10-30-2015 07:48 PM
I'm troubleshooting a configuration that consists of a Palo Alto 3020 with multiple virtual systems enabled.
Currently configured are:
Internet traffic to the main vsys works, as does regular site-to-site IPSec traffic, which terminates in the SG vsys, but happily routes using the default virtual router to any subnets reachable within the vrouter.
For GlobalProtect, because it needs to terminate on an interface/IP within the vsys, and can't be in the SG, I created a loopback interface in the untrust zone within the main vsys, and also a tunnel interface in the trust zone (for simplicity) within the main vsys.
I created a NAT rule in the SG vsys that destination NATs a second public IP address to the loopback IP within the vsys for UDP/500 and UDP/4500.
I also created a security rule within the vsys allowing the same services to the loopback IP.
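For readers reconstructing the setup described above, here is how the same pieces look in PAN-OS "set" CLI form. This is an added illustration, not the poster's own configuration: the vsys names (vsys1 as the main vsys, vsys2 as the SG vsys), interface names, zone names, the public IP 198.51.100.20, the loopback IP 203.0.113.10 and the tunnel subnet 10.255.0.0/24 are all constructed, and the command syntax is written from memory for the PAN-OS 6.x/7.x CLI, so confirm each line with `?` completion on the firewall before committing. The `#` lines are explanatory only and are not valid CLI input.

```text
# Added illustration, not the poster's configuration. Names and addresses are
# constructed: vsys1 = main vsys, vsys2 = "SG" vsys, 198.51.100.20 = second
# public IP, 203.0.113.10 = loopback IP, 10.255.0.0/24 = GlobalProtect pool.
# PAN-OS "set" syntax written from memory; verify each command with "?".

# Interfaces live in the shared network config and are imported into the main vsys
set network interface loopback units loopback.1 ip 203.0.113.10/32
set network interface tunnel units tunnel.1 ip 10.255.0.1/24
set vsys vsys1 import network interface [ loopback.1 tunnel.1 ]
set vsys vsys1 zone untrust network layer3 loopback.1
set vsys vsys1 zone trust network layer3 tunnel.1

# Service objects for IKE (UDP/500) and NAT-T (UDP/4500); vsys-scoped objects
# must exist in every vsys whose rules reference them
set vsys vsys2 service udp-500 protocol udp port 500
set vsys vsys2 service udp-4500 protocol udp port 4500
set vsys vsys1 service udp-500 protocol udp port 500
set vsys vsys1 service udp-4500 protocol udp port 4500

# SG vsys: destination-NAT the second public IP to the loopback IP.
# A NAT rule takes a single service, so one rule per port.
set vsys vsys2 rulebase nat rules gp-dnat-500 from untrust to untrust source any destination 198.51.100.20 service udp-500 destination-translation translated-address 203.0.113.10
set vsys vsys2 rulebase nat rules gp-dnat-4500 from untrust to untrust source any destination 198.51.100.20 service udp-4500 destination-translation translated-address 203.0.113.10

# Main vsys: permit only the two VPN services to the loopback and log the sessions,
# so nothing else is reachable on that address from the untrust side
set vsys vsys1 rulebase security rules allow-gp-ike from untrust to untrust source any destination 203.0.113.10 application any service [ udp-500 udp-4500 ] action allow log-end yes
```

Once committed, the two checks that map directly onto the symptom in this thread are `show session all filter destination 203.0.113.10`, which confirms the NATed IKE/NAT-T sessions are being created in the main vsys, and `test routing fib-lookup virtual-router default ip 10.255.0.5` (any address from the client pool), which confirms the default virtual router sends return traffic for the pool back to tunnel.1 rather than out an untrust interface.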
The problem I'm having is that VPN clients authenticate and connect; however, they can't pass any traffic successfully.
I'm testing using a simple ping from the VPN client to a switch behind the firewall.
After having done extensive captures from both ends and troubleshooting, I have verified the following:
This shouldn't be a complicated setup; I have the exact same setup running on a firewall without multiple virtual systems enabled, and it works just fine, including being able to ping the same VPN client.
It just seems as though once the return traffic hits the tunnel interface, it either doesn't make it back to the loopback, or the loopback can't encapsulate and send back to the SG zone and out.
If anyone has any tips on troubleshooting this or something simple I might be overlooking, much appreciated.
10-30-2015 09:13 PM
Actually, looks like this may be related to 6.1.7 known issue 69458.