We're in the process of labbing out and testing a pair of 5020s running PanOS 4.1. We've configured GlobalProtect per the TechNote guide, and other than one issue where we had to add a static route pointing the VPN address space at the VPN tunnel interface, we've been able to successfully VPN in using GlobalProtect (with some caveats, mentioned below). We're using OnDemand mode for testing, because that mirrors the VPN solution we have in place now.
On both Windows and Mac OS X, coaxing the GlobalProtect client to connect seems at a bare minimum to be 'flaky.' In the testing I've done over the weekend, on OS X it seems as though the client successfully establishes a VPN connection (I can even ssh to devices across the VPN), but the little GlobalProtect GUI icon isn't made aware of this fact. This problem sees to manifest itself in Windows as well - the tunnel establishes, but the client isn't told that the GP virtual adapter has come up.
See the screenshot for details - on OS X, the client is stuck in "Connecting..." mode, but the VPN tunnel is definitely up (I can ssh to devices in our lab!), but the client is essentially "stuck" - I can't disconnect or reconnect, all buttons are greyed out. I can go into Terminal.app and kill the GlobalProtect related processes and restart the client (or on the Windows side, restart the PanGPS service), but that's not palatable for our VPN users. We're going to end up with constant support calls with people complaining "this new VPN thing isn't working."
On the 5020s we're running the latest stable PanOS (4.1.something - can't remember what the latest stable update is off the top of my head) and on the client side, GlobalProtect 1.1.4-8. Right now I'm on Mac OS X 10.6.8 (my home laptop), but the problem seems to be reproducible in Windows 7 as well.
This is what the client currently looks like:
I'm clearly connected to the VPN - the terminal window below this screenshot of GlobalProtect's 'Details' tab is a switch that's behind the VPN that I am ssh'ing into
There had been some issues in the past regarding GP Clients but many issue(s) have been resolved in the version of GP client that you are currently running.
Could you please confirm the version of PAN OS you be running?
When you look at the ipconfig (in Windows) or the adapter on the Mac, do you find the correct IP address has been assigned, even if the GP client itself does not show you anything right now?
Here's an example of the exact same scenario as I described in my first post, this time on Windows 7:
(Disconnect does nothing, so the client is essentially "stuck." Only a stop and restart of the PANGPS service fixes this situation, which is unacceptable for us (our users aren't local admins, and this would generate support calls out the wazoo)
This is on a pair of Palo Alto 5020s running PanOS 4.1.6 and GlobalProtect 1.1.4-8
Hello \you may have to open a case with the Support team to allow them to take a look at this. Such issues had been addressed in later versions of PAN OS
Do you also have Single Sign on enabled, perhaps? Please ensure that you have only On Demand OR Single Sign On enabled - not both.
In all the testing I've done, I've made sure that I've only had OnDemand turned on.... SSO is not turned on.
We experience the same behavior here on our side. We're also testing GP VPN solution and at this time it doesn't look like a solution worth the money...
Our OS is on version 4.1.6 and we're using the latest available GP client (v1.1.5-5). The client OS is Win7 64bit.
The main issues we have:
- the GUI is not up to date (when connected it still shows the "Connecting..." for a couple of seconds
- Sometimes the client doesn't receive an IP address from the PA DHCP server. I guess this sometimes happens then the discovery process takes too long... The VPN is connected in the end but no traffic is going through as the PANgp Virtual Network Adapter has an APIPA IP address...
- When we double click on the desktop icon created after setup ("GlobalProtect") nothing happens. At least the GP GUI should be opened in my opinion.
The 2nd issue (GP client doesn't receive an IP address) seems to be solved for us now. I think you need to make sure that only one of the two options is selected in the portal config: select EITHER "On demand" OR "Use single sign-on", not both...
The other two issues are still open. But for the desktop icon we now added a "del %ALLUSERSPROFILE%\Desktop\GlobalProtect.lnk" for WinXP and a "del %PUBLIC%\Desktop\GlobalProtect.lnk" for Win7 clients to the installation script :-)
Yes, i have ono demand selected only, but when trying to connect with GP client nothing hapens. On other customers i have os 4.0 with netconnect and this works great.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!