11-13-2016 08:27 PM
Hello,
GlobalProtect GW with x-auth is enabled for IPsec VPN client services. However, only one concurrent session per user is allowed and any subsequent sessions disconnects the previous session user. Same issue happens whether the user is a local account or an AD account. We need to have multiple sessions running with the same user account.
Any idea how to fix this?
Thanks in advance.
11-14-2016 01:58 AM
Hi Farzana
GlobalProtect allows multiple concurrent logins from the same username.
Do you possibly have a User-ID agent (client/clientless) set to probing, with the IP range of the GlobalProtect clients included? It's possible the User-ID agent is timing out the user mappings with probes, since GlobalProtect will allow concurrent sessions.
11-21-2016 08:08 PM
Hello Reaper,
Thank you for your suggestion. No probing is enabled in the User ID Agent Setup. Tried adding an exception for the subnet used by VPN clients but the issue still occurred.
Using Cisco VPN ver 5.0.07.0290. The log output below shows everything working OK up to line 11; from line 12 on is when another VPN client connects with the same username:
Looking forward to your response.
11-21-2016 08:44 PM
In system logs we are getting:
ike-nego-p2-proxy-id-bad | IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start | IKE phase-2 negotiation is started as responder
ike-nego-p2-proxy-id-bad | IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start | IKE phase-2 negotiation is started as responder
11-22-2016 12:23 AM
Kind of looks like there's a configuration issue: proxy IDs are network subnet objects exchanged between two VPN peers to determine which local IP addresses are being used.
You may want to review which IP pool is being used for GP clients and whether that subnet is also routed elsewhere in the organization.
Would you be able to share configuration snapshots without revealing too much sensitive info?
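To make the proxy-ID point concrete, here is an added example that is not code from this thread or from Palo Alto Networks. It parses the four system-log rows quoted above (copied here as constructed sample input), pulls out which side's ID type the responder rejected, and then encodes and decodes IPsec DOI identification payloads (RFC 2407 section 4.6.2) so you can see the difference between a subnet proxy ID and the IPv4_address_range ID the log complains about. The set of ID types treated as accepted by the responder is an assumption for the example, based only on the log saying that the range type is not supported.

```python
import ipaddress
import re
import struct

# Constructed sample: the four system-log rows quoted in the thread (event id | description).
SAMPLE_LOG = """\
ike-nego-p2-proxy-id-bad | IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported. |
ike-nego-p2-start | IKE phase-2 negotiation is started as responder |
ike-nego-p2-proxy-id-bad | IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported. |
ike-nego-p2-start | IKE phase-2 negotiation is started as responder |
"""

# IPsec DOI identification types, RFC 2407 section 4.6.2.1.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7
ID_NAMES = {ID_IPV4_ADDR: "IPv4_address",
            ID_IPV4_ADDR_SUBNET: "IPv4_subnet",
            ID_IPV4_ADDR_RANGE: "IPv4_address_range"}

# Assumption for this example: the responder accepts single-address and subnet proxy IDs,
# and rejects ranges (the only fact the quoted log actually establishes).
ACCEPTED_ID_TYPES = {ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET}

_BAD_ID_RE = re.compile(
    r"received ID for (?P<side>\w+)-side type \((?P<idtype>[^)]+)\) is not supported")


def parse_log(text):
    """Split 'event | description |' rows into (event, description) tuples."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if len(parts) >= 2 and parts[0]:
            rows.append((parts[0], parts[1]))
    return rows


def proxy_id_failures(rows):
    """Return one (side, id_type_name) per proxy-ID rejection found in the log."""
    found = []
    for event, desc in rows:
        if event != "ike-nego-p2-proxy-id-bad":
            continue
        m = _BAD_ID_RE.search(desc)
        found.append((m.group("side"), m.group("idtype")) if m else ("unknown", "unknown"))
    return found


def build_id_payload(id_type, data):
    """Encode an Identification payload: generic header (next payload, reserved,
    length), then ID type, protocol ID, port, and the identification data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def subnet_id(cidr):
    """Subnet proxy ID: 4-byte network address followed by 4-byte mask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return build_id_payload(ID_IPV4_ADDR_SUBNET,
                            net.network_address.packed + net.netmask.packed)


def range_id(first, last):
    """Range proxy ID: 4-byte first address followed by 4-byte last address."""
    return build_id_payload(ID_IPV4_ADDR_RANGE,
                            ipaddress.IPv4Address(first).packed
                            + ipaddress.IPv4Address(last).packed)


def decode_id_payload(payload):
    """Decode ID type and selector; say whether this (assumed) responder accepts it."""
    id_type, _proto, _port = struct.unpack("!BBH", payload[4:8])
    data = payload[8:]
    if id_type == ID_IPV4_ADDR:
        selector = str(ipaddress.IPv4Address(data[:4]))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        addr, mask = ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:8])
        selector = str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    elif id_type == ID_IPV4_ADDR_RANGE:
        selector = f"{ipaddress.IPv4Address(data[:4])}-{ipaddress.IPv4Address(data[4:8])}"
    else:
        selector = data.hex()
    return {"id_type": ID_NAMES.get(id_type, str(id_type)),
            "selector": selector,
            "accepted": id_type in ACCEPTED_ID_TYPES}


if __name__ == "__main__":
    for side, idtype in proxy_id_failures(parse_log(SAMPLE_LOG)):
        print(f"responder rejected {side}-side proxy ID of type {idtype}")
    # Hypothetical client pool 10.10.10.0/24 offered two ways: as a subnet and as a range.
    print(decode_id_payload(subnet_id("10.10.10.0/24")))
    print(decode_id_payload(range_id("10.10.10.1", "10.10.10.254")))
```

Running it shows the two rejections are both for the remote side's ID, and that the same pool decodes to an accepted subnet selector when sent as ID type 4 but to a rejected range selector when sent as ID type 7. That is the practical check: whatever the third-party client is configured to send as its phase-2 selector has to be something the gateway's proxy-ID settings can match.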
11-22-2016 12:56 AM
Hi Reaper,
Thank you for your speedy reply. The config in place is the same as in the link below, except that the portal is on a different port and a private IP, NATed behind the Palo's outside interface because another device is using port 443. But that shouldn't matter, as that is only the portal web page, not the VPN traffic gateway.
Not using GP client...just IPsec/Cisco remote VPN.
https://www.paloaltonetworks.com/documentation/Videos/gp-qc1-video.html
11-22-2016 01:11 AM
Hm.
Have you tried using GlobalProtect? 😉
I'm not sure about the implications when using a 3rd-party VPN client.
11-22-2016 07:18 AM
@reaper Please help...My Galaxy S7 isn't working with iOS10. lol
11-22-2016 10:29 AM
A few things about this setup:
1) If you are forming the IPsec connection through the Palo Alto firewall, just use GlobalProtect and set up the SSL VPN.
2) Don't use an unsupported Cisco client that has known security issues that will NEVER be fixed.
3) GP is a free product and way more serviceable than IPsec connections. IPsec is great for tunnels, but not for active use on client devices trying to connect back to the office. You should really be moving away from IPsec as a whole.
11-22-2016 01:55 PM
Hi Brandon,
I understand what you are trying to say. The thing is, if the client wants only Cisco VPN for their users, then being an ASC we don't have much of a say other than to suggest trying the GlobalProtect client.
I try to use this forum to get suggestions, since PA is a fairly new product (compared to other vendors) and there are not enough forums out there for many scenarios.
This kind of tongue-in-cheek humor puts me off asking questions here 🙂
Cheers
Farzana
11-22-2016 02:06 PM
@Farzana Pretty sure PA was the first purpose-built application-aware FW.
The platform has been around for some time. You "buried the lede": I'm having this problem... Oh, by the way, I'm trying to smash two unique/competitive vendor products together and it's not working.
It's tongue-in-cheek because it's funny.
It's good to know if scenarios like this work and/or if they fail, and under what circumstances for each, but come on... You gotta be a little more thick-skinned than that.
Not to mention, as an IT professional, if you aren't going back to your client and telling them the solution they're trying to implement isn't how this should be done, you're not doing right by your customer.
11-22-2016 02:37 PM
Yes you are right Brandon.
Client uses IPSec because they connect to many client environments so it is non-trivial for them to implement GlobalProtect.
I will check if certificate was applied properly.
The first user can connect to VPN easily but when another user logs in then he gets kicked out.
11-23-2016 05:47 AM
@Farzana Sometimes we get a little out of hand 🙂
I would just point out to the client that the legacy Cisco VPN is no longer supported and does not work properly with anything greater than Windows 7. Even if you do the legwork to get this to function, it isn't a supported function; you also run into the issue of security when using a VPN client that is no longer being updated for known security holes.
11-23-2016 05:50 AM
Plus, concurrent users work 100% guaranteed with GlobalProtect 🙂