Global protect error message

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global protect error message

L4 Transporter

Hi.

I've got a user trying to connect to my PA through a Global protect VPN, and the firewall is giving me the following error message

GlobalProtect gateway client configuration failed. User name: <xxxx>, error: Assign private IP address failed.

I know the pool for the configured GP gateway is large enough (/24) for her to be assigned an IP out of it - we don't have *that* many concurrent sessions running through the gateway at once - but I can't figure out why it's not assigning a remote IP.

Can anyone shed any light on what may be causing this?

PanOS 4.1.7, GP client 1.1.6, if it's relevant.

Thanks.

1 accepted solution

Accepted Solutions

L4 Transporter

Darren,

Is the Ip-pools assigned to the Global protect gateway overlapping the Local LAN?

If that is the case, It is recommended to have ip-pool as a completely different subnet that the Local LAN -trust network.

Regards

View solution in original post

12 REPLIES 12

L4 Transporter

Darren,

Is the Ip-pools assigned to the Global protect gateway overlapping the Local LAN?

If that is the case, It is recommended to have ip-pool as a completely different subnet that the Local LAN -trust network.

Regards

Thanks.

That was my first thought - I'm trying to get a remote user to work through running "ipconfig" and get the results. It promises to be a whole new adventure in troubleshooting pain! 🙂

I'll update once (if) I get a result.

Oh My.

I managed to get her to run an "ipconfig".

Her local segment is configured thusly

IP : 10.1.1.4

Router : 10.1.1.1

Mask : 255.0.0.0

Yup, she's got her local router configured to allocate a whole class "A" subnet!

Of course, this overlaps my 10.10.0.0/24 VPN network quite nicely, so I'd guess that's exactly why it's failing.

Thanks for confirming what I thought was the problem.

I've just encountered this problem as well. Is there a way to fix this issue?  Apart from changing IP pool for all users or asking remote user to change hotel Smiley Happy

santonic wrote:

I've just encountered this problem as well. Is there a way to fix this issue?  Apart from changing IP pool for all users or asking remote user to change hotel

Unfortunately not.

If the network used by the remote end (hotel) overlaps with either the subnet used for your VPN, or one of the networks you split-tunnel to VPN clients, then Global Protect is unable to create the "virtual" interface used for the VPN, and will fail.

The only thing I can suggest is that you change your VPN range to something "out of the ordinary" - I would recommend something like 172.29.131.0/24, for example - the chances of a Hotel using *that* for its guest WiFi are pretty slim.

I recommend adding several ranges to satisfy these conditions. The IP ranges are attempted in a top-down order, so for the IP pool you might set:

10.125.15.0/24

172.20.120.0/24

192.168.200.0/24

Explore more options, and you should find a solution that works for the majority of your clients. Each range is added to the firewall's routing table so there is nothing you need to add to the Virtual Router to get it to work correctly. Give that a shot, and you should be in good shape.

Hope this helps!

Greg Wesson

There is a way, but I found it after posting ofc Smiley Happy

How can IP Overlaps be Prevented with GlobalProtect

As long as you set 2 segments, which can't overlap, you won't have any problems.

I created 2 pools (10.0.0/24 and 172.30.0/24), but it starts to ignore first one! Always assign from second one

Ver 6.0.0

Any ideas?

Thank you!

Recently published 6.0.2 has huge list of fixes, I don't know is Your problem on this list but i could help You in this and other problem. 6.0.0 isn't a good version IMHO.

Regards

SLawek

Did you try to change their order and see if release changes or not ?

Yes, i used different laptops and tried to change the order. Always assigned from 172.30.0/24

today i will upgrade the OS to 6.0.2

we'll see

  • 1 accepted solution
  • 7854 Views
  • 12 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!