Can't get traffic to GP VPN clients

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can't get traffic to GP VPN clients

L1 Bithead

I'm trying to figure out how to get traffic from my internal network to my GP VPN clients. At the moment I can't even ping the remote users. They can access all corporate resources without issue I just can't seem to get any traffic out to them. It seems I have this issue with any tunnel.xx interface. Is there something obvious here that I'm missing?

 

I'm running an 820 with 8.1.6.

1 accepted solution

Accepted Solutions

Howdy, there really could only be 2 potential reasons.....  security policy to allow the traffic and routing table to permit the traffic.

 

You MUST see traffic in your logs from your inside zone to your globalprotect zone (or whatever)

If you do not see this traffic, then you are not displaying your logs properly, or you are using intrazone policy (without logging) or you are not logging the rule that it would be hitting... once you see this, then you can confirm in your logs, that you see traffic from the inside interface (whatever that would be) destined to the tunnel interface for GP (whatever that is..)

Help the community: Like helpful comments and mark solutions

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

You may want to confirm that the virtual pool of addresses that the GP users are getting is an UNKNOWN/un-used range from your internal network.  Too often I see customers using a subnet that is internal to the network, and then the L3 switch does not know how to get them to the users.   So routing/subnet is one issue.

 

Let us know how this works.. provide other detials.

 

 

Help the community: Like helpful comments and mark solutions

Hi Steve,

 

Yes I can confirm that the virtual pool definitely is not used anywhere else in my network. I've also got a static route setup for it same as I do my other networks that terminate on the PA.

L7 Applicator

Every setup is different but for me i just have a policy to allow all from trusted zone to vpn tunnel zone.

 

 

I have a similar policy that basically allows my entire IT zone to access any on my Global Protect zone. I don't think its a policy issue so much as a routing issue as I can ping the tunnel gateway but not the individual clients that are remoting in.

I was wondering if you ever found a solution to this?

Howdy, there really could only be 2 potential reasons.....  security policy to allow the traffic and routing table to permit the traffic.

 

You MUST see traffic in your logs from your inside zone to your globalprotect zone (or whatever)

If you do not see this traffic, then you are not displaying your logs properly, or you are using intrazone policy (without logging) or you are not logging the rule that it would be hitting... once you see this, then you can confirm in your logs, that you see traffic from the inside interface (whatever that would be) destined to the tunnel interface for GP (whatever that is..)

Help the community: Like helpful comments and mark solutions
  • 1 accepted solution
  • 6890 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!