GlobalProtect - Windows agent not allowing internal access, but iPhone built-in does?


PAN version 5.0.4, GP client version 1.2.2. 

GlobalProtect is set up with a loopback address on both the portal and gateway, and they share a 3rd party cert.  I can access the portal, and download the client on a Windows machine.  I need to get this up and running as it's replacing my current VPN solution, and this has to be working before I roll over to the PA-500 in production overall.

The trouble I'm having is:

  • If I configure my iPhone with the built-in VPN client, I can connect to the GlobalProtect portal, and can ping an internal LAN server as well as a PC that resides on another subnet in the LAN.  I can use an RDP app and get to the desktop of the internal LAN server.
  • If I install the GP client on my Windows 8 Laptop, it "connects" to the portal.  However, I cannot ping an internal LAN server, the other subnet PC, the internal DNS servers set in the Gateway settings...nothing.

If I do "ipconfig", the PAN Virtual Ethernet Adapter does not have a default gateway listed.

I then tried installing the Windows client on my Windows 7 desktop at home, and the same thing happens.  No access to internal resources.  No default gateway listed on the adapter.

If the iPhone can access the internal network, what's wrong with the Windows machines or the GlobalProtect agent/client deployed to them that they aren't connecting?  Should there be a default gateway listed on the PAN Virtual Ethernet Adapter?

2 REPLIES

L5 Sessionator

Please follow this doc https://live.paloaltonetworks.com/docs/DOC-4917 and collect the logs, once done please look at routeprint.txt and also the PANGPS file to see if there is anything wrong.

Well, I thought I wasn't able to connect to internals with the Windows laptop, but it appears I can.  I only have those two machines internally (the server and the other subnet PC) currently set up to use the PA-500, and the rest run through my current production firewall/router.  When pinging on the iPhone, I pinged those two fine, and RDP'ed fine.  When going on the Windows laptop, I initially tried pinging the internal DNS server, and it didn't work (and it shouldn't since it's not running through the PA-500), and I couldn't remote into the server (because I was remoting by hostname rather than IP, and that hostname wasn't resolving due to no connection to DNS server).  Once I pinged the internal LAN server and other subnet PC (I thought I had, but didn't), it worked.  I then was able to remote into the server by its IP address.

I simply just confused myself with everything I'm setting up!  Thanks for the suggestion though.  I think I'm going to delete this thread due to ignorance :)
