Why Did Strict IP Address Check Break this VPN?


L3 Networker

@ms.jzam do you currently have the profiles running on the firewall? If not, they will not show up in the current configuration.

 

Also, if you are pushing from Panorama then they will not show up in the local firewall configuration (sorry I didn't think to mention this before). These configs can be shown on the local firewall; however, they only show as XML (there is no option to change this).

pa-firewall> show config pushed-template

pa-firewall> show config pushed-shared-policy

From the Panorama CLI you can view these as well, but it is more convoluted to get to a specific firewall config.

Panorama> set cli config-output-format set

Panorama# show device-group <pa-firewall>

Panorama# show template <pa-firewall> config network profiles zone-protection-profile

 
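As an added example (not code from the thread or from Palo Alto Networks): a small Python audit script that takes the XML printed by `show config pushed-template`, finds each zone-protection profile, and lists which zones are bound to a profile that has the strict IP address check turned on. The element name `discard-strict-ip-check` and the paths `network/profiles/zone-protection-profile/entry` and `vsys/entry/zone/entry/network/zone-protection-profile` are assumptions about the PAN-OS XML schema, not something the thread states; compare them against your own CLI output before trusting the result. The sample document is constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Panorama-pushed template. Element
# names are assumptions about the PAN-OS schema, not copied from the thread.
# Two profiles: one with the strict check on, one with it off.
SAMPLE_XML = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <profiles>
          <zone-protection-profile>
            <entry name="ZPP-strict">
              <discard-ip-spoof>yes</discard-ip-spoof>
              <discard-strict-ip-check>yes</discard-strict-ip-check>
            </entry>
            <entry name="ZPP-relaxed">
              <discard-ip-spoof>yes</discard-ip-spoof>
              <discard-strict-ip-check>no</discard-strict-ip-check>
            </entry>
          </zone-protection-profile>
        </profiles>
      </network>
      <vsys>
        <entry name="vsys1">
          <zone>
            <entry name="vpn">
              <network><zone-protection-profile>ZPP-strict</zone-protection-profile></network>
            </entry>
            <entry name="trust">
              <network><zone-protection-profile>ZPP-relaxed</zone-protection-profile></network>
            </entry>
            <entry name="untrust"><network/></entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def strict_check_profiles(xml_text):
    """Map zone-protection profile name -> True if the strict IP check is 'yes'.

    A missing element is treated as 'no' (assumed default)."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for entry in root.iterfind(".//network/profiles/zone-protection-profile/entry"):
        flag = entry.findtext("discard-strict-ip-check", default="no")
        profiles[entry.get("name")] = flag.strip().lower() == "yes"
    return profiles


def zone_profile_bindings(xml_text):
    """Map zone name -> bound zone-protection profile name (None if none bound)."""
    root = ET.fromstring(xml_text)
    bindings = {}
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        bindings[zone.get("name")] = zone.findtext("network/zone-protection-profile")
    return bindings


def zones_with_strict_check(xml_text):
    """Sorted list of zones whose bound profile has the strict IP check enabled.

    A zone bound to a profile that is not defined in the document counts as off."""
    profiles = strict_check_profiles(xml_text)
    return sorted(
        zone
        for zone, prof in zone_profile_bindings(xml_text).items()
        if prof is not None and profiles.get(prof, False)
    )


if __name__ == "__main__":
    # Read the pushed-template XML from stdin when piped; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    for name, enabled in sorted(strict_check_profiles(text).items()):
        print(f"profile {name}: strict-ip-check={'on' if enabled else 'off'}")
    for zone in zones_with_strict_check(text):
        print(f"zone {zone} is bound to a profile with strict IP check ON")
```

Save the CLI output to a file and pipe it in (`python3 zpp_audit.py < pushed-template.xml`); run with no input and it reports on the constructed sample. If a zone shows up as bound to a strict profile that you never configured locally, that is the Panorama-pushed configuration the post above describes.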

L2 Linker

@BrianRa  yes it was because of Panorama!  Thanks!

L2 Linker

@jdprovine

 

Anything new on this?

L4 Transporter

@ms.jzam

I am trying to find a maintenance window to test and collect logs and do a packet capture. I am hoping maybe I will get lucky tomorrow morning, though unlike other places I have worked, most users are on the VPN during the work day instead of the off shift, or I would have done it by now LOL :P

L4 Transporter

@ms.jzam

 

Amazing, the VPN started to work again when I deselected Strict IP Address Check.

L2 Linker

OK, that's two confirmations on fixing the issue. I think this deserves to be bumped until we can sniff out a solid understanding of what's happening here.

 

BUMP!

Cyber Elite

@ms.jzam,

I would love to help on this but unfortunately I can't reproduce the issue at all. Unfortunately, the only way you can enable Packet Drop Logging is if your device is in Common Criteria (CCEAL4) mode, which I doubt yours are; that would be something to check out though, because if they are you might get your "why" answer.

L2 Linker

@BPry

 

Happy to provide more detailed configuration for any attempts at duplicating the issue.  What would be needed?

Cyber Elite

The exact ZP settings that you actually had selected at the time you ran into the issue, along with how you actually have the tunnel configured and the IP ranges being used on both sides. Then it would just be how your VPN was actually set up and configured. If you feel more comfortable sending this directly and not posting it on the forum, just let me know and you can email it over to me.

L2 Linker

@BPry I tried to find a DM feature; I don't think there is one. Happy to continue over email.
