This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cisco IPSEC VPN client connecting to PAN 4.1

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cisco IPSEC VPN client connecting to PAN 4.1

robclav
Not applicable

‎12-20-2011 12:41 PM

Hi folks,

there were no way to establish a ipsec connection between a Cisco VPN client and PAN. I was "inspired" by the globalprotect guide but wasn't enought.

  • At the cisco vpn client side, I had configured just the ip address, the group and pwd, and nat-t.
  • At the PAN side, I had configured the globalprotect portal, the gateway(using the third-party option for cisco vpn client), and the ike gateway.

I had a computer at the same subnet than the "outside" interface who has the portal and the gateway published. So I checked the option to be able to connect even to the local lan when the vpn is up.

BUT, the main issue is that there's no trace for the ipsec traffic at the Paloalto. I'm not able to see the dropped traffic at PAN or any kind of answer at the cisco vpn client.

Could you help me to find the way to get connected? Thank you guys,

RobClav

By the way, I should to use the Cisco client in order to avoid a massive client migration at xmas time.

Labels:
0 Likes Likes
7 REPLIES 7

robclav
Not applicable

‎12-27-2011 09:00 AM

I found a Bug related to the 4.1 version. So I go througt a downgrade to 4.0.7.

Hth,

RobClav

0 Likes Likes

jonathan_delannoye
Not applicable
In response to robclav

‎08-17-2012 01:16 AM

Hello,

On 4.1.7 is working for me.

0 Likes Likes

jonathan_delannoye
Not applicable

‎10-04-2012 05:33 AM

I can be connected but the client has been disconnected 1 hour later.

I opened a case and the client is not support by Palo Alto Networks.

There is an IKE exchange and the client does not support it so you will be disconnected.

0 Likes Likes

nisse
Not applicable

‎12-20-2012 01:00 AM

Jonathan, did you ever resolv this?

As far as I can see, the problem arises when there is a rekey for the IPSEC tunnel.

I use aggressive mode where the Cisco ISR is always initiator since it has a dynamic IP adress via DHCP.

In the debugs on the Cisco I get the feeling that it is an issue with ISAKMP.

It does 5 retries ar rekeying then takes down the tunnel interface and sets it up again.

0 Likes Likes

jonathan_delannoye
Not applicable
In response to nisse

‎01-02-2013 11:28 PM

Finally, i installed GlobalProtect for my customer because there is no issue.

The official support told me that the PAN firewall does not support the rekey with the Cisco client

nisse
Not applicable

‎01-07-2013 04:11 AM

I see.

I missunderstood.

Thought the problem was with a site to site VPN.

Regards, Nils

0 Likes Likes

PierreJvR
L1 Bithead
In response to jonathan_delannoye

‎02-22-2013 02:50 PM

I'm having the same issue with the connection being dropped when trying to establish a new IPSEC SA or IKE rekey.

Unfortunately I can't use GlobalProtect because it plays havoc with our OTP 2-factor authentication. This happens with different clients: ShrewSoft VPN, built-in OS X and from what users tell me the iOS client too.

Very frustrating!

0 Likes Likes
  • 6001 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks