03-16-2020 08:24 AM
I'm trying to figure out how to get traffic from my internal network to my GP VPN clients. At the moment I can't even ping the remote users. They can access all corporate resources without issue I just can't seem to get any traffic out to them. It seems I have this issue with any tunnel.xx interface. Is there something obvious here that I'm missing?
I'm running an 820 with 8.1.6.
02-19-2021 04:27 PM
Howdy, there really could only be 2 potential reasons..... security policy to allow the traffic and routing table to permit the traffic.
You MUST see traffic in your logs from your inside zone to your globalprotect zone (or whatever)
If you do not see this traffic, then you are not displaying your logs properly, or you are using intrazone policy (without logging) or you are not logging the rule that it would be hitting... once you see this, then you can confirm in your logs, that you see traffic from the inside interface (whatever that would be) destined to the tunnel interface for GP (whatever that is..)
03-16-2020 10:57 AM
You may want to confirm that the virtual pool of addresses that the GP users are getting is an UNKNOWN/un-used range from your internal network. Too often I see customers using a subnet that is internal to the network, and then the L3 switch does not know how to get them to the users. So routing/subnet is one issue.
Let us know how this works.. provide other detials.
03-16-2020 11:10 AM
Hi Steve,
Yes I can confirm that the virtual pool definitely is not used anywhere else in my network. I've also got a static route setup for it same as I do my other networks that terminate on the PA.
03-16-2020 12:35 PM
Every setup is different but for me i just have a policy to allow all from trusted zone to vpn tunnel zone.
03-17-2020 11:09 AM
I have a similar policy that basically allows my entire IT zone to access any on my Global Protect zone. I don't think its a policy issue so much as a routing issue as I can ping the tunnel gateway but not the individual clients that are remoting in.
02-19-2021 04:17 PM
I was wondering if you ever found a solution to this?
02-19-2021 04:27 PM
Howdy, there really could only be 2 potential reasons..... security policy to allow the traffic and routing table to permit the traffic.
You MUST see traffic in your logs from your inside zone to your globalprotect zone (or whatever)
If you do not see this traffic, then you are not displaying your logs properly, or you are using intrazone policy (without logging) or you are not logging the rule that it would be hitting... once you see this, then you can confirm in your logs, that you see traffic from the inside interface (whatever that would be) destined to the tunnel interface for GP (whatever that is..)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
