GlobalProtect failing after upgrading PanOS to 11.1.4

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect failing after upgrading PanOS to 11.1.4

L3 Networker

Dear all,

 

I have a very strange issue after I upgraded to 11.1.4

The mobile GlobalProtect client stopped working.

 

The network connection is unreachable or the portal is unresponsive.

 

I ran some packet captures and noticed that the firewall sees the SYN packets, but it never replies.

Nothing in the transmit stage pcap

 

Although I can see the connection attempts in the traffic logs.

They are aged out

 

out of curiosity I changed the settings for the sessions by entering:

set session tcp-reject-non-syn no


With this settings I can see also the SYN/ACK packets from the firewall back to the mobile device.

But it looks like these two streams are not recognized as being part of the same session?

 

Any idea how to further debug this issue?

 

Regards

   Andreas

1 accepted solution

Accepted Solutions

L3 Networker

Long story short:

It works again

 

TL;DR

the fact that I saw SYN packets received by the server without a reply and SYN/ACK sent by the server without being seen by the client made me thing about some strange case of asymmetric routing.

 

I have two ISPs, one primary and a secondary.

Primary ISP has a metric of 10, secondary 200 for the default route out via the respective interfaces.

 

When I checked services like whatsmyip I saw the IP of the primary ISP, which is also the one GlobalProtect is listening on.

But, when checking the virtual router runtime stats and looking at the forwarding table, it showed the route via the secondary ISP as being active.

 

No idea how in such a case I saw the IP from the primary ISP on whatsmyip

 

Anyway, after deleting and re-adding the secondary ISP interface everything started working again.

I now see in the runtime forwarding table that the primary ISP is used.

 

How did this happen after the upgrade and why the internal routing was screwed up?

I have no idea.

 

Regards,

   Andreas

View solution in original post

2 REPLIES 2

Community Team Member

Hi @idelconsulting ,

 

I'd start by grabbing and checking the GP debug logs.

These generally give a pretty good indication why the portal isn't responding.

 

Are you able to just browse to the portal ?

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L3 Networker

Long story short:

It works again

 

TL;DR

the fact that I saw SYN packets received by the server without a reply and SYN/ACK sent by the server without being seen by the client made me thing about some strange case of asymmetric routing.

 

I have two ISPs, one primary and a secondary.

Primary ISP has a metric of 10, secondary 200 for the default route out via the respective interfaces.

 

When I checked services like whatsmyip I saw the IP of the primary ISP, which is also the one GlobalProtect is listening on.

But, when checking the virtual router runtime stats and looking at the forwarding table, it showed the route via the secondary ISP as being active.

 

No idea how in such a case I saw the IP from the primary ISP on whatsmyip

 

Anyway, after deleting and re-adding the secondary ISP interface everything started working again.

I now see in the runtime forwarding table that the primary ISP is used.

 

How did this happen after the upgrade and why the internal routing was screwed up?

I have no idea.

 

Regards,

   Andreas

  • 1 accepted solution
  • 1297 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!