GP assigning static IPs to clients



Trying to understand why GP is assigning static IPs to GP clients. We are running GP 5.2.5 and the clients are getting assigned static IPs. They are able to connect fine without any problem for now, but one of the employees, when she was working remotely, had an issue with GP not having a gateway address in there. I was able to get her going by putting the GP gateway address in it. But I'm not sure if this is normal or how this works. Any help would be appreciated.

6 REPLIES


@Akhil_B,

Your question isn't entirely clear. When a client connects to the gateway they are assigned a preferred IP, and absent a few conditions they will continue to utilize that preferred IP for any further connections. That is expected and totally normal behavior.

To be clear however, this is not the same as assigning a static IP to that endpoint. If you start running out of addresses in your address pool, the firewall will start re-assigning addresses from disconnected clients. So while addresses do largely stay the same when clients connect, it's not actually static and a number of conditions can get the client to pull a new address. 

 

Hope that's clear enough and what you're actually asking about. 

So, the scenario was something like this: one of the employees, when she connected to the VPN, was not able to access the internet at all. But when disconnected from the VPN everything works perfectly normally. All the remaining 80 users are currently doing fine without any problems. Now, when I checked her computer (Win 10), she had a virtual adapter installed, and when I looked at its IPv4 settings, I saw the GP IP was set to static with a /32 subnet and no gateway in place. So, when I entered the gateway information her internet was working fine. So, no idea if the GP was supposed to have static or DHCP.

@Akhil_B,

Sounds like something with the user's route table got screwed up. This can happen depending on your agent settings and if you have IP overlap between the user's local network and your enterprise network.

GlobalProtect by design doesn't assign a gateway to the virtual adapter and will always show a /32. It installs routes into the route table to handle the actual traffic routing so the endpoint knows how to route traffic. There are some instances where you can see this type of behavior when the local network overlaps your enterprise network depending on how you have certain options configured (such as any split-tunneling or allowing local LAN access when connected to GlobalProtect) which would cause the behavior that this user was experiencing.

@BPry 

Yes, you are kind of getting closer. So, we do have split tunneling in place. It has our enterprise networks included, which means that if the destination IP is one of the IPs we included in the split tunnel, the traffic travels through the tunnel; all remaining traffic travels through their local ISP. Now, for some reason I saw a 192.168 network included in the split tunnel, which is not part of our network, and her local ISP had a gateway of 192.168.1.1. So, I removed that network from our split tunnel and committed the changes, but it was still causing her problems accessing the internet until I put the tunnel gateway IP in there.

Now, that being said, there might be n number of users that have their local LAN in 192.168, right? I wonder why it happened particularly with her.

@Akhil_B,

To figure that out you really need to be looking at the user's route table and see how it's being set. It's pretty evident that the issue the user is running into is routing related, so you kind of need to go from there as far as troubleshooting goes.

@BPry 

I collected the routing table from her machine and it looks weird now. It's got 2 default routes: 192.168.... is her local ISP, 10.10.200.... is our GP VPN. I just put in the def. G/W on her GP connection to get her going for now; if I remove it she won't have access to the internet if she is connected to GP. The route table is as follows:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.122 50
0.0.0.0 0.0.0.0 10.10.200.1 10.10.200.121 257
10.0.0.0 255.255.0.0 On-link 10.10.200.121 1
10.0.0.15 255.255.255.255 On-link 10.10.200.121 1
10.0.0.16 255.255.255.255 On-link 10.10.200.121 1
10.0.255.255 255.255.255.255 On-link 10.10.200.121 257
10.1.0.0 255.255.0.0 On-link 10.10.200.121 1
10.1.255.255 255.255.255.255 On-link 10.10.200.121 257
10.2.0.0 255.255.0.0 On-link 10.10.200.121 1
10.2.255.255 255.255.255.255 On-link 10.10.200.121 257
10.3.0.0 255.255.0.0 On-link 10.10.200.121 1
10.3.255.255 255.255.255.255 On-link 10.10.200.121 257
10.4.0.0 255.255.0.0 On-link 10.10.200.121 1
10.4.255.255 255.255.255.255 On-link 10.10.200.121 257
10.5.0.0 255.255.0.0 On-link 10.10.200.121 1
10.5.255.255 255.255.255.255 On-link 10.10.200.121 257
10.6.0.0 255.255.0.0 On-link 10.10.200.121 1
10.6.255.255 255.255.255.255 On-link 10.10.200.121 257
10.7.0.0 255.255.128.0 On-link 10.10.200.121 1
10.7.127.255 255.255.255.255 On-link 10.10.200.121 257
10.10.0.0 255.255.0.0 On-link 10.10.200.121 1
10.10.200.121 255.255.255.255 On-link 10.10.200.121 257
10.10.255.255 255.255.255.255 On-link 10.10.200.121 257
10.16.0.0 255.255.0.0 On-link 10.10.200.121 1
10.16.255.255 255.255.255.255 On-link 10.10.200.121 257
10.24.0.0 255.255.0.0 On-link 10.10.200.121 1
10.24.255.255 255.255.255.255 On-link 10.10.200.121 257
10.25.0.0 255.255.0.0 On-link 10.10.200.121 1
10.25.255.255 255.255.255.255 On-link 10.10.200.121 257
72.128.143.50 255.255.255.255 192.168.1.1 192.168.1.122 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.17.0.0 255.255.252.0 On-link 10.10.200.121 1
172.17.3.255 255.255.255.255 On-link 10.10.200.121 257
192.168.1.0 255.255.255.0 On-link 192.168.1.122 306
192.168.1.122 255.255.255.255 On-link 192.168.1.122 306
192.168.1.255 255.255.255.255 On-link 192.168.1.122 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.122 306
224.0.0.0 240.0.0.0 On-link 10.10.200.121 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.122 306
255.255.255.255 255.255.255.255 On-link 10.10.200.121 257
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.10.200.1 Default
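
Added example, not part of the thread and not Palo Alto Networks code: a Python sketch that reads a collected Windows `route print` IPv4 table and reports the three conditions discussed above (competing default routes, a persistent default route through the tunnel gateway, and a tunnel route that overlaps the local LAN). The function names, the `tunnel_ip` parameter (the GlobalProtect adapter's own address) and the sample text are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample in Windows `route print -4` layout, shaped like the posted table,
# plus a 192.168.0.0/16 tunnel route standing in for the mistaken split-tunnel include.
SAMPLE = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.122 50
0.0.0.0 0.0.0.0 10.10.200.1 10.10.200.121 257
10.0.0.0 255.255.0.0 On-link 10.10.200.121 1
192.168.0.0 255.255.0.0 On-link 10.10.200.121 1
192.168.1.0 255.255.255.0 On-link 192.168.1.122 306
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.10.200.1 Default
"""

def parse_routes(text):
    """Split `route print` text into (active, persistent) lists of route dicts."""
    tables, current = {"Active Routes:": [], "Persistent Routes:": []}, None
    for line in text.splitlines():
        f = line.split()
        if line.strip() in tables:
            current = line.strip()
        elif current and len(f) >= 4:
            try:
                net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
            except ValueError:
                continue  # column header, not a route
            iface = f[3] if current.startswith("Active") else None
            tables[current].append({"net": net, "gw": f[2], "iface": iface, "metric": f[-1]})
    return tables["Active Routes:"], tables["Persistent Routes:"]

def findings(text, tunnel_ip):
    """Flag route-table states that matter on a split-tunnel VPN client."""
    active, persistent = parse_routes(text)
    out, defaults = [], [r for r in active if r["net"].prefixlen == 0]
    if len({r["iface"] for r in defaults}) > 1:
        best = min(defaults, key=lambda r: int(r["metric"]))
        out.append(f"multiple default routes; lowest metric leaves via {best['iface']}")
    tunnel_gws = {r["gw"] for r in defaults if r["iface"] == tunnel_ip}
    out += [f"persistent default route via tunnel gateway {r['gw']}"
            for r in persistent if r["net"].prefixlen == 0 and r["gw"] in tunnel_gws]
    lan = [r["net"] for r in active if r["iface"] != tunnel_ip and 0 < r["net"].prefixlen < 32
           and not (r["net"].is_loopback or r["net"].is_multicast)]
    out += [f"tunnel route {r['net']} overlaps local network {n}"
            for r in active if r["iface"] == tunnel_ip and 0 < r["net"].prefixlen < 32
            for n in lan if r["net"].overlaps(n)]
    return out
```

A persistent default route keeps coming back after reboots and reconnects, so a manual workaround of this kind is worth tracking until the underlying cause is found and the route is removed.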
