This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Client successfully connects and get's IP but is unable to communicate to remote machine

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Client successfully connects and get's IP but is unable to communicate to remote machine

rmcrae
L2 Linker

‎05-03-2021 03:55 PM

I managed to get GP VPN setup on my PA220 and get a Windows workstation to connect to it.  It gets assigned one of the IP addresses reserved for VPN clients.  When I attempt to connect RDP to a remote machines from this VPN client it fails.  The VPN client is x.x.x.195 and the target machine is x.x.x.18 in the same subnet.  When I check the monitor logs I can see incoming traffic from the .195 address but nothing coming back from the .18.  I started a WireShark trace on the network and I can see that the traffic is reaching the .18 address but the .18 address is not able to return to .195 because it is failing to ARP for .195.

 

What have I done wrong?

PA220 running PanOS 10.x

Windows 10 with latest 64bit  GP Client

0 Likes Likes
8 REPLIES 8

laurence64
L4 Transporter

‎05-05-2021 02:11 AM

Hi

 

Could you tell me where your VPN tunnel lands? does it terminate in the same zone as the RDP target ?

I have always found that it is a lot easier (as well as being best practice) to terminate your GP tunnel in a separate zone and then create the rules to and from that zone to your inside or DMZ.

I would say that a starting point would be to check the following

 

Zones that the Tunnel Terminates in (which Virtual Router is it using) 

Rules between the GP tunnel and the Zone that is hosting your RDP Target,

Then do a packet capture on the interface facing the RDP Target.

 

PCCSA PCNSA PCNSE PCSAE
0 Likes Likes

MP18
Cyber Elite
Cyber Elite

‎05-10-2021 04:55 PM

@laurence64 

 

Need to confirm why you configure VPN client IP pool and remote PC with same subnet?

Normally VPN pool IP is on different subnet then target PC subnet.

 

Please confirm this

MP
0 Likes Likes

rmcrae
L2 Linker

‎05-10-2021 04:59 PM

I've updated the config so the VPN addresses are in their own L3 subnet and zone.  I'm also fairly sure I updated the VR to make sure it had a route between the two as well as the security policy and PBF.  I opened a support case with tech support to figure this out.

0 Likes Likes

MP18
Cyber Elite
Cyber Elite
In response to rmcrae

‎05-10-2021 05:02 PM

@rmcrae 

 

Thanks for updating us.

Keep us posted what Tech figures out.

Also on PC where you are trying to RDP should have RDP enabled.

 

Regards

MP
0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks