10-27-2018 07:11 PM
The GlobalProtect Portal/Gateway had been working perfectly until tonight, when I restarted the Palo Alto appliance.
Afterwards I was not able to connect. The portal page shows ERR_CONNECTION_TIMED_OUT.
I tried loading older configs; I even reinstalled the software version (8.0.13). No luck.
In the Session Browser I do not see anything that looks like traffic to the GP.
It's 3AM and I feel quite helpless...
10-27-2018 09:08 PM
Can you ping the IP of GP from external?
What do you see in the traffic logs?
10-28-2018 02:49 AM
No, I can't ping it from the Internet.
But I can ping it from the external PaloAlto interface.
In the GUI, in the Traffic log there is nothing.
10-28-2018 07:27 AM
So, the problem has been resolved or... worked around.
We have both GlobalProtect VPN and IPSec VPN running on loopback interfaces.
Both of them do not work after PaloAlto reboot.
It seems that PaloAlto is not refreshing the ARPs on the switch connecting it to the "World".
Solution:
ssh to PaloAlto and:
10-28-2018 07:49 AM
Many thanks for letting us know.
Great that you found the fix and got it working.
It helps others learn.
10-28-2018 11:00 AM - edited 10-28-2018 12:33 PM
@Filip_Fronczak wrote:
> test vpn ike-sa gateway IKE_Gateway_Name
This command is actually for creating/building/connecting IPSec Phase 1 to the specified gateway. The ARP refresh is only a side effect, which could also be done with your first command with the appropriate values.
But you're right, this shouldn't be required after a reboot - and in my case it also isn't required. I also use loopback interfaces, and reboots/failovers work without problems. What PAN-OS version do you currently use, and what is your setup with the IPs on the loopbacks? Do you use single addresses in the network that is also configured on your physical interface?
10-28-2018 03:03 PM
So does it mean that for interesting traffic to initiate, which is phase 2, we use the test ipsec instead of ike?
Also, arp here was used to build the phase 1 connection?
Can we also use arp for phase 2?