02-24-2017 10:44 AM
Hi,
After I upgraded our PA-3050 to PANOS-8.0, iOS and Android native clients (using IPsec XAuth) don't work anymore. These clients can authenticate successfully and get a valid IP from the gateway IP pool. But after this they can't access anything. There are no traffic logs shown with the VPN IP either.
Anybody using 8.0 can test if IPsec XAuth is functional to see if it's the 8.0 upgrade or something else is wrong with my setup.
Thanks,
Rahman
02-24-2017 12:19 PM
Updating to 8.0 has a huge amount of risk for any production environment. The code is brand new and I would only recommend it in lab devices. If you updated and it broke things, you'll have to report it to support and let them know that it broke something. This kind of thing will most likely go on until 8.0.6.
- Peter
03-20-2017 10:58 PM
Can anybody test if 8.0.1 fixed the issue?
Thanks,
Rahman
06-23-2017 01:16 PM
I would harbor a guess that you will need to update to 8.0.2 if this is fixed in the 8.0 code yet.
06-26-2017 04:56 AM
Some phone models connect and receive an IP-Pool IP but cannot reach the internal resources.
Motorola Moto Z Android 7 -> problem
Motorola Moto G3 Android 6 -> problem
Motorola Moto Maxx Android 6 -> problem
Lenovo Vibe K6 Android 6 -> problem
Samsung Galaxy S7 Android 7 -> OK
Samsung Galaxy S4 Android 5.1 -> OK
iPhone 4 iOS 7 -> OK
Tested with PAN-OS 8.0.2 and 8.0.3.
06-26-2017 07:17 AM - edited 06-26-2017 07:24 AM
Hi,
Is there any useful info in the ikemgr.log file:
> tail lines 100 mp-log ikemgr.log
Did you try to re-create a VPN profile on the affected client mobile phones?
10-21-2017 03:39 AM
I have the same issue. I tried a Huawei P9 with Android 7.0 and a Samsung S7 edge with 7.0; sometimes it works, sometimes not. PAN-OS 8.0.4, 7.1.11, 7.0.12 have the same issue.
10-21-2017 12:32 PM - edited 10-21-2017 12:56 PM
Hi Guys,
We observed this for some users. Seems to be a recurrence of a previous bug.
Double check the auth type is 'Any' not 'any' for the portal config.
Using loopbacks for the portal could be an issue previously; tested on 8.0.5 on a PA-220 just now and it connects fine with a loopback.
In the config, double check the auth type has a capital 'A'.
<global-protect-portal>
  <entry name="external">
    <portal-config>
      <local-address>
        <ip>
          <ipv4>10.10.24.1</ipv4>
        </ip>
        <interface>loopback.1</interface>
      </local-address>
      <client-auth>
        <entry name="local">
          <os>Any</os>
          <authentication-profile>local</authentication-profile>
          <authentication-message>Enter login credentials</authentication-message>
        </entry>
      </client-auth>
      <ssl-tls-service-profile>brookfieldlab</ssl-tls-service-profile>
    </portal-config>
    <client-config>
      <configs>
        <entry name="configGP">
          <gateways>
            <external>
              <list>
Added edit:
Double check the gateway config has a capital A as well. 🙂
> configure
# set global-protect global-protect-gateway <gateway_name> client-auth <client_auth_name> os Any
# commit
best regards,
Rob
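The capitalization check suggested in the reply above can be run over an exported configuration. This is an added example, not part of the original post and not Palo Alto Networks tooling; the sample XML is constructed, the function name is hypothetical, and the gateway XML layout is an assumption inferred from the CLI path shown in the reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): the portal entry is correct,
# the gateway entry carries the lowercase value the reply warns about.
# Assumption: gateway client-auth sits at
# global-protect-gateway/entry/client-auth/entry/os, mirroring the CLI path.
SAMPLE = """<config><global-protect>
  <global-protect-portal>
    <entry name="external"><portal-config><client-auth>
      <entry name="local"><os>Any</os></entry>
    </client-auth></portal-config></entry>
  </global-protect-portal>
  <global-protect-gateway>
    <entry name="gw-example"><client-auth>
      <entry name="local"><os>any</os></entry>
    </client-auth></entry>
  </global-protect-gateway>
</global-protect></config>"""

SECTIONS = ("global-protect-portal", "global-protect-gateway")


def find_miscased_os(xml_text):
    """Return (section, entry, client-auth name, value) for every client-auth
    <os> that spells 'Any' with the wrong capitalization or stray spaces."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in SECTIONS:
        for top in root.iter(section):
            for entry in top.findall("entry"):
                # iter() covers both portal-config/client-auth and a
                # client-auth placed directly under the gateway entry.
                for auth in entry.iter("client-auth"):
                    for ca in auth.findall("entry"):
                        value = ca.findtext("os") or ""
                        # Other OS values (not 'Any' in any casing) are left alone.
                        if value != "Any" and value.strip().lower() == "any":
                            findings.append(
                                (section, entry.get("name"), ca.get("name"), value)
                            )
    return findings


if __name__ == "__main__":
    for section, entry, auth, value in find_miscased_os(SAMPLE):
        print(f"{section}/{entry}/client-auth/{auth}: os={value!r}, expected 'Any'")
```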
10-22-2017 11:34 PM
Hi,
This problem is not related to the old bug that you mention. I have a capital A in the portal/gateway configs and still have the issue.
global-protect-portal {
  GP-Portal {
    portal-config {
      ssl-tls-service-profile web-gui-ssl-profile;
      client-auth {
        "Local&LDAP for Admins" {
          os Any;
          authentication-profile auth-sequence-gp;
          authentication-message "Enter login credentials";
        }
      }
# show global-protect global-protect-gateway GP-EXT-XAuth-RSA
GP-EXT-XAuth-RSA {
  roles {
    default {
      login-lifetime {
        days 30;
      }
      inactivity-logout {
        hours 3;
      }
      disconnect-on-idle {
        minutes 180;
      }
    }
  }
  client-auth {
    admins&standard-users {
      authentication-profile auth-sequence-gp;
      os Any;
      authentication-message "Enter login credentials";
    }
  }
With 8.0.5:
- Stock/stock-like Android 6.0 devices connect to VPN but no traffic passes; all traffic times out on the client side and there is no indication in PANOS logs that client traffic hits PANOS.
- Samsung Android 7 devices connect to VPN but none of the traffic is routed through VPN.
- LineageOS Android 7 device works as expected.
Regards,
Rahman
10-24-2017 01:09 AM
Hi,
We have a case for this issue. TAC found the issue.
Fixed release is not known yet.
https://bugs.libreswan.org/show_bug.cgi?id=251
Regards
01-22-2018 05:53 AM
Hi
We have the same issue.
Regards
01-22-2018 06:09 AM
Is this only phone access on the native client or also for PCs' native access?