Microsoft always on VPN (Windows 10 clients) through Palo Alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Microsoft always on VPN (Windows 10 clients) through Palo Alto

L1 Bithead

Hi All,

We have several Windows 10 clients (3rd Party but using our infrastructure) that need to transit through our PA-3260 to their home network via MS always on vpn. Unfortunately this does not work, we have a very open "any-any" rule in place for these but still they wont connect.

Does anybody have any pointers on how to get this to work ?.

 

Regards

Scott

 

3 REPLIES 3

L6 Presenter

You to do more troubleshooting as it could be many things split tunneling making the destination sites/domains/applications not going through the VPN, having security zones for the VPN tunnel but using the normal zones not the VPN ones to allow the traffic etc.:

 

 

Create Interfaces and Zones for GlobalProtect (paloaltonetworks.com)

 

Split Tunnel Traffic on GlobalProtect Gateways (paloaltonetworks.com)

 

Optimized Split Tunneling for GlobalProtect (paloaltonetworks.com)

 

 

 

Also you may check that the globalprotect agent is ok by using the PanGPS, PanGPA logs and the globalprotect logs from the Palo Alto Firewall web gui (for RDP VDI traffic to enter the vpn tunnel an option should be enabled on the globalprotect portal config):

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK

 

GlobalProtect Logs (paloaltonetworks.com)

 

LIVEcommunity - Knowledge sharing: Globalprotect troubleshooting/investgation. Split tunnel,Globalpr...

 

 

 

Also if nothing helps check for drops:

 

LIVEcommunity - Knowledge sharing: Palo Alto checking for drops (rejects ,discards), slowness (laten...

 

L1 Bithead

Hi - This has nothing to do with Global Protect, The Windows machines are using Microsoft's built "Always On" vpn transiting through the Palo out to the internet to Microsoft vpn server.

They are going from Trust To Untrust via an any any rule with no security profile, they can get to normal internet services but never connect to their vpn server, however if we bypass the Palo they connect fine.

 

Now I see the full picture and maybe use the IPSEC app in your rule or make separate one as Palo Alto has articles for IPSEC passthrough traffic and by using the Palo alto IPSEC app the session will have specific settings.

 

 

 

Configuring the Palo Alto Networks Device as an IPSec Passthrou... - Knowledge Base - Palo Alto Netw...

 

Processing IPSec pass-through traffic on the Palo Alto Networks... - Knowledge Base - Palo Alto Netw...

 

 

 

 

 

Also check your NAT policy on the Palo Alto if it changes the traffic source, destination as this could affect the Tunnel and if you still have issues check with packet capture, global counters and policy trace(policy trace the security policy to confirm that you are hitting the correct rule or the NAT policy to see that you are not applying NAT) if palo alto is blocking the VPN traffic or dropping as if for example the the VPN headers may add some extra bits and fragmentation to be needed but the do not fragment bit to be set or other stuff like that.

 

LIVEcommunity - Knowledge sharing: Palo Alto checking for drops (rejects ,discards), slowness (laten...

 

 

If you need to NAT the traffic on the palo alto firewall you need to enable nat traversal on the enpoints and see:

 

 

LIVEcommunity - IPSEC Pass Through - LIVEcommunity - 48948 (paloaltonetworks.com) 

 

 

 

Edit:

 

 

Also you did not mention if it is site to site ipsec or remote VPN connection where also SSL VPN could be used and then you need to check if the firewall allows the correct ssl traffic on the correct port and maybe without trying to NAT or decrypt it.

  • 5420 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!