- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-15-2017 09:16 AM
I recently upgraded my PA 5050 to 7.1.9. Before that users could connect to the VPN could connect via their native VPN client on their android phones and today I got a call saying one user no longer could and it was failing on the encryption. Any ideas?
06-16-2017 08:50 AM
Here it the resolution from the TAC case
We found errors for the invalid proposal from the client and it was due to changes in Global Protect fields post the upgrade of PAN OS 7.1 (Bug 94883)
>> Checked the configuration on the firewall for the Global Protect and found OS field contain value "any" instead of "Any" was the root cause of connectivity issue using the Native Client.
> configure
# set global-protect global-protect-gateway <gateway_name> client-auth <client_auth_name> os Any
# commit
>> Post the above changes for the OS field the native clients were able to connect to the Global Protect Gateway and we have verified the connectivity
06-15-2017 09:34 AM
My initial reaction would be to verify that your x-auth setting didn't get reset to default and verify that they are using the proper group name and group password. It could be that the x-auth setting got modified back to it's default state or that their phone is simply misconfigured, since it specifically failed on encryption I would really be looking at verifying that the group name/password match what is actually on the firewall.
06-15-2017 09:37 AM
I checked and x-auth is enabled
If it had changed wouldn't it have affected pc native clients too
06-15-2017 09:38 AM
What about skip x-auth on ike rekey would that cause it to fail? and would it cause it to fail on pc native clients and phone clients
06-15-2017 09:41 AM
If you are utilizing the PC's native client then yes. At that point I'm guessing it's something on the users phone if you have native clients connecting elsewhere; I would ask them to clear everything out and follow your setup instructions again, they could have inavertably modified something without realizing it. Another question to ask with an native client is if there device has updated recently, the OEM could have changed something on there end that the PA doesn't like.
06-15-2017 09:44 AM
Thing is its a not a regular user but a networking guy LOL. So it probably doesn't have anything to do with the upgrade to the new OS of 7.1.9 on the PA
06-15-2017 09:50 AM
I would say with 98% certainty that this has nothing to do with the update to 7.1.9 if you are having clients utilizing native clients currently without any issue.
06-15-2017 09:51 AM
Yes that was my thoughts as well since the release notes never mentioned any changed to the GP
06-15-2017 10:40 AM
@jdprovine wrote:I checked and x-auth is enabled
If it had changed wouldn't it have affected pc native clients too
Off topic: what OS do the computers have where you are using the native client?
06-15-2017 11:23 AM
I'm really interessted in the OS, just because with windows 10 I was not able to configure it. And the reason after a little troubleshooting was that paloalto does not support strong enough ciphers for windows 10.
06-15-2017 11:27 AM
so far I have tried it only on windows 8, I know you cannot configure the native client on windows 10 to work with the PA VPN, I am also going to test on a mac. I was also able to connect with the cisco vpn client and no longer can
06-15-2017 12:26 PM
would the tls version have anything to do with it
06-15-2017 12:29 PM
I don't think so because the native iOS / Android VPN clients do not connect with an SSL VPN tunnel. They use a plain ipsec vpn connection
06-15-2017 12:40 PM
so could it be a encryption issue something with isakmp
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!