10-11-2012 03:39 PM
Hi.
I've got a user trying to connect to my PA through a GlobalProtect VPN, and the firewall is giving me the following error message:
GlobalProtect gateway client configuration failed. User name: <xxxx>, error: Assign private IP address failed.
I know the pool for the configured GP gateway is large enough (/24) for her to be assigned an IP out of it - we don't have *that* many concurrent sessions running through the gateway at once - but I can't figure out why it's not assigning a remote IP.
Can anyone shed any light on what may be causing this?
PanOS 4.1.7, GP client 1.1.6, if it's relevant.
Thanks.
10-11-2012 03:43 PM
Darren,
Are the IP pools assigned to the GlobalProtect gateway overlapping the local LAN?
If that is the case, it is recommended to have the IP pool as a completely different subnet than the local LAN (trust network).
Regards
10-11-2012 03:46 PM
Thanks.
That was my first thought - I'm trying to get a remote user to work through running "ipconfig" and get the results. It promises to be a whole new adventure in troubleshooting pain! 🙂
I'll update once (if) I get a result.
10-11-2012 03:55 PM
Oh My.
I managed to get her to run an "ipconfig".
Her local segment is configured thusly:
IP : 10.1.1.4
Router : 10.1.1.1
Mask : 255.0.0.0
Yup, she's got her local router configured to allocate a whole class "A" subnet!
Of course, this overlaps my 10.10.0.0/24 VPN network quite nicely, so I'd guess that's exactly why it's failing.
Thanks for confirming what I thought was the problem.
09-23-2013 04:06 AM
I've just encountered this problem as well. Is there a way to fix this issue, apart from changing the IP pool for all users or asking the remote user to change hotel?
09-23-2013 03:41 PM
santonic wrote:
I've just encountered this problem as well. Is there a way to fix this issue, apart from changing the IP pool for all users or asking the remote user to change hotel?
Unfortunately not.
If the network used by the remote end (hotel) overlaps with either the subnet used for your VPN, or one of the networks you split-tunnel to VPN clients, then Global Protect is unable to create the "virtual" interface used for the VPN, and will fail.
The only thing I can suggest is that you change your VPN range to something "out of the ordinary" - I would recommend something like 172.29.131.0/24, for example - the chances of a Hotel using *that* for its guest WiFi are pretty slim.
09-23-2013 03:56 PM
I recommend adding several ranges to satisfy these conditions. The IP ranges are attempted in a top-down order, so for the IP pool you might set:
10.125.15.0/24
172.20.120.0/24
192.168.200.0/24
Explore more options, and you should find a solution that works for the majority of your clients. Each range is added to the firewall's routing table so there is nothing you need to add to the Virtual Router to get it to work correctly. Give that a shot, and you should be in good shape.
Hope this helps!
Greg Wesson
09-24-2013 01:22 AM
There is a way, but I found it after posting, ofc:
How can IP Overlaps be Prevented with GlobalProtect
As long as you set 2 segments, which can't overlap, you won't have any problems.
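Added example, not part of any post in this thread and not PAN-OS code: a small Python model of the top-down pool selection described above, for checking a proposed pool list against client networks before deploying it. The function names and the list of client LANs are assumptions made for illustration; the addresses in the usage lines are the ones quoted in the thread.

```python
import ipaddress


def pick_pool(client_ip, client_mask, pools, split_tunnel_routes=()):
    """Return the first pool (top-down) that does not overlap the client's
    local network, or None if the tunnel could not be built.

    Models the behaviour described in the thread; it does not query a firewall.
    """
    lan = ipaddress.ip_interface(f"{client_ip}/{client_mask}").network
    # An overlap between the client's LAN and a split-tunnel route also
    # prevents the virtual interface from being created, whatever the pool.
    for route in split_tunnel_routes:
        if ipaddress.ip_network(route).overlaps(lan):
            return None
    for pool in pools:
        if not ipaddress.ip_network(pool).overlaps(lan):
            return pool
    return None


def uncovered_lans(client_lans, pools):
    """Return the client LANs (CIDR strings) for which every pool overlaps."""
    bad = []
    for lan in client_lans:
        net = ipaddress.ip_network(lan)
        if all(ipaddress.ip_network(p).overlaps(net) for p in pools):
            bad.append(lan)
    return bad


if __name__ == "__main__":
    # The failing case from the thread: 10.1.1.4 / 255.0.0.0 vs 10.10.0.0/24.
    print(pick_pool("10.1.1.4", "255.0.0.0", ["10.10.0.0/24"]))
    # The three-pool list suggested in the thread, same client.
    pools = ["10.125.15.0/24", "172.20.120.0/24", "192.168.200.0/24"]
    print(pick_pool("10.1.1.4", "255.0.0.0", pools))
    # Constructed sample of client-side networks to audit the pool list against.
    lans = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.168.1.0/24"]
    print(uncovered_lans(lans, pools))
```

An empty list from uncovered_lans means every sampled client network leaves at least one pool usable; a single-pool configuration such as 10.10.0.0/24 reports 10.0.0.0/8 as uncovered.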
04-25-2014 07:49 AM
I created 2 pools (10.0.0/24 and 172.30.0/24), but it ignores the first one! It always assigns from the second one.
Ver 6.0.0
Any ideas?
Thank you!
04-26-2014 12:35 AM
The recently published 6.0.2 has a huge list of fixes. I don't know if your problem is on this list, but it could help you with this and other problems. 6.0.0 isn't a good version IMHO.
Regards
SLawek
04-26-2014 12:42 AM
Did you try to change their order and see if release changes or not?
04-28-2014 07:05 AM
Yes, I used different laptops and tried to change the order. It always assigned from 172.30.0/24.
04-28-2014 07:06 AM
Today I will upgrade the OS to 6.0.2.
We'll see.