additional Tunnel IPs : Status : Active Status Time : Jan.14 03:12:57 Reason : Established Config Refresh Time (hours) : 2 IP Address : 172.17.1.1 Default Gateway : 7.7.7.1 Netmask : 255.255.255.255 Access Routes : 192.168.94.0/24 : 10.66.22.0/23 Denied Routes : Duplicate Routes : DNS Servers : DNS Suffixes : Tunnel Monitor Enabled : No Tunnel Monitor Interval : 0 seconds Tunnel Monitor Action : wait-recover Tunnel Monitor Threshold : 0 attempts Tunnel Monitor Source : 172.17.1.1 Tunnel Monitor Destination : 7.7.7.1 Tunnel Monitor Status : No data available
Additional Information
See Also
How to Configure GlobalProtect Satellite
Large Scale VPN (LSVPN) Deployment Guide
owner: gchandrasekeran