- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-23-2021 09:38 PM
Hey Community:
I am in the process of rolling out GlobalProtect, but until I do, i have to continue to use a pfSense OpenVPN that was already in place before the Palo was deployed.
The problem I am running into when i connect to the pfSense VPN i cannot browse to a web server that sits on server 192.168.130.221. I can ping the host just appears that no TCP communications is allowed. I have also checked my policies and nothing in my findings is blocking it.
Setup:
PA-220; 192.168.130.1 <--------------------------->192.168.130.249: pfSense VPN Appliance, VPN clients are assigned an IP address from pool 10.31.253.0/25 network.
I can ping from a 10.31.253.x to the web host 192.168.130.221but I cannot browse to the website it is hosting, keep getting a timeout error. I also ran a packet capture and I can see that my web browse attempt is making it to the web server but the return traffic is getting dropped and I see resets.This same thing is happening to another web site that sits behind 192.168.31.224. Can ping it just not access it.
06-23-2021 10:51 PM - edited 06-24-2021 12:55 AM
Looks like asymmetric routing issue. Pfsense will see server local and go direct, server will see traffic from 10 address which is not local so will send to def gateway palo... palo prob drop cos never got a session start. Icmp works different so nobody really cares about sessions... you could nat 10 traffic to a 192 address, then server will reply back to pfs interface...
or add a static route on the server to 10.31.253.0/24 via GW 192.168.130.249.
i would prefer the NAT option as you may have several servers and will need to remove when PFS appliance is removed.
06-23-2021 10:16 PM
Hmm not sure of your exact setup... what is the servers default gateway, if its the palo then do you have static route to the 10.x network via the other appliance... prob not much help but perhaps a sketch/doodle may help...
06-23-2021 10:29 PM
Thanks for your reply. The web server's gateway is the palo's IP of 192.168.130.1. Yes there is a route on the appliance to the 10.x.
To note, this all worked with the previous setup with a Meraki MX gateway which we replaced with the Palo. Again, i can ping all of these servers from the 10.x network so routing is working just fine, it has to be something at another level.
06-23-2021 10:51 PM - edited 06-24-2021 12:55 AM
Looks like asymmetric routing issue. Pfsense will see server local and go direct, server will see traffic from 10 address which is not local so will send to def gateway palo... palo prob drop cos never got a session start. Icmp works different so nobody really cares about sessions... you could nat 10 traffic to a 192 address, then server will reply back to pfs interface...
or add a static route on the server to 10.31.253.0/24 via GW 192.168.130.249.
i would prefer the NAT option as you may have several servers and will need to remove when PFS appliance is removed.
06-24-2021 05:27 AM - edited 06-24-2021 05:27 AM
Thanks for your help. Your comment put me on the right path even though I did not use the solution you provided. The issue was with asymmetric routing and i confirmed this by doing a packet cap on the Palo and could see return traffic getting dropped.
What I ended up doing was applying a Zone Protection Profile to the LAN Zone that permitted Asymmetric routing. Once we have moved completely over to GlobalProtect, i will remove the ZPP from the LAN zone. Again, thank you for your help.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!