Traffic from GlobalProtect stop working after upgrade from 8.1.11

Hi,

I have two PaloAlto 3020 in an active-passive cluster. PanOS 8.1.11 is installed on both. Everything works correctly: internal traffic, traffic from the GP client, VPN tunnels. GP clients connect, send HIPs, Palo receives these HIPs, and traffic is passing through according to the rules.

The problem is that when I updated one cluster node from version 8.1.11 to 8.1.12 (but checked 8.1.13, and 9.0.8 also) and switched the active node to this one, using the newer software, traffic from the GP client is not passing through.
The GP client connects, sends HIPs, Palo receives these HIPs, but GP traffic does not pass. And there are no traffic logs from GP clients.

The update passed without errors and internal traffic works correctly. Everything except GP traffic.
Does anybody have suggestions what could be the problem?

Greetings
Jacek

Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

Hello @Jacek_Loszewski

Check for the user names listed in the logs (compare it with the ones from the working PAN). If the user name (format) is not different, then you need to adjust the authentication profile.


Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

@JoergSchuetter - thank you for your reply. You were right. There is a problem with the format of the user names.
domain: acme.local - UPN: user@acme.local

domain name (pre-win2000) is: Dom, so the sAMAccountName format is: Dom\user

When the active node is the one with the older software, in the HIP log we have the user name in sAMAccountName format - everything is working fine.
When we switch the active node (to the one with the newer software) and make a GP connection, we have something like this: acme.local\user
And that's why traffic is not passing through the policy rules. So, as you say, we need to adjust the authentication profile.

I don't know how yet, but I hope it will work soon.

Greetings

Jacek

Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

Hello @Jacek_Loszewski

I have set the following on my authentication profile (Kerberos):

Realm: ACME.LOCAL (all in capital letters)

User Domain: dom (we have all in lower case, not sure if Dom would also work)

Username Modifier: %USERINPUT%@ACME.LOCAL

Joerg
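
The comparison suggested in this thread (user names in the logs of the working node versus the upgraded node) can be scripted. The following is an added example, not code from any poster or from Palo Alto Networks: it classifies each logged name as `Dom\user`, `acme.local\user` or `user@acme.local` and reports users whose format changed between nodes. The domain names come from the thread; the two name lists are constructed samples standing in for the user column of an exported log.

```python
from collections import defaultdict

# Domain names as given in the thread.
NETBIOS = "dom"            # pre-Windows 2000 domain name
DNS_DOMAIN = "acme.local"  # AD DNS domain / UPN suffix

def classify(name):
    """Return (format, user) for a user name as it appears in a log."""
    name = name.strip().lower()
    if "\\" in name:
        prefix, user = name.split("\\", 1)
        if prefix == NETBIOS:
            return "netbios\\user", user      # sAMAccountName style
        if prefix == DNS_DOMAIN:
            return "dnsdomain\\user", user    # what the upgraded node logged
        return "other\\user", user
    if "@" in name:
        user, _, suffix = name.rpartition("@")
        return ("upn" if suffix == DNS_DOMAIN else "other-upn"), user
    return "bare", name

def format_drift(baseline, candidate):
    """Compare name formats per user between two nodes' logs.

    Returns {user: (baseline_formats, candidate_formats)} for every user
    seen on both nodes whose set of formats differs.
    """
    def index(names):
        seen = defaultdict(set)
        for n in names:
            fmt, user = classify(n)
            seen[user].add(fmt)
        return seen
    old, new = index(baseline), index(candidate)
    return {u: (sorted(old[u]), sorted(new[u]))
            for u in old.keys() & new.keys() if old[u] != new[u]}

# Constructed samples: user column from each node's log.
OLD_NODE = ["Dom\\user", "Dom\\alice"]
NEW_NODE = ["acme.local\\user", "Dom\\alice"]

if __name__ == "__main__":
    for user, (before, after) in sorted(format_drift(OLD_NODE, NEW_NODE).items()):
        print(f"{user}: {before} -> {after}")
```

Any user reported here is a candidate for not matching user- or group-based policy rules on the upgraded node, which is the symptom described above.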
