03-30-2017 04:17 AM
Hi,
We realised after upgrading to 7.1.8 that access to the GP VPN using the Cisco VPN client (IPsec) is not working. In the previous version it was working.
This is the error from ikemgrlog:
2017-03-30 13:11:52 [PROTO_ERR]: isakmp_inf.c:1362:isakmp_info_recv_d(): delete payload with invalid doi:0.
2017-03-30 13:11:52 [INFO]: isakmp_inf.c:1411:isakmp_info_recv_d(): IKE ISAKMP KEY_DELETE recvd: cookie:3b6f56f729ca40bf:3490ba81070b347c.
2017-03-30 13:11:52 [DEBUG]: isakmp_inf.c:1418:isakmp_info_recv_d(): PH1 state changed: 12 to 14 [PHASE1ST_EXPIRED] @isakmp_info_recv_d
2017-03-30 13:11:52 [DEBUG]: isakmp_inf.c:1473:isakmp_info_recv_d(): purged SAs.
2017-03-30 13:11:52 [INFO]: ikev1.c:2533:log_ph1expired(): ====> PHASE-1 SA LIFETIME EXPIRED <====
Any issues using other VPN clients (not GProtect) in 7.1?
03-30-2017 05:03 AM
I've seen this in relation to PAN-OS 7.1 not accepting os = "any" (lower case).
Verify whether Any is upper or lower case in your config:
> configure
# show global-protect global-protect-gateway <Gateway Name> client-auth auth-any
auth-any {
  authentication-profile local;
  os Any;
  authentication-message "Enter login credentials";
}
If it is lower case you can fix it by forcing it to upper case:
> configure
# set global-protect global-protect-gateway <Gateway Name> client-auth auth-any os Any
# commit
# exit
If it's already correct then you might want to dig deeper.
Hope it helps !
-Kiwi
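Added example, not part of the thread or of any Palo Alto tooling: one way to run the check above over saved configure-mode 'show' output when a gateway has several client-auth entries. It assumes the brace layout shown in the post; the sample text, the entry names other than auth-any, the os value Windows and the gateway name GW1 are constructed for illustration.

```python
import re

# Innermost "name { ... }" blocks, as printed by the configure-mode 'show' command.
BLOCK = re.compile(r'([\w.-]+)\s*\{([^{}]*)\}')
# An "os <value>;" statement inside a block (value optionally quoted).
OS_STMT = re.compile(r'(?:^|[;\s])os\s+"?([^";\s]+)"?\s*;')

def find_bad_os(show_output):
    """Return (entry_name, os_value) for entries whose os is 'any' in the wrong case."""
    bad = []
    for name, body in BLOCK.findall(show_output):
        m = OS_STMT.search(body)
        if m and m.group(1).lower() == "any" and m.group(1) != "Any":
            bad.append((name, m.group(1)))
    return bad

def fix_commands(gateway, show_output):
    """Build the 'set' command from the post for every entry that needs it."""
    gw = f'"{gateway}"' if " " in gateway else gateway  # quote names containing spaces
    return [
        f"set global-protect global-protect-gateway {gw} client-auth {name} os Any"
        for name, _ in find_bad_os(show_output)
    ]

# Constructed sample: one entry with the lower-case value, two that are fine.
SAMPLE = """
auth-any {
  authentication-profile local;
  os any;
  authentication-message "Enter login credentials";
}
auth-win {
  authentication-profile local;
  os Windows;
}
auth-ok {
  os Any;
}
"""

if __name__ == "__main__":
    for cmd in fix_commands("GW1", SAMPLE):
        print(cmd)
```

Paste the printed commands in configure mode, then commit, as in the post above.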
03-30-2017 06:55 AM - edited 03-30-2017 06:59 AM
We tried changing to upper case but it didn't work. With upper case we cannot access with either GlobalProtect or the Cisco VPN IPsec client.
03-30-2017 08:38 AM
Can you confirm what the 'show' command output is in your case?
Did you upgrade from an earlier 7.1 version or did you upgrade from 7.0?
From the release notes:
Fixed an issue on firewalls that were upgraded from a PAN‐OS 7.0 release to a PAN‐OS 7.1 release where GlobalProtect prevented third‐party IPSec (X‐Auth) clients from connecting to the GlobalProtect gateway. With this fix, you can now upgrade from a PAN‐OS 7.0 release to a PAN‐OS 7.1.2 or later release to prevent this issue. If your GlobalProtect firewall is already running a PAN‐OS 7.1.0 or 7.1.1 release, you must downgrade to a PAN‐OS 7.0 release before upgrading to a PAN‐OS 7.1.2 or later release to prevent this issue from occurring after the upgrade.
Note that the workaround I posted earlier should work for the issue described in the release notes.
If all else fails I'd suggest that you reach out to support so they can do some in-depth debugging.
Cheers !
-Kiwi.
03-30-2017 11:40 PM
You were right. We needed to write "Any" with uppercase by CLI. It's not working if you write it on WebUI.
I hope PA solves this in new releases. Thanks a lot.
03-31-2017 12:14 AM
That's awesome ! I'm glad it worked out !
Cheers !
-Kim.