VPN clients IPsec vendors

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN clients IPsec vendors

Hi,

 

We realised after upgrading to 7.1.8 when we access to VPN GP using CISCO VPN CLIENT (IPsec) is not working. In previous version was working.

 

This is the error ikemgrlog:

 

 

 

2017-03-30 13:11:52 [PROTO_ERR]: isakmp_inf.c:1362:isakmp_info_recv_d(): delete payload with invalid doi:0.
2017-03-30 13:11:52 [INFO]: isakmp_inf.c:1411:isakmp_info_recv_d(): IKE ISAKMP KEY_DELETE recvd: cookie:3b6f56f729ca40bf:3490ba81070b347c.
2017-03-30 13:11:52 [DEBUG]: isakmp_inf.c:1418:isakmp_info_recv_d(): PH1 state changed: 12 to 14 [PHASE1ST_EXPIRED] @isakmp_info_recv_d
2017-03-30 13:11:52 [DEBUG]: isakmp_inf.c:1473:isakmp_info_recv_d(): purged SAs.
2017-03-30 13:11:52 [INFO]: ikev1.c:2533:log_ph1expired(): ====> PHASE-1 SA LIFETIME EXPIRED <====

 

Any issue using another VPN clients (not GProtect) in 7.1??

1 accepted solution

Accepted Solutions

Hi @Es_tecsupportsecurity,

 

Can you confirm what the 'show' command output is in your case ?

 

 

Did you upgrade from an earlier 7.1 version or did you upgrade from 7.0 ?

 

From the release notes :

 

Fixed an issue on firewalls that were upgraded from a PAN‐OS 7.0 release to a PAN‐OS 7.1 release where GlobalProtect prevented third‐party IPSec (X‐Auth) clients from connecting to the GlobalProtect gateway. With this fix, you can now upgrade from a PAN‐OS 7.0 release to a PAN‐OS 7.1.2 or later release to prevent this issue. If your GlobalProtect firewall is already running a PAN‐OS 7.1.0 or 7.1.1 release, you must downgrade to a PAN‐OS 7.0 release before upgrading to a PAN‐OS 7.1.2 or later release to prevent this issue from occurring after the upgrade.

 

Note that the workaround I posted earlier should work for the issue described in the release notes.

 

If all else fails I'd suggest that you reach out to support so they can do some in depth debugging.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

5 REPLIES 5

Community Team Member

Hi @Es_tecsupportsecurity,

 

 

I've seen this in relation with PAN-OS 7.1 not accepting os = "any"  (lower case)

 

 

 

Verify if Any is upper or lower case in your config :

 

> configure
# show global-protect global-protect-gateway <Gateway Name> client-auth auth-any auth-any {   authentication-profile local;   os Any;   authentication-message "Enter login credentials";

If it is lower case you can fix it by forcing it to an upper case:

 

> configure
# set global-protect global-protect-gateway <Gateway Name> client-auth auth-any os Any
# commit
# exit

If it's already correct then you might want to dig deeper.

 

Hope it helps !

-Kiwi

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

We tried changing to Upper case but it didnt worked. With upper case we can not access with either global protect or CiscoVPN ipsec client,

Hi @Es_tecsupportsecurity,

 

Can you confirm what the 'show' command output is in your case ?

 

 

Did you upgrade from an earlier 7.1 version or did you upgrade from 7.0 ?

 

From the release notes :

 

Fixed an issue on firewalls that were upgraded from a PAN‐OS 7.0 release to a PAN‐OS 7.1 release where GlobalProtect prevented third‐party IPSec (X‐Auth) clients from connecting to the GlobalProtect gateway. With this fix, you can now upgrade from a PAN‐OS 7.0 release to a PAN‐OS 7.1.2 or later release to prevent this issue. If your GlobalProtect firewall is already running a PAN‐OS 7.1.0 or 7.1.1 release, you must downgrade to a PAN‐OS 7.0 release before upgrading to a PAN‐OS 7.1.2 or later release to prevent this issue from occurring after the upgrade.

 

Note that the workaround I posted earlier should work for the issue described in the release notes.

 

If all else fails I'd suggest that you reach out to support so they can do some in depth debugging.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

You were right. We needed to write "Any" with uppercase by CLI. Its not working if you write it on WebUI.

 

I hope PA solves this in new releases. Thaks a lot.

Hi @Es_tecsupportsecurity,

 

That's awesome ! I'm glad it worked out !

 

Cheers !

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1 accepted solution
  • 3532 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!