GlobalProtect traffic not returning through the same interface.



L2 Linker


On our firewall our main internet connection is coming in via a virtual wire connection that sits between our physical router and our core switch. In addition to this we have a cable modem attached directly to the firewall via L3, which we use for routing outbound guest wifi traffic and for our GlobalProtect portal / gateway.

With assistance from PA tech support the portal is up and the GlobalProtect agent on a test laptop can connect successfully to the firewall via the cable modem interface. The problem is that return traffic isn't being routed back through the VPN tunnel, but is instead being sent out via the path to the default gateway.

Unfortunately due to the virtual wire deployment, I am unable to set up a "Policy Based Forwarding" policy to route the traffic destined for the GlobalProtect subnet back through the proper interface.

Is there any way I can solve this using static routing, or am I forced to set up the main internet connection as L3?

I have a work ticket open on this issue but I thought I would seek guidance and wisdom here as well.


L3 Networker

Can you list your ticket number? I would like to look into it. Based on your description, it sounds like the internet connection will need to be L3, but I'd like to look over all the info.




Personally I hope that isn't the last option because that isn't an option for us right now. Can I just NAT the traffic going from the trust side of the virtual wire and force it back to the GP vpn tunnel?

Aditi who is working with you seems to be on the right track.

The real problem is determining why your switch stack is sending the GP traffic over the vwire, despite the fact that it came in the L3 interface. This might come down to the default route you are using in the GP client config. You might need to set the GP default GW to the PA if it is not already. If it is, you have something downstream sending traffic out the vwire which we are not expecting.



Hmm, so the traffic is going from the proper egress on the firewall to our LAN, but is returning via the virtual wire instead of the L3 interface where it was supposed to go. Instead it's bypassing the firewall and going to our default gateway for the LAN, which would be a physical router.

L2 Linker

This is still an issue and has not seen any progress. My last work ticket summed up with the problem being on the Cisco side of things. I don't know if I can solve this with Policy Based Forwarding or not. If I try that, what IP do I forward the traffic to? Do I set it to the management IP address of the originating Ethernet port, or do I assign an IP address to the tunnel and forward to that?

Is traffic from the L3 interface of the PAN going to the Cisco? If it is, then you might want to try two things and see if that helps.

1. Do not send traffic from the PAN to the Cisco.

2. If the above is not an option, then set up a static route for the traffic coming back for the interface on the PAN so the routing can be correct and then it will not go through the vwire.

Let us know if this helps.
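The static-route suggestion above comes down to longest-prefix matching on the downstream core switch: without a more specific route for the GlobalProtect client pool, the return packets match only the default route and leave via the physical router (and the vwire), bypassing the L3 interface the session entered on. The following is an added illustration, not code from the thread or from Palo Alto Networks; every address, the pool size and the table contents are constructed to model the topology described here, and `return_path` returns which way the switch would send a reply to a GP client.

```python
import ipaddress

# Constructed sample topology (no address here comes from the thread).
GP_POOL = "10.50.0.0/24"   # assumed GlobalProtect client IP pool behind the tunnel
LAN_NET = "10.10.0.0/16"   # assumed internal LAN
PAN_L3_IF = "10.10.0.2"    # assumed PAN L3 interface facing the core switch
ROUTER_GW = "10.10.0.1"    # assumed physical router reached through the vwire


def lookup(table, dst):
    """Longest-prefix match: return the next hop of the most specific
    entry covering dst, or None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, next_hop
    return best_nh


def core_switch_table(with_gp_route):
    """Model of the core switch routing table, with or without the static
    route for the GP pool pointing back at the PAN L3 interface."""
    table = [
        (LAN_NET, "connected"),   # directly attached LAN
        ("0.0.0.0/0", ROUTER_GW), # default route toward the physical router
    ]
    if with_gp_route:
        table.append((GP_POOL, PAN_L3_IF))
    return table


def return_path(with_gp_route, gp_client="10.50.0.23"):
    """Classify where a reply to a GP client egresses from the core switch."""
    next_hop = lookup(core_switch_table(with_gp_route), gp_client)
    if next_hop == ROUTER_GW:
        return "router-via-vwire"   # asymmetric: bypasses the PAN L3 interface
    if next_hop == PAN_L3_IF:
        return "pan-l3-tunnel"      # symmetric: back through the GP gateway
    return next_hop


def paths_symmetric(with_gp_route, gp_client="10.50.0.23"):
    """Forward traffic entered on the PAN L3 interface; the return path is
    symmetric only when the switch hands the reply back to that interface."""
    return return_path(with_gp_route, gp_client) == "pan-l3-tunnel"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"static GP route present={flag}: reply to 10.50.0.23 -> "
              f"{return_path(flag)} (symmetric={paths_symmetric(flag)})")
```

The constructed route is deliberately the exact pool prefix; a route narrower than the pool leaves some clients on the default path, so after adding it, confirm the prefix covers the whole pool configured on the gateway.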


