global protect remote vpn unable to reach internal network?

L2 Linker

I'm having a big problem. After my remote VPN connects, I cannot reach my internal network even though my core switch is directly connected to the Palo Alto. I checked: I set the access range for the VPN to 0.0.0.0/0 and I set a security rule from the VPN zone to the inside zone. I can also ping the inside interface on the firewall itself, but not the directly connected core switch. When I check the traffic under Monitor, it all shows "aged out". I even set an IP route for the VPN IP pool pointing to the inside of the firewall, but with no use. I'm at a loss here.


Accepted Solutions
L4 Transporter

@chuckles: The GlobalProtect gateway is tied to the VPN tunnel interface, and so are the routes for the client IP pools.

You can do a traceroute from the switch (or a client behind the switch) to a VPN client, and vice versa.

Then you have a clue where the packets are misrouted.

You will have a transfer network between the PA and your core switch; the transfer-net address of the PA is the next hop for the VPN network from the router's view.

Do you use different virtual routers in your PA?

Best Regards
Chacko

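The accepted answer boils down to checking the route lookup in both directions, because a one-way path is exactly what "aged out" sessions look like: the request reaches the LAN host, but the reply never finds its way back to the tunnel. The following added example is not from the thread or from Palo Alto Networks; it simulates longest-prefix-match route lookups across a constructed lab topology (VPN pool 10.200.0.0/24 on tunnel.1 in a separate virtual router, transfer net 10.1.1.0/24 between the PA and the core switch, LAN 192.168.10.0/24 behind the switch, all hypothetical addresses) and reports the hop at which the reply is misrouted. It generalizes the answer's "different virtual routers" question: when the inside VR has no route for the client pool, the reply follows the default route toward the ISP instead of back into the tunnel.

```python
"""Two-way route-lookup simulator for diagnosing a GlobalProtect reply path.
Constructed topology and addresses; not the poster's configuration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A routing hop: a host, a switch, or one PAN-OS virtual router."""
    name: str
    addresses: set = field(default_factory=set)   # IPs this node owns
    routes: list = field(default_factory=list)    # (prefix, next-hop node name)

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop node name or None."""
        best = None
        for prefix, nxt in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nxt)
        return best[1] if best else None


def trace(nodes, src, dst, max_hops=8):
    """Follow route lookups from node `src` toward IP `dst`.
    Returns (delivered, path); if not delivered, path[-1] is the hop that
    had no route and path[-2] is the hop that misrouted the packet."""
    dst = ipaddress.ip_address(dst)
    here, path = src, [src]
    for _ in range(max_hops):
        node = nodes[here]
        if dst in {ipaddress.ip_address(a) for a in node.addresses}:
            return True, path
        nxt = node.lookup(dst)
        if nxt is None or nxt not in nodes:
            return False, path      # no usable route here: packet dropped
        here = nxt
        path.append(here)
    return False, path              # routing loop or too many hops


def check_session(nodes, client_node, client_ip, server_node, server_ip):
    """Check both directions of one session (e.g. a ping from the VPN client
    to a LAN host). Forward OK but reverse failing is the 'aged out' pattern."""
    fwd_ok, fwd_path = trace(nodes, client_node, server_ip)
    rev_ok, rev_path = trace(nodes, server_node, client_ip)
    return {"forward": (fwd_ok, fwd_path), "reverse": (rev_ok, rev_path)}


def build_topology(pool_route_in_default_vr):
    """Constructed lab: tunnel.1 and the client pool live in VR 'vpn'; the
    inside interface (10.1.1.1 on the transfer net) lives in VR 'default'."""
    pa_default_routes = [
        ("10.1.1.0/24", "core-switch"),       # transfer net toward the switch
        ("192.168.10.0/24", "core-switch"),   # LAN behind the core switch
        ("0.0.0.0/0", "isp"),                 # default route to the Internet
    ]
    if pool_route_in_default_vr:
        # The fix: the inside VR must know the pool is reachable via VR 'vpn'.
        pa_default_routes.append(("10.200.0.0/24", "pa-vr-vpn"))
    return {
        "vpn-client": Node("vpn-client", {"10.200.0.10"},
                           [("0.0.0.0/0", "pa-vr-vpn")]),
        "pa-vr-vpn": Node("pa-vr-vpn", {"10.200.0.1"}, [
            ("10.200.0.0/24", "vpn-client"),   # pool route on tunnel.1
            ("0.0.0.0/0", "pa-vr-default"),    # next-VR route to the inside VR
        ]),
        "pa-vr-default": Node("pa-vr-default", {"10.1.1.1"}, pa_default_routes),
        "core-switch": Node("core-switch", {"10.1.1.2", "192.168.10.1"}, [
            ("192.168.10.0/24", "server"),
            ("0.0.0.0/0", "pa-vr-default"),    # switch default points at the PA
        ]),
        "server": Node("server", {"192.168.10.50"}, [("0.0.0.0/0", "core-switch")]),
        "isp": Node("isp", set(), []),         # no route back into private space
    }


if __name__ == "__main__":
    for fixed in (False, True):
        result = check_session(build_topology(fixed), "vpn-client", "10.200.0.10",
                               "server", "192.168.10.50")
        print("pool route in inside VR:", fixed)
        for direction, (ok, path) in result.items():
            status = "delivered" if ok else f"misrouted at {path[-2]} toward {path[-1]}"
            print(f"  {direction:8s} {' -> '.join(path)}  [{status}]")
```

Running it shows the forward path succeeding in both cases while the reverse path, without the pool route in the inside VR, ends at `pa-vr-default -> isp`; that is the hop where a real traceroute from a host behind the switch would stop answering, and where a missing route or a next-hop on the wrong transfer-net address should be checked.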


All Replies
Cyber Elite

Hello,

It's a routing issue from the sounds of it. In the switch, make sure it has a route to the PAN for the VPN subnet. Also, in the PAN, make sure you have routes for the VPN subnet as well.

Regards,

L2 Linker

The switch can reach the inside interface of the PAN, as the inside network can reach the internet, but I don't understand how I make a route in the PAN for the VPN subnet. The VPN IP pool has no interface, does it? Do you mean giving the tunnel interface an IP address from the same VPN IP pool range and setting a static route for the VPN IP pool through the tunnel IP address?
