I've got a user trying to connect to my PA through a GlobalProtect VPN, and the firewall is giving me the following error message:
GlobalProtect gateway client configuration failed. User name: <xxxx>, error: Assign private IP address failed.
I know the pool for the configured GP gateway is large enough (/24) for her to be assigned an IP out of it - we don't have *that* many concurrent sessions running through the gateway at once - but I can't figure out why it's not assigning a remote IP.
Can anyone shed any light on what may be causing this?
PanOS 4.1.7, GP client 1.1.6, if it's relevant.
That was my first thought - I'm trying to get a remote user to work through running "ipconfig" and get the results. It promises to be a whole new adventure in troubleshooting pain! :-)
I'll update once (if) I get a result.
I managed to get her to run an "ipconfig".
Her local segment is configured thusly:
IP : 10.1.1.4
Router : 10.1.1.1
Mask : 255.0.0.0
Yup, she's got her local router configured to allocate a whole class "A" subnet!
Of course, this overlaps my 10.10.0.0/24 VPN network quite nicely, so I'd guess that's exactly why it's failing.
Thanks for confirming what I thought was the problem.
I've just encountered this problem as well. Is there a way to fix this issue? Apart from changing the IP pool for all users or asking the remote user to change hotel :-)
If the network used by the remote end (hotel) overlaps with either the subnet used for your VPN, or one of the networks you split-tunnel to VPN clients, then Global Protect is unable to create the "virtual" interface used for the VPN, and will fail.
The only thing I can suggest is that you change your VPN range to something "out of the ordinary" - I would recommend something like 172.29.131.0/24, for example - the chances of a Hotel using *that* for its guest WiFi are pretty slim.
I recommend adding several ranges to satisfy these conditions. The IP ranges are attempted in a top-down order, so for the IP pool you might set:
Explore more options, and you should find a solution that works for the majority of your clients. Each range is added to the firewall's routing table so there is nothing you need to add to the Virtual Router to get it to work correctly. Give that a shot, and you should be in good shape.
Hope this helps!
There is a way, but I found it after posting ofc :-)
As long as you set 2 segments, which can't overlap, you won't have any problems.
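Added example (not part of the original thread and not PAN-OS code): a Python check of the overlap condition described in the replies above, using the ipconfig values and the two pool ranges mentioned in the thread. The top-down pool selection is modelled as the replies describe it; the split-tunnel routes and all function names are constructed for illustration.

```python
import ipaddress

# Pool ranges taken from the thread, listed in the order they would be tried.
POOLS = ["10.10.0.0/24", "172.29.131.0/24"]
# Constructed split-tunnel access routes (assumption, not from the thread).
ACCESS_ROUTES = ["10.20.0.0/16", "192.168.50.0/24"]


def local_network(ip, mask):
    """Network the client sits on, from the IP and mask shown by ipconfig."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def conflicts(client_net, networks):
    """Entries of `networks` that overlap the client's local network."""
    nets = (ipaddress.ip_network(n) for n in networks)
    return [n for n in nets if n.overlaps(client_net)]


def pick_pool(client_net, pools):
    """First pool, in top-down order, that does not overlap the client's LAN.

    Returns None when every pool overlaps, which is the situation that
    produces the 'Assign private IP address failed' error in the thread.
    """
    for pool in pools:
        if not ipaddress.ip_network(pool).overlaps(client_net):
            return pool
    return None


if __name__ == "__main__":
    # First entry is the remote user from the thread; the others are constructed.
    clients = [("10.1.1.4", "255.0.0.0"),
               ("192.168.1.20", "255.255.255.0"),
               ("172.29.131.17", "255.255.255.0")]
    for ip, mask in clients:
        net = local_network(ip, mask)
        pool = pick_pool(net, POOLS)
        clash = [str(n) for n in conflicts(net, ACCESS_ROUTES)]
        print(f"{net}: pool={pool} overlapping access routes={clash}")
```

A client whose LAN overlaps an access route can still be assigned an address from a non-overlapping pool, so both lists need checking when choosing ranges.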
The recently published 6.0.2 has a huge list of fixes. I don't know if your problem is on this list, but I could help you with this and other problems. 6.0.0 isn't a good version, IMHO.