This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Issue With GlobalProtect VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issue With GlobalProtect VPN

Go to solution
Farzana
L4 Transporter

‎08-15-2016 10:08 PM

Hi,

 

Can someone please point me at the right direction?

 

2 PA-500 devices are in active-passive configuration. When connected via global connect, getting IP address in the correct range but cannot reach any internal address and trace route does not proceed beyond the first hop of the gateway on the Firewall.

 

However, from a PC behind the firewall on the network, we can ping the GlobalProtect PC connected over the internet.

 

Thanks in advance

Farzana

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Farzana
L4 Transporter

‎08-23-2016 04:13 PM

Hello All,

 

Thank you for taking your time out and replying. I had to log a support call for this and TAC engineer solved the issue.

 

From the Traffic monitor logs, we ran show session id. It showed the session was using pbf rule: No_PBF_rule which had 'Enforce Symmetric Return' ticked. Once it was disabled, issue was fixed.

 

Thanks

Farzana

View solution in original post

0 Likes Likes
9 REPLIES 9

Go to solution
reaper
Cyber Elite
Cyber Elite

‎08-16-2016 02:37 AM

Hi Farzana

 

are you seeing any packets being blocked in the traffic log? Did you make sure to create a security policy that will allow sessions from the GP gateway zone (the zone attached to the interface the GP clients connect to) to the trusted zone?

 

in the GP gateway settings, did you happen to set an access route? if so, can you verify the subnet is accurate ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
Farzana
L4 Transporter
In response to reaper

‎08-16-2016 05:03 PM

Hello Reaper,

 

Thank you for taking your time out and replying.

In the traffic log, I can see packets sent=packets received...only season end reason showing aged-out.

Security policy is allowed from LAN (interface tunnel1) to LAN (interface Eth1/4).

GP gateway settings has access route setup.

 

Configs | User/User group | OS | IP pool |                         Access Route

--------    -------------------    ---    --------                            ----------------

Default        Any                    Any  10.20.30.0/24             192.168.1.0/24

                                                                                              192.168.2.0/24

                                                                                              192.168.10.0/24

                                                                                              192.168.100.0/24

                                                                                              192.168.101.0/24

0 Likes Likes

Go to solution
Farzana
L4 Transporter
In response to Farzana

‎08-16-2016 09:00 PM

routingtable.jpgforwardingtable.jpg

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to Farzana

‎08-17-2016 02:29 AM

Hi Farzana

 

session end reason aged-out means the session came to a natural end, which means it went as expected

 

did you create a security policy from LAN to LAN zone ? (i would recommend changing the zone of the GP tunnel interface so you have more control over what goes in and out of the tunnel)

Due to both interfaces being in the same zone, you may be missing some logs

 

did you make sure the GP Client Network settings contain the appropriate access routes to reach all of your subnets (or is left empty for a 0.0.0.0/0 default route into the tunnel)

2016-08-17_11-27-50.jpg

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
KotreshaMC
L3 Networker
In response to reaper

‎08-17-2016 05:50 AM

Hi Reaper,

 

i don't think aged-out is the naturall way of seeion end,

  • Aged out - Occurs when a session closes due to aging out 

I'm sorry if i'm worng,

Kotresha
ACE
0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to KotreshaMC

‎08-17-2016 06:21 AM

hi

 

you are right! i wanted to argue that the session end would be 'unknown' but aged-out works just as well for a half open session

 

so please disregard that comment until you have verified the bytes sent and bytes received 

if both are populated with plenty of bytes, the aged-out simply means both sides stopped sending packets without forcibly terminating the session by FIN or RST, if you see bytes sent but none received, there is likely a problem with returning packets (routing, NAT, ...)

 

sorry for the confusion

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
aceandy79
L2 Linker
In response to reaper

‎08-23-2016 01:12 AM

Was going to say something similar. Does your internal network have a route for 10.20.30.0/24 for the returning packets?

0 Likes Likes

Go to solution
Farzana
L4 Transporter

‎08-23-2016 04:13 PM

Hello All,

 

Thank you for taking your time out and replying. I had to log a support call for this and TAC engineer solved the issue.

 

From the Traffic monitor logs, we ran show session id. It showed the session was using pbf rule: No_PBF_rule which had 'Enforce Symmetric Return' ticked. Once it was disabled, issue was fixed.

 

Thanks

Farzana

0 Likes Likes

Go to solution
pulukas
L7 Applicator
In response to Farzana

‎08-27-2016 05:22 AM

This is a fine temporary solution.  But this solution is showing you that the previous comments about asymmetrical routing in your network here are correct.

 

The best permanent solution is to identify how to get the return traffic from these internal hosts to use the same path that the outbound traffic from the vpn hosts are using to reach those hosts.  As noted above this is likely a missing route somewhere.

 

Or it could be the need to create a routed link into the internal zone instead of connecting multiple routers to the same subnet.

 

PA firewalls can best protect against threats only when they see the full flow of the traffic both inbound and outbound in a symetrical routing setup.  This is why the default behavior is the block asymmetrical flows to help you see that this path is not optimal and can allow some threats to go undetected.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 5734 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks