10-02-2019 10:26 AM
Hello team,
We have this client running his ISP through E1/3 (secondary ISP service). He wants to allow the GlobalProtect client through this connection; however, after configuring the portal and gateway in the PA-500, we tested the installed agent and got the following logs from the GP client engine:
(T22764) 09/26/19 19:56:27:735 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 19:56:30:758 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1,
m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0.
(T22764) 09/26/19 19:56:30:758 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 19:56:30:758 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery.
(T22764) 09/26/19 19:56:34:723 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
(T22764) 09/26/19 19:56:34:723 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 19:56:37:725 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1,
m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0.
(T22764) 09/26/19 19:56:37:725 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 19:56:37:725 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery.
(T22764) 09/26/19 19:56:40:571 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
(T22764) 09/26/19 19:56:40:571 Debug(4523): No need to check gateway route since no tunnel.
(T5392) 09/26/19 19:56:42:041 Debug( 301): Received session change, event type 8, session 1
(T22764) 09/26/19 19:56:43:572 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1,
m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0.
(T22764) 09/26/19 19:56:43:572 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 19:56:43:572 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery.
(T9888) 09/26/19 19:57:00:241 Info ( 246): HipCheckThread: got check hip event or time out.
(T9888) 09/26/19 19:57:00:241 Debug( 258): HipCheckThread: WAIT_TIMEOUT
(T9888) 09/26/19 19:57:00:241 Debug( 270): HipCheckThread: m_bHipPolicyReady is false, coninue;
(T9888) 09/26/19 19:57:00:241 Debug( 216): HipCheckThread: wait for hip check event for 3600000 ms);
(T22764) 09/26/19 20:08:59:228 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
(T22764) 09/26/19 20:08:59:228 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 20:09:02:230 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1,
m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0.
(T22764) 09/26/19 20:09:02:230 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 20:09:02:230 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery.
(T22764) 09/26/19 20:09:02:373 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds.
(T22764) 09/26/19 20:09:02:373 Debug(4523): No need to check gateway route since no tunnel.
In the PA, using the CLI, we validated the connection between E1/3 (PA-500) and e1/4 of the ISP's Cisco RV20; below are the ping results:
@Server-PA> ping source 2xx.1xx.69.44 host 2xx.1xx.69.41
PING 2xx.1xx.69.41 (2xx.1xx.69.41) from 2xx.1xx.69.44 : 56(84) bytes of data.
64 bytes from 2xx.1xx.69.41: icmp_seq=1 ttl=255 time=1.08 ms
64 bytes from 2xx.1xx.69.41: icmp_seq=2 ttl=255 time=0.997 ms
^C
--- 2xx.1xx.69.41 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7069ms
rtt min/avg/max/mdev = 0.997/2.856/15.404/4.743 ms
@Server-PA>
@Server-PA> ping source 2xx.1xx.69.44 host 8.8.4.4
PING 8.8.4.4 (8.8.4.4) from 2xx.1xx.69.44 : 56(84) bytes of data.
^C
--- 8.8.4.4 ping statistics ---
257 packets transmitted, 0 received, 100% packet loss, time 256151ms
@Server-PA>
where 2xx.1xx.69.41 is the GW router.
The ISP said, "you need to put our DNS servers' IPs on the next device (in this case the PA-500) in order to get Internet traffic flow". We haven't tested this option, because the client has their own DNS servers.
By the way, the client also has another ISP at E1/1 which has a specific NAT rule mapped to services 80,443 for their web portal services. On the first try we also pointed GP through that interface, mapped to service :8443, and again the GlobalProtect message was: Portal Not found.
Any ideas how to solve this?
cordially
jose
10-08-2019 07:42 PM
Hello Jose,
I am a little confused about some of the extra/unrelated info, and then confused about the configuration.
If this fails:
@Server-PA> ping source 2xx.1xx.69.44 host 8.8.4.4
PING 8.8.4.4 (8.8.4.4) from 2xx.1xx.69.44 : 56(84) bytes of data.
257 packets transmitted, 0 received, 100% packet loss, time 256151ms
then it is security policy, PBF, or routing table related.
When you do the pings, do you see the traffic logs (at session end) showing on your FW?
What do they show as the reason traffic is not passing?
If the logs show the traffic is allowed, the security policy is OK, but policy-based forwarding and/or the routing table is not correct.
What happens if you do a traceroute from the source IP to 8.8.4.4, and follow the packet to see where/what hops it takes?
The second issue that is confusing me is that you say that eth1/1 has a web portal.... which implies (to me) a GP portal configured to use ether1/1. So you are also trying to get traffic to hit a new portal/gateway on eth1/3? Maybe, maybe not... this is why I am confused.
I think it is better to provide some screen captures of interfaces, NAT policies, and your portal/gateway IPs, so that I, or whoever is assisting, can better assist you. For me, it is not very clear.
thanks
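The reply above lays out a decision tree (next hop answers but the Internet does not, so the fault is security policy, PBF or routing, and the traffic-log verdict separates the two), and the first post supplies the raw material: PAN-OS ping transcripts and PanGPS agent lines. The script below is an added example, not code from the thread or from Palo Alto Networks; it parses both formats as they appear in the posts (addresses kept masked as posted, the sample text is constructed from the thread) and applies that decision tree. The `traffic_log_allowed` flag is an assumption standing in for what the firewall's traffic log at session end would show.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed samples, copied from the thread's own output (addresses stay masked as posted).
PING_NEXT_HOP = """\
PING 2xx.1xx.69.41 (2xx.1xx.69.41) from 2xx.1xx.69.44 : 56(84) bytes of data.
64 bytes from 2xx.1xx.69.41: icmp_seq=1 ttl=255 time=1.08 ms
--- 2xx.1xx.69.41 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7069ms
"""

PING_INTERNET = """\
PING 8.8.4.4 (8.8.4.4) from 2xx.1xx.69.44 : 56(84) bytes of data.
--- 8.8.4.4 ping statistics ---
257 packets transmitted, 0 received, 100% packet loss, time 256151ms
"""

GP_AGENT_LOG = """\
(T22764) 09/26/19 19:56:27:735 Debug(4523): No need to check gateway route since no tunnel.
(T22764) 09/26/19 19:56:30:758 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1,
m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0.
(T5392) 09/26/19 19:56:42:041 Debug( 301): Received session change, event type 8, session 1
(T9888) 09/26/19 19:57:00:241 Info ( 246): HipCheckThread: got check hip event or time out.
"""

PING_HEADER_RE = re.compile(r"^PING (\S+) \(([^)]+)\) from (\S+)", re.MULTILINE)
PING_STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")
# "(Tnnn) mm/dd/yy HH:MM:SS:mmm Level(code): message"; the space before "(" and inside it varies.
GP_LINE_RE = re.compile(
    r"^\(T(?P<thread>\d+)\) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) "
    r"(?P<level>\w+)\s*\(\s*(?P<code>\d+)\): (?P<msg>.*)$"
)


@dataclass
class PingResult:
    host: str
    source: str
    transmitted: int
    received: int
    loss_pct: int


@dataclass
class GpLogEntry:
    thread: int
    timestamp: datetime
    level: str
    code: int
    message: str


def parse_ping(output: str) -> PingResult:
    """Pull host, source address and the summary counters out of a PAN-OS ping transcript."""
    header = PING_HEADER_RE.search(output)
    stats = PING_STATS_RE.search(output)
    if header is None or stats is None:
        raise ValueError("not a complete ping transcript")
    tx, rx, loss = (int(x) for x in stats.groups())
    return PingResult(host=header.group(1), source=header.group(3),
                      transmitted=tx, received=rx, loss_pct=loss)


def parse_gp_log(text: str) -> List[GpLogEntry]:
    """Parse agent lines; a line without the '(Tnnn)' prefix continues the previous message."""
    entries: List[GpLogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GP_LINE_RE.match(line)
        if m is None:
            if entries:
                entries[-1].message += " " + line
            continue
        entries.append(GpLogEntry(
            thread=int(m["thread"]),
            timestamp=datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f"),
            level=m["level"], code=int(m["code"]), message=m["msg"]))
    return entries


def gp_tunnel_state(entries: List[GpLogEntry]) -> dict:
    """What the agent log says about the tunnel: the posted log never reports IsConnected() is 1."""
    return {
        "ever_connected": any("IsConnected() is 1" in e.message for e in entries),
        "no_tunnel_events": sum("no tunnel" in e.message for e in entries),
        "portal_attempts": sum("portal" in e.message.lower() for e in entries),
    }


def triage(next_hop: PingResult, internet: PingResult,
           traffic_log_allowed: Optional[bool] = None) -> str:
    """The reply's decision tree; traffic_log_allowed is the (assumed) session-end verdict."""
    if next_hop.received == 0:
        return "next-hop: the ISP router does not answer from this interface"
    if internet.received > 0:
        return "egress ok: the interface reaches the Internet; look at portal, gateway and NAT"
    if traffic_log_allowed is None:
        return "security policy, PBF or routing: check the traffic log at session end"
    if traffic_log_allowed:
        return "routing/PBF: sessions are allowed, so check PBF rules and the virtual router"
    return "security policy: the firewall itself denies the sessions"


if __name__ == "__main__":
    print(triage(parse_ping(PING_NEXT_HOP), parse_ping(PING_INTERNET)))
    print(gp_tunnel_state(parse_gp_log(GP_AGENT_LOG)))
```

Run against the thread's own output, the triage lands on the same branch the reply names (next hop up, Internet down, traffic-log verdict still unknown), and the agent summary shows no connected state and no portal activity at all, which is consistent with the "Portal Not found" message and the firewall never logging a client attempt.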
10-09-2019 03:35 PM
Hello Steve,
No, basically we have a GlobalProtect client using the E1/3 WAN interface. If I source a ping from E1/3 I can reach the ISP router; if I source the ping from E1/3 to somewhere else on the Internet, like www.google.com, that ping doesn't work.
If I try the GP client from a PC outside of the network, I get the message "portal not found"; in the debugs on the PA there isn't any log that shows the GP client attempting to connect.
The ISP admin said that the interface has to have their DNS servers configured in order to allow bi-directional traffic, but our client can't change their internal DNS because of their web hosting (web page).
Hope this clarifies the issue. BTW, yes, routing is configured in the FW.
cordially
jose