11-14-2024 02:17 AM
Hi all,
So, a weird issue.
I have a PA-1410 with multiple VPNs, all working, happy days.
I have one client with a Linux software-based FW (can't recall the FW vendor).
We are using the same IKE/IPsec settings on both ends; all is good.
If I initiate the VPN (test vpn ike-sa gateway xxxx) from the Palo side, the VPN comes up and all is working.
However, if the client initiates phase 1, nothing happens.
Palo FW packet capture shows their IKE being dropped on the Palo for some reason and I cannot figure out why. Nothing in the logs either, with session start enabled on my deny rules for troubleshooting this issue.
In ikemgr.log I also see nothing.
I have tried setting my IKE gateway in passive mode but no luck also.
Any ideas?
Thanks in adv
11-14-2024 11:07 AM
Hello, I have found out that the Linux GP client has issues with it at times. I have suggested having the Linux users use "OpenConnect", which is free downloadable software. Below is the way that we have the users log into the VPN on it, and it seems to work without any issues.
Just need to see which way works for you on it.
sudo apt install globalprotect-openconnect
sudo openconnect --protocol=gp -u username@<Domain Info> vpn.*.*/gateway
or
sudo openconnect --protocol=gp -u username vpn.*.*/gateway
11-14-2024 10:24 PM
Hello @PA_nts
I suggest you run flow basic debugging: https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-flow-basic-debugging/ta-p/5459...
11-14-2024 10:39 PM
In the packet capture, if you see the packets being captured at the drop stage, you can see the drop reasons using global counters. Refer to the KBs below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXOCA0
11-15-2024 12:47 AM
Thanks for the feedback.. issue fixed.
Did the global filters and found the following drop reason...
flow_policy_nat_land 1 0 drop flow session Session setup: source NAT IP allocation result in LAND attack
Then looked at my NAT rules and found my DNAT to be misconfigured.. ouch 🙂
It had src zone set to 'any' with source net 'any' to dst zone 'untrust' and hide NAT behind the egress interface IP.
Changed the sources from 'any' to stipulate my internal network zones and networks, did a commit, and issue solved.
Cheers all!
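To show why the overly broad hide-NAT rule in the solution post produces the flow_policy_nat_land drop for the peer's inbound IKE, here is an added Python model of NAT rule matching. It is not PAN-OS code and not from any poster; the addresses, zone names and rule names are constructed, and it assumes (as a simplification) that first match wins and that a packet addressed to a firewall interface takes that interface's zone as its destination zone.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed addresses for the model (placeholders, not from the thread).
FW_UNTRUST_IP = IPv4Address("203.0.113.10")  # firewall's own untrust interface IP
PEER_IKE_IP = IPv4Address("198.51.100.7")    # remote VPN peer's public IP

@dataclass
class NatRule:
    """Source (hide) NAT rule translating to the egress interface IP."""
    name: str
    src_zones: set             # {"any"} matches every zone
    src_nets: list             # [] matches every source address
    dst_zone: str
    translate_to: IPv4Address  # egress interface address used for hide NAT

    def matches(self, src_zone, src_ip, dst_zone):
        zone_ok = "any" in self.src_zones or src_zone in self.src_zones
        net_ok = not self.src_nets or any(src_ip in n for n in self.src_nets)
        return zone_ok and net_ok and dst_zone == self.dst_zone

def evaluate(rules, src_zone, src_ip, dst_zone, dst_ip):
    """First matching rule wins. If its source translation would make
    source == destination, session setup is refused (the thread's
    flow_policy_nat_land counter). Returns (verdict, new_source_or_reason)."""
    for rule in rules:
        if rule.matches(src_zone, src_ip, dst_zone):
            if rule.translate_to == dst_ip:
                return "drop", f"flow_policy_nat_land ({rule.name})"
            return "allow", str(rule.translate_to)
    return "allow", str(src_ip)  # no NAT rule matched, source unchanged

# The misconfigured rule from the thread: any zone / any source -> untrust.
BROAD = NatRule("hide-nat-broad", {"any"}, [], "untrust", FW_UNTRUST_IP)
# The corrected rule: only internal zones and networks are hidden.
FIXED = NatRule("hide-nat-fixed", {"trust"}, [IPv4Network("10.0.0.0/8")],
                "untrust", FW_UNTRUST_IP)

def inbound_ike(rules):
    # Peer's IKE packet arrives on untrust, addressed to the firewall's own
    # untrust IP, so its destination zone is also untrust (model assumption).
    return evaluate(rules, "untrust", PEER_IKE_IP, "untrust", FW_UNTRUST_IP)

def outbound_client(rules):
    # A LAN host reaching the internet must still be hidden behind the egress IP.
    return evaluate(rules, "trust", IPv4Address("10.1.1.5"), "untrust",
                    IPv4Address("192.0.2.1"))

if __name__ == "__main__":
    for label, rules in (("broad", [BROAD]), ("fixed", [FIXED])):
        print(label, "inbound IKE:", inbound_ike(rules), "outbound:", outbound_client(rules))
```

With the broad rule the peer's own IKE packet is rewritten to come from the firewall's untrust IP, which is also its destination, hence the LAND drop; the tightened rule leaves inbound traffic untouched while still hiding LAN hosts on the way out.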