We enabled a week ago the feature enforce network access on our environment.
We are using internal host resolution to detect if user is inside or outside corporate network.
In a random way, we're experiencing issue with users worldwide. We have a dns server at each location
This issue seems to be present only when the user is connected from inside (wifi and wired)
Let me give you a quick overview :
User is connected to wifi or wired.
The client is not detecting as "internal" the network and then it enforces network policy to prevent access if your vpn is not mounted.
We cannot establish vpn from inside network to external gateway (by design and it would not acceptable)
At this time, even if the client is connected to inside, all flow are blocked (due to enforcement, I see it in pangps log) because the tunnel is not established and client not detecting network as internal.
The client has an ip, can successfuly resolve the ptr record that we use in internal check detection but for unknown reason, the issue is still there.
Any clue would be appreciated.
Assuming that you aren't using On-Demand as your connection method correct?
The first few things that I would look at is if the reverse DNS lookup is succeeding in the PanGPS logs, whether the internal host detection hostname matches exactly what has been configured, and if ICMP is allowed to that host.
Thank for your reply.
The fqdn/ip configured is exactly the same as what we've configured centrally.
This is not a global issue as not all users are impacted. It's happening at any time, I haven't find the trigger yet but keep analyzing at this time.
May I ask you why the icmp fact is important ? I thought the process was only relying on dns resolution.
Note : We're running GP 220.127.116.11
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!