GlobalProtect stopped to work after appliance reboot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect stopped to work after appliance reboot

L2 Linker

The GlobalProtect Portal/Gateway had been working perfectly until tonight I have restarted the Palo Alto appliance.

After - I was not able to connect. The portal page - ERR_CONNECTION_TIMED_OUT.

 

I tryied to load older configs, I have even reinstalled the software version (8.0.13). No luck.

 

I the Session Browser I do not see anything that looks like any traffic to the GP.

 

It's 3AM and I feel quite helpless...

 

1 accepted solution

Accepted Solutions

L2 Linker

So, the problem has been resolved or... worked around.

We have both GlobalProtect VPN and IPSec VPN running on loopback interfaces.

Both of them do not work after PaloAlto reboot.

It seems that PaloAlto is not refreshing the ARPs on the switch connecting it to the "World".

 

Solution:

ssh to PaloAlto and:

 

test arp gratuitous ip loopbak_IP interface ethernet1/3
test vpn ike-sa gateway IKE_Gateway_Name
 
The first command refreshes the GlobalProtect ARP, the second - the IPSec ARP.
Seems like a bug to me... I don't think we should do this every time we restart the appliance...
 
 

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Can you ping the IP of GP from external?

What you see in traffic logs?

MP

Help the community: Like helpful comments and mark solutions.

No, I can't ping it from the Internet.

But I can ping it from the external PaloAlto interface,

In the GUI, in the Traffic log there is nothing.

L2 Linker

So, the problem has been resolved or... worked around.

We have both GlobalProtect VPN and IPSec VPN running on loopback interfaces.

Both of them do not work after PaloAlto reboot.

It seems that PaloAlto is not refreshing the ARPs on the switch connecting it to the "World".

 

Solution:

ssh to PaloAlto and:

 

test arp gratuitous ip loopbak_IP interface ethernet1/3
test vpn ike-sa gateway IKE_Gateway_Name
 
The first command refreshes the GlobalProtect ARP, the second - the IPSec ARP.
Seems like a bug to me... I don't think we should do this every time we restart the appliance...
 
 

Many Thanks for letting us know.

Great you find the fix and make it working.

 

Helps other to learn.

MP

Help the community: Like helpful comments and mark solutions.


@Filip_Fronczak wrote:

test vpn ike-sa gateway IKE_Gateway_Name


This command actually is to create/build/connect IPSec Phase 1 to the specified gateway. The ARP refresh is only a side effect, that could be done also with your first command with the apropriate values.

 

But your right, this shouldn't be required after a reboot - and in my case also isn't required. I also use loopback interfaces and reboots/failovers work without problems. What PAN-OS version do currently use and what is your setup with the IPs on the loopbacks? Do you use single addresses in the network that is also configured on your physical interface?

So does it mean for interstesting traffic to initate  which is phase 2 we use the  test ipsec  instead of ike?

Also arp here was used to build the phase 1 connection?

can we also use arp for phase 2?

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 8187 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!