09-30-2014 11:35 AM
Me, again. Linux/Unix guy, drafted to be the Windows / Network guy when that fellow left.
Our network reseller set up the device. I'm trying to dope this stuff out a) because their time is valuable and we're minding our dollars and b) I really need to _know_ this stuff.
My next feat is to get some of the Windows 8 peecees in the office connected through the VPN to login to the domain controller in the (remote) data center.
VPN login using Local User Database works fine: turn on the Global Protect client, and we can remote login (RDP, ssh) any resource in the data center. Great!
I've got a domain controller, and the beginnings of a nice little Active Directory setup: lookin' okay there, too.
Edit the DNS so the device is looking at my Domain Controller.
Go to Device - User Identification - User Mapping - Edit User ID Agent Setup
Fill in a valid service user in the domain, with the right groups.
Go to Server Monitoring - hit Discover: nothing.
Click Add, give it the information - status is
I think 'that's funny' and shell into the host.
admin@<redacted host> ping host 209.59.31.137
PING 209.59.31.137 (209.59.31.137) 56(84) bytes of data.
From 10.220.0.127 icmp_seq=2 Destination Host Unreachable
And I don't even know where 10.220.0.127 came from. I get that when I (try to) ping Google ...
admin@<redacted host> ping host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.220.0.127 icmp_seq=1 Destination Host Unreachable
From 10.220.0.127 icmp_seq=2 Destination Host Unreachable
I _guess_ I've got a routing issue? All I want to be able to do is login, man, and get this thing up and running with Active Directory.
I _feel_ like I don't even know where to begin.
09-30-2014 01:23 PM
Hi Bdunbar,
You can route User-ID traffic through the dataplane. You need to configure a service route. Refer to the following document.
Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI
Regards,
Hardik Shah
09-30-2014 11:41 AM
Could you share the output after typing configure
# show deviceconfig system
09-30-2014 11:53 AM
Hi bdunbar
10.220.0.127 should be the IP that does not have a route to the destination 209.59.31.137; that is why it is replying with ICMP destination unreachable. This is either your default gateway in the management interface settings (Device > Setup > Management) or some device in the path to the destination.
We will wait for you to attach the above output requested.
Thanks
09-30-2014 01:00 PM
output ..
admin@tn-gateway-01# show deviceconfig system
system {
    ip-address 10.220.0.127;
    netmask 255.255.255.0;
    update-server updates.paloaltonetworks.com;
    update-schedule {
        threats {
            recurring {
                daily {
                    at 01:30;
                    action download-and-install;
                }
            }
        }
        wildfire {
            recurring {
                every-hour {
                    at 20;
                    action download-and-install;
                }
            }
        }
        global-protect-datafile {
            recurring {
                weekly {
                    action download-and-install;
                    at 03:00;
                    day-of-week sunday;
                }
            }
        }
        anti-virus {
            recurring {
                daily {
                    at 00:30;
                    action download-and-install;
                }
            }
        }
    }
    timezone US/Central;
    service {
        disable-telnet yes;
        disable-http yes;
    }
    hostname tn-gateway-01;
    default-gateway 10.220.0.1;
    dns-setting {
        servers {
            primary 209.59.29.221;
        }
    }
    route {
        service {
            dns {
                source {
                    address 209.59.31.140/29;
                    interface vlan.10;
                }
            }
            email {
                source {
                    address 209.59.31.140/29;
                    interface vlan.10;
                }
            }
            ntp {
                source {
                    address 209.59.31.140/29;
                    interface vlan.10;
                }
            }
            paloalto-updates {
                source {
                    address 209.59.31.140/29;
                    interface vlan.10;
                }
            }
            url-updates {
                source {
                    address 209.59.31.140/29;
                    interface vlan.10;
                }
            }
            wildfire {
                source {
                    address 209.59.31.140/29;
                    interface vlan.10;
                }
            }
        }
    }
    ntp-server-1 209.118.204.201;
    domain corp.cicayda.com;
    login-banner "Who knocks on my castle door? ";
}
[edit]
admin@tn-gateway-01#
09-30-2014 01:05 PM
Hi Bdunbar,
The IP address and default gateway look good; in that case I think the firewall is not learning the ARP entry for the default gateway.
Can you ping the default gateway? Or does the firewall learn an ARP entry for the default gateway?
Regards,
Hardik Shah
09-30-2014 01:17 PM
"Can you ping default gateway"
Nope.
admin@tn-gateway-01> ping host 10.220.0.1
PING 10.220.0.1 (10.220.0.1) 56(84) bytes of data.
From 10.220.0.127 icmp_seq=3 Destination Host Unreachable
From 10.220.0.127 icmp_seq=4 Destination Host Unreachable
From 10.220.0.127 icmp_seq=5 Destination Host Unreachable
From 10.220.0.127 icmp_seq=6 Destination Host Unreachable
^C
--- 10.220.0.1 ping statistics ---
7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6023ms
, pipe 3
"or does firewall learn ARP entry for default gateway."
You lost me. Sorry: I don't know where to find a value like that? If it helps .. my arp table ..
admin@tn-gateway-01> show arp all
maximum of entries supported : 500
default timeout: 1800 seconds
total ARP entries in table : 14
total ARP entries shown : 14
status: s - static, c - complete, e - expiring, i - incomplete
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/4 209.59.29.194 00:25:90:d1:e9:36 ethernet1/4 c 315
ethernet1/4 209.59.29.195 00:25:90:af:44:44 ethernet1/4 c 744
ethernet1/4 209.59.29.196 00:25:90:d1:ea:88 ethernet1/4 c 999
ethernet1/4 209.59.29.199 00:25:90:d1:e9:07 ethernet1/4 c 756
ethernet1/4 209.59.29.201 a0:36:9f:1d:fe:8c ethernet1/4 c 849
ethernet1/4 209.59.29.203 00:0c:29:f7:8b:ba ethernet1/4 c 547
ethernet1/4 209.59.29.210 a0:36:9f:21:96:f0 ethernet1/4 c 1722
ethernet1/4 209.59.29.221 00:0c:29:ab:17:b0 ethernet1/4 c 1788
ethernet1/4 209.59.29.222 00:0c:29:75:a7:f9 ethernet1/4 c 1423
ethernet1/4 209.59.29.224 00:0c:29:ff:4f:54 ethernet1/4 c 1799
ethernet1/4 209.59.29.254 54:e0:32:f3:2d:81 ethernet1/4 c 1659
vlan.10 209.59.31.137 00:00:0c:07:ac:0d ethernet1/1 c 1221
vlan.10 209.59.31.138 84:78:ac:55:d1:c1 ethernet1/1 c 1669
vlan.10 209.59.31.139 d8:67:d9:0f:05:41 ethernet1/2 c 1669
Which causes me to realize a thing, that may or may not be relevant.
I was having a time getting the hypervisors to talk on the VLAN set aside for the 'private' 10.x.x.x network, so I put my first round of hosts in the 209.59.29.193/26 network, hanging off ethernet1/4. After this deployment is done, I said, I'd go back and figure out what the problem is.
09-30-2014 01:21 PM
You have used many service route configurations; probably the management interface has no access to the internet or to AD either. You may change the Active Directory access interface.
Go to Device/Setup/Services/Service Route Configuration. Choose the destination as the AD IP address and choose your LAN interface and IP (which can access AD).
09-30-2014 01:22 PM
Hi Bdunbar,
The command to view the management interface ARP is "show arp management". In this case I am very positive the firewall is not learning ARP for the default gateway. Hence everything is unreachable, just from the management interface.
Regards,
Hardik Shah
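A small diagnostic, added here as an example and not part of the thread, that automates the check Hardik describes: it reads the management IP and default gateway from `show deviceconfig system`, looks the gateway up in an ARP listing (feed it `show arp management`, whose column layout is assumed to match the `show arp all` output above), and uses the source address of the ICMP unreachables to tell a local ARP failure from a drop by a router further along the path. The sample inputs are constructed from the outputs posted in this thread.

```python
import re

# Constructed excerpts modelled on the outputs posted in the thread
# (show deviceconfig system, ping host 10.220.0.1, show arp all).
CONFIG = """\
    ip-address 10.220.0.127;
    default-gateway 10.220.0.1;
"""
PING = """\
PING 10.220.0.1 (10.220.0.1) 56(84) bytes of data.
From 10.220.0.127 icmp_seq=3 Destination Host Unreachable
From 10.220.0.127 icmp_seq=4 Destination Host Unreachable
"""
ARP = """\
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/4 209.59.29.194 00:25:90:d1:e9:36 ethernet1/4 c 315
vlan.10 209.59.31.137 00:00:0c:07:ac:0d ethernet1/1 c 1221
"""

def config_value(config, key):
    """Return the value of a 'key value;' line from PAN-OS config output."""
    m = re.search(rf"^\s*{re.escape(key)}\s+(\S+);", config, re.M)
    return m.group(1) if m else None

def arp_entries(arp_output):
    """Map IP -> (interface, mac, status) from a PAN-OS ARP table listing."""
    entries = {}
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) == 6 and re.fullmatch(r"\d+(\.\d+){3}", parts[1]):
            entries[parts[1]] = (parts[0], parts[2], parts[4])
    return entries

def unreachable_sources(ping_output):
    """Hosts that generated 'Destination Host Unreachable' during the ping."""
    return set(re.findall(r"^From (\S+) icmp_seq=\d+ Destination Host Unreachable", ping_output, re.M))

def diagnose(config, ping_output, arp_output):
    # An unreachable whose source is the pinging host's own address means the
    # host could not resolve its next hop (no ARP reply), not a router dropping it.
    mgmt_ip = config_value(config, "ip-address")
    gateway = config_value(config, "default-gateway")
    entry = arp_entries(arp_output).get(gateway)
    if entry is not None and entry[2] == "c":
        return "resolved", f"{gateway} is complete on {entry[0]} ({entry[1]})"
    sources = unreachable_sources(ping_output)
    if sources == {mgmt_ip}:
        return "local-arp-failure", f"{mgmt_ip} has no ARP entry for gateway {gateway}"
    return "remote-unreachable", "unreachable sent by " + ", ".join(sorted(sources))
```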
09-30-2014 02:52 PM
That did it, thank you very much.
09-30-2014 02:52 PM
That was the trick - thank you very much.