We are facing GlobalProtect issue when we migrate from PA-3020 to PA-460. All the Configuration has been replicated. Users are able to connect to the Global Protect without any issues. Also users are able to connect to the local network without any issues. But when they connect to other sites which involves routing they are facing issues.
I dont see any routes missing and VR has been attached to the tunnel interface, compared the old firewall config and dont see any difference at all. When checked the logs i can see the traffic is leaving the firewall. I migrated around 4 sites i never faced this issue before but this firewall has this issue. Not really sure i am missing anything at all. Any thoughts on this? Or any specific troubleshooting steps you suggest, i mean any specific logs you suggest me to capture?
Hi @Sanjay_Ramaiah ,
PA-3020 latest supported version is 9.1, while PA-460 support only 10.1 and above.
Based on this first first shot in the dark would be possible miss-configuration during firewall config migration.
How did you perform PA-460 config preparation? Did you manually configure PA-460 while looking at the old PA-3020? Have you used any tool or Panorama?
I don't expect the problem to be specific for PA-460 device, but I would first start troubleshooting the network configuration. It is really hard to troubleshoot without knowing details for your environment. You can start with:
- Does your GP user IP pool used on PA-460 exactly the same as it was on PA-3020? If it is different, can you confirm it is routed and allowed everywhere the same ways the old GP pool on PA-3020
- Are you using GP full tunnel or split tunnel? If you are using split tunnel, do you see route for the problematic network on client machine when connected to GP?
- If you run traceroute from GP client to the problematic destination where is the last hop? Try to run traceroute from FW using GP tunnel interface as source, does it follow the same path as the one from GP client? What about if you run traceroute from FW, but using the inside interface as source, any difference with the other two?
Also check the logs and make sure the traffic is being forwarded out the correct interface. Then check the other side and check the same thing. I agree with @Astardzhiev that something probably didnt copy over correctly. I have seen this in the past as well. Just triple check everything and if everything looks correct, try a reboot.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!