02-24-2017 10:44 AM
Hi,
After I upgraded our PA-3050 to PANOS-8.0, iOS and Android native clients (using IPsec XAuth) don't work anymore. These clients can authenticate successfully and get a valid IP from the gateway IP pool. But after this they can't access anything. There are no traffic logs shown with the VPN IP either.
Can anybody using 8.0 test whether IPsec XAuth is functional, to see if it's the 8.0 upgrade or something else that is wrong with my setup?
Thanks,
Rahman
01-29-2018 06:49 AM
Hi,
I have found the problem with PAN-TAC. It happens in all PANOS 8.0 versions: the GlobalProtect IPSec Crypto now doesn't support sha256, and all new Android phones from version 6 only use sha256. If you test with Android version 5, it will work fine. I don't know why Palo Alto erased this option.
PAN-TAC told me that they are working on a new feature to introduce sha256 in a new version, maybe in PANOS 8.0.8, but it is not certain.
When you connect an Android on version 6 or later, if you use the show vpn ipsec-sa command, you can see that the negotiation is sha256.
Best Regards
Sergio
01-29-2018 08:33 AM
01-29-2018 11:30 AM
I haven't upgraded to 8 yet; I am just gathering information at this time, but if it breaks the VPN in any way I want to know about it and how to fix it.
01-29-2018 01:51 PM
Hi Guys,
Interesting one, tested again on 8.0.7, no joy for Android 6. iOS devices connect fine with the xauth. Client works best always anyways if the licence.
Have ye tried cert authentication for the Androids on 6.0? Will check tomorrow, but with the cert-based auth/client certs can have SHA-256 if Androids need that.
Might be a workaround to get ye out of the woods.
The GP client connects fine anyways, no licence needed for the GP client on version 8 on Windows or MacBooks, and iOS devices are connecting fine using xauth from a quick check.
best regards,
Rob
01-30-2018 12:12 AM
hi,
There is not a solution yet. PAN-TAC told me that maybe version 8.0.8 will introduce this new feature, or version 9. So my recommendation is: if you don't need any new feature introduced in version 8, don't upgrade.
Regards