12-30-2020 05:37 PM
I am trying to route traffic out our new PA-820. Internet Access seems to be working as designed with URL filtering applied for our End Users.
The issue is with our Webex Video Units (Room Kit Plus) that register to the Webex Cloud. Once I redirect the traffic from our Cisco ASA to the Palo Alto device, the Video Endpoints will not register with the Webex Cloud. They show "offline" in the Webex Control Hub.
I have created a separate Universal Security Policy for the Webex Room Kit based on the Source IP to allow to: "any" Address, "any" Application, "any" Service, "none" Profile. I can see it hit the Security Policy. However, it will not register.
On the Palo:
1. I have disabled SIP ALG.
2. I have created a NAT rule Static IP Translation with bi-directional enabled
On our ASA, I don't have any specific rules to allow our Cisco Video Endpoints to register. Once I redirect the internet traffic back through the ASA the Webex Room Kit Plus registers.
Any assistance would be appreciated.
01-04-2021 11:52 AM
Hello,
Make sure you have the logging enabled for the policies to log at session end so they show up in the logs. Then check the logs for issues. Also, can any traffic pass through the PAN to the internet? On a hunch, for me it seems like a NAT issue, either not configured or incorrectly configured? Also check the default router for proper routing.
Regards,
01-10-2021 02:42 PM
Thank you for the response. This was not a NAT issue. It ended up being the Application that was applied to the Security Rule for outbound traffic to the Internet for the Cisco Video Endpoints. I had it filtered on "webex" only. Looks like the Cisco Video Endpoints also needed "cisco-spark" when registering to Cisco's Cloud. Once I added this element to the Application Group it worked as designed.
Palo Alto may want to consider adding "webex-audio-video" to the Webex Application Object since Cisco Spark is no longer used as a naming convention at Cisco.
Thanks!
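Added example, not part of the original thread: one way to spot an application missing from a rule's Application Group is to list the App-IDs an endpoint's sessions were identified as, then keep the ones that were blocked and are not in the group. The log columns, IP addresses and rule names below are constructed for illustration and are not a real PAN-OS export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: simplified traffic-log rows (assumed column names).
SAMPLE_LOG = """\
src,dst,dport,app,action,rule
10.1.20.15,203.0.113.10,443,webex,allow,Video-Endpoints-Out
10.1.20.15,203.0.113.22,443,cisco-spark,deny,interzone-default
10.1.20.15,203.0.113.22,443,cisco-spark,deny,interzone-default
10.1.30.7,198.51.100.5,443,web-browsing,allow,Users-Out
10.1.20.15,203.0.113.10,5004,webex,allow,Video-Endpoints-Out
10.1.20.15,203.0.113.31,443,cisco-spark,reset-both,interzone-default
"""


def missing_apps(log_text, endpoint_ip, allowed_apps):
    """Return [(app, blocked_sessions, [rules])] for App-IDs that the endpoint
    used, that were not allowed, and that are absent from the application group."""
    hits = defaultdict(lambda: {"count": 0, "rules": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != endpoint_ip:
            continue  # only sessions from the endpoint under investigation
        if row["action"] == "allow":
            continue  # permitted sessions are not the problem
        if row["app"] in allowed_apps:
            continue  # blocked for a reason other than the app filter
        hits[row["app"]]["count"] += 1
        hits[row["app"]]["rules"].add(row["rule"])
    return sorted(
        (app, info["count"], sorted(info["rules"])) for app, info in hits.items()
    )


if __name__ == "__main__":
    # The group from the thread before the fix: "webex" only.
    for app, count, rules in missing_apps(SAMPLE_LOG, "10.1.20.15", {"webex"}):
        print(f"{app}: {count} blocked session(s), matched rule(s): {', '.join(rules)}")
```

Blocked sessions that land on a catch-all rule instead of the endpoint's own rule indicate the application filter, not NAT or routing, is what stopped them.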