Global Protec

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protec

L2 Linker

We are migrating from Cisco any connect to Global protect. From our cisco any connect all SAP applications from Juniper Pulse VPN are working. However when we connect on Global protect all SAP applications are working except https://sap-portal.juniper.net. The policies are allowed correct and all routes are correct, split tunnels also are set correctly and NAT.

We check the monitor and we verified that routes are correct its just weird that specific route is not seen by our PA

 

Have you encounter this issue? Any suggestion would greatly appreciated.

 

 

12 REPLIES 12

L4 Transporter

Hello @weezy 

 

When you connect by GP, and the DNS that it assigns you, resolves the address of that URL ?

If you do nslookup and query by that FQDN, does it resolve ?

 

Thinking about the DNS that you have assigned for GP clients to use.

 

Regards

High Sticker

Yes it resolves the address of that URL when I do a NS look up. So just to give you a back ground. Our users from KUL site are using Pulse Secure VPN and Cisco any connect simultaneously and on any connect they can access all the SAP portals. Since we are migrating from any connect to GP we tried to have them to connect on GP and access all the SAP APP and everything works except  https://sap-portal.juniper.net , the routes are correct, policies are allowed, split tunnel permits the 10/8 address because that portal uses a 10.x.x.x.x network 

@weezy 

 

OK, Can you try put exactly network of the portal ? for example ? 10.1.1.100/32.

And then in th GP client check the routes to verified if the route is charging in the routes GP.

In 6.X Gp you can chek in Tshiit, advanced and routing table.

Try put in the split route, exactly route ( example: 10.1.1.100/32 ), logoff login from gp VPN an then test and check Log monitor, filter source your IP GP.

Try to do a ping a tracert from Client use GP to check if the route is going to another site, device or is looping in a parte of your network.


Cheers

High Sticker

The 10.x.x.x.x/8 is include on split tunnel and the address of that  https://sap-portal.juniper.net which is 10.x.x.x.x so technically it should be added. We had same issue with OKI site but we are able to fix it by adding host file for DNS. We already did it for KUL users and it seems that single SAP portal is not working, I have the user to connect on OKI VPN instead since they are configured the same way but still the user wsan't been able to access the SAP portal

Hello @weezy 

 

Yes, I know that it is contained in the 10.0.0.0.0/8 but to avoid that the packet can be lost in another computer that sends the traffic incorrectly, please enter in the split the exact address i.e. example 10.10.1.100/32.

Now if you tell me that they had to put in their host file the fqdn then it points to the issue being in the DNS.

Now how much do you connect to GP:

1.- First what DNS does it assign you ?
2.- Those DNS are able to resolve the fqdn of the sap portal ? nslookup ... etc.
3.- Now from the client connected by GP, you can do a telnet to port 443, this to validate that the port answers.
That is cmd. telnet sap-portal.juniper.net 443.
4.- When you are telnetting and/or trying from the client connected to GP to the URL and/or telnet to the port, go to the Palo Alto FW and check the log monitor, filter by IP and validate that there is a traffic log or not.
5.- Perform ping tests, do you reach it with a ping or trace ? the ip/fqdn sap-portal.juniper.net ?
In the exact segment, not the supernet 10.0.0.0.0/8, but the exact network segment where the sap-portal.juniper.net is, do you have another IP of that segment with which you can make tests and comparisons, if you reach it or not without problems from GP ?
7.- If you do not have base connectivity it will not respond, check that also the L3 switches and/or routers, Core, etc have the return route corresponding to the network segment that Global protect uses ( the network for GP endpoints clients ), if they do not know how to return the traffic to that network, when the connection is originated, the packet will be lost.
8.- Take traffic captures with Wireshark and/or from the PA and check if you can see any network problem.

Regards

High Sticker

weezy_0-1674608768344.png

Hi I did a ping test, and it shows that it enters the lan and exit the same lan interface and its aging meaning its not complete.

 

I did a nslookup both any connect and GP

above is connected to any connect while below is on GP

 

weezy_1-1674609137167.png

 

 

nslookup sap-portal.juniper.net
Server:  anyntp.juniper.net
Address:  66.129.233.81

 

Name:    sap-portal.juniper.net
Address:  10.197.14.9

 

Hello @weezy 

 

Did you add only the IP 10.197.14.9/32 to the GP SPLIT ? ... Do it. 
Ok, so if the ping does not complete then we may have a problem. If you have no response to ping then either the server/app has Ping disabled. As I mentioned before, do you have another device/server/printer, endpoint, that does respond to ping from GP on the same network segment as 10.197.14.9/sap-portal.juniper.net e.g. 10.197.14.5 ? 10.197.14.8 ? 10.197.14.3 ? or other to validate if something on that exact network segment responds to ping and responds correctly ? (Make sure you have the Palo Alto FWs security policies allowing this ping traffic).

Did you check if the L3/routers or intermediary devices have the return path to the GP network, i.e. the Network or subnet range that you indicated in the FW in the Global Protect config to assign to the endpoints with GP client.

In the Log Monitor traffic log, when you track the ping and telnet connection ( you did telnet 10.197.14.9/sap-portal.juniper.net port 443 , i.e. telnet command 10.197.14.9 443 ) you have only sent and not received bits ?

Now from a computer stopped on 10.197.14.X ( for example from the server or other device ) if you try to ping or trace to the FWs for example to a GP IP endpoint ( you must allow with security policy the traffic from trust to GP zone ) the trace at least reaches the GW of the FWs PAN ?

Cheers

High Sticker

The security polices are allowed,we have routing as well, we are not able to ping when I did monitor on traffic it age out only.

When I do a route print on users laptop this sap address 10.197.14.9 is pointed on juniper pulse VPN virtual interface 

Now its not pointed to any connect or GP but the thing is it doesn't work on GP

 

Hello @weezy 

 

I reiterate, are you sure that the range you are using in GP, i.e. the range or network you are using for GP, is a route known to your equipment ? Including Juniper ? knows how to return the traffic, when the connection comes from the GP network segment ? knows that the network, for example if your GP network is 172.16.90.0/24, Juniper Pulse, knows where to return the packet ?

And the other tests I mentioned ? another IP, telnet ? split ? have you tried ?

High Sticker

will try to add the /32 on split later and will update you. Thanks

But wait the OKI users have the same settings on KUL users since we added the host file for DNS on OKI that fix the issue it strange that is not working on KUl even though we have them to connect on OK IVPN instead, now for the range that you mentioned yes it is know to every device on our network

Issue has been resolved , we didn't made any changes to OKI firewall we just added a host file, now on KUL firewall we made changes to allow the traffic however it didn't worked. When we double check the host file it was empty and we re-added it and it fix the issue.

  • 3529 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!