01-22-2023 10:46 PM
We are migrating from Cisco AnyConnect to GlobalProtect. From our Cisco AnyConnect, all SAP applications from Juniper Pulse VPN are working. However, when we connect on GlobalProtect, all SAP applications are working except https://sap-portal.juniper.net. The policies are allowed correctly and all routes are correct; split tunnels and NAT are also set correctly.
We checked the monitor and verified that the routes are correct. It's just weird that that specific route is not seen by our PA.
Have you encountered this issue? Any suggestions would be greatly appreciated.
01-23-2023 03:24 PM
Hello @weezy
When you connect by GP, does the DNS that it assigns you resolve the address of that URL?
If you do an nslookup and query that FQDN, does it resolve?
Thinking about the DNS that you have assigned for GP clients to use.
Regards
01-23-2023 04:10 PM
Yes, it resolves the address of that URL when I do an nslookup. So just to give you some background: our users from the KUL site are using Pulse Secure VPN and Cisco AnyConnect simultaneously, and on AnyConnect they can access all the SAP portals. Since we are migrating from AnyConnect to GP, we tried to have them connect on GP and access all the SAP apps, and everything works except https://sap-portal.juniper.net. The routes are correct, policies are allowed, and split tunnel permits the 10/8 address because that portal uses a 10.x.x.x.x network.
01-23-2023 04:18 PM
OK, can you try putting the exact network of the portal? For example, 10.1.1.100/32.
And then in the GP client, check the routes to verify whether the route is being loaded into the GP routes.
In GP 6.x you can check in Tshoot, Advanced, and Routing Table.
Try putting the exact route in the split route (example: 10.1.1.100/32), log off and log in from the GP VPN, and then test and check the log monitor, filtering on your GP IP as the source.
Try to do a ping and a tracert from the client using GP to check if the route is going to another site or device, or is looping in a part of your network.
Cheers
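The route check suggested in the reply above can be scripted. This is an added example, not code from any poster: it applies longest-prefix matching to a constructed client routing table to show which interface carries traffic to the portal address and whether a more specific route on another adapter overrides the tunnel's 10/8 include route. The table contents and the interface names (`OtherVPN` in particular) are assumptions; `10.1.1.100` is the example address from the reply.

```python
import ipaddress

# Constructed sample client routing table (not from the thread):
# (destination prefix, interface name, metric). "OtherVPN" is hypothetical.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "Ethernet", 25),
    ("10.0.0.0/8", "GlobalProtect", 1),
    ("10.1.1.0/24", "OtherVPN", 1),
    ("192.168.1.0/24", "Ethernet", 25),
]

def matching_routes(dest, routes):
    """All routes whose prefix contains dest, best first
    (longest prefix wins, lowest metric breaks ties)."""
    ip = ipaddress.ip_address(dest)
    hits = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            hits.append((net, iface, metric))
    return sorted(hits, key=lambda r: (-r[0].prefixlen, r[2]))

def check_split_tunnel(dest, routes, tunnel_iface):
    """Report which interface carries traffic to dest and which routes on
    other interfaces are more specific than the tunnel's best route."""
    hits = matching_routes(dest, routes)
    if not hits:
        return {"via": None, "prefix": None, "uses_tunnel": False, "shadowed_by": []}
    best_net, best_iface, _ = hits[0]
    tunnel_len = max((n.prefixlen for n, i, _ in hits if i == tunnel_iface), default=-1)
    shadowed_by = [f"{n} via {i}" for n, i, _ in hits
                   if i != tunnel_iface and n.prefixlen > tunnel_len]
    return {"via": best_iface, "prefix": str(best_net),
            "uses_tunnel": best_iface == tunnel_iface, "shadowed_by": shadowed_by}

if __name__ == "__main__":
    portal = "10.1.1.100"  # example address used in the reply above
    print(check_split_tunnel(portal, SAMPLE_ROUTES, "GlobalProtect"))
    # Same check after adding the host route to the split-tunnel include list.
    with_host = SAMPLE_ROUTES + [("10.1.1.100/32", "GlobalProtect", 1)]
    print(check_split_tunnel(portal, with_host, "GlobalProtect"))
```

To use it on a real client, replace `SAMPLE_ROUTES` with the prefixes, interfaces and metrics copied from the client's routing table while the VPN is connected.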
01-24-2023 04:44 PM
The 10.x.x.x.x/8 is included in the split tunnel, and the address of https://sap-portal.juniper.net is 10.x.x.x.x, so technically it should be added. We had the same issue with the OKI site, but we were able to fix it by adding a host file for DNS. We already did it for KUL users, and it seems that single SAP portal is not working. I had the user connect to the OKI VPN instead, since they are configured the same way, but the user still wasn't able to access the SAP portal.