We have a PA3050 head-end with a satellite PA220 at a remote site. The PAs have been configured for LSVPN and the connection attempt occurs, but does not complete.
The satellite connects to the portal on the head end and the satellite configuration is generated.
The satellite offers its certificate and the head-end validates it successfully.
The satellite attempts to connect to the gateway but then fails. The error in logs is:
"GlobalProtect Satellite connection to portal failed. Satellite failed to connect to Portal x.x.x.x due to "connection failed"."
What I am trying to determine is the full reason for the "connection failed". Why did it fail? I cannot find this exact error anywhere in PaloAlto land, only references to similar errors involving certificates. Is there somewhere else I can find more info on the reasons for this error to be generated? I suspect it has to do with the satellite's inability to validate the headend cert, but it would be nice to know for sure.
There is one thing that may be playing into the situation:
- There is currently an IPSec tunnel and IKE gateway defined for the remote satellite's external IP address. This remote IP is the same one we are trying to bring up on the LSVPN (so we are essentially migrating from standard IPSec VPN to LSVPN). I am disabling the IPSec tunnel and IKE gateway prior to the attempts to connect via LSVPN, but I'm wondering if the IKE gateway config is somehow linking the external IP address of the satellite to the IKE configuration, which of course doesn't match those of the LSVPN and so I'm wondering if the headend is getting confused about where this satellite is trying to connect. Should I totally delete the IPSec tunnel and IKE gateway for this change or should that not be necessary?