03-11-2022 09:55 AM
Hey everyone,
We are experiencing an interesting issue and was curious if anyone else has come across something similar. We have a mix of Windows and Mac endpoints, with multiple mobile user regional gateway locations. When connecting to one location (specifically UK location), our Mac systems simply will not connect. GP client continually 'loops' (connected/not connected/connecting). Mac systems connecting to any other regional gateway location work as expected. The issue does not appear for Windows systems -- those users can connect just fine to any gateway including UK.
I've had a TAC case open since September with limited success -- we are able to connect to a TAC UK gateway with our Mac's. This leads me to think it's "something" in the policy (Wildfire Inline ML perhaps??). This constant cycling between connected/reconnecting preventing us from fully deploying Prisma Access
Any thoughts/suggestions?
04-29-2022 08:35 AM
Thanks for the info!
It turns out the UK gateway received a #.#.#.0 address, which is a valid IP based on the subnet mask, but something in the way that Mac's handle this is as if it's a broadcast address. Palo Alto ended up changing the backend IP to an IP that did not end in zero.
04-27-2022 03:47 PM
As with prisma access only Palo Alto can do packet capture, check counters or flow logs the only thing you can check is the globalprotect agent PanGPS/PanGPA logs and on Panorma the Globalprotect logs. Also you can check the Portal config there is anything special for MAC devices as they can have a seperate policy even without HIP being enabled.
Also I don't renember if you could do a policy trace for Prisma Access on the Panorama as yoiu may have some security policy blocking the vpn for UK for MAC devices for example
Also it is interesting where your cortex data lake is located if this could be related but maybe not as palo alto would have seen this.
04-29-2022 08:35 AM
Thanks for the info!
It turns out the UK gateway received a #.#.#.0 address, which is a valid IP based on the subnet mask, but something in the way that Mac's handle this is as if it's a broadcast address. Palo Alto ended up changing the backend IP to an IP that did not end in zero.
05-01-2022 09:57 PM
@nikoolayy1 wrote:As with prisma access only Palo Alto can do packet capture, check counters or flow logs the only thing you can check is the globalprotect agent PanGPS/PanGPA logs and on Panorma the Globalprotect logs. Also you can check the Portal config there is anything special for MAC devices as they can have a seperate policy even without HIP being enabled.
Also I don't renember if you could do a policy trace for Prisma Access on the Panorama as yoiu may have some security policy blocking the vpn for UK for MAC devices for example
Also it is interesting where your cortex data lake is located if this could be related but maybe not as palo alto would have seen this.
Ohh thanks for the information sir,
@AaronRedd wrote:It turns out the UK gateway received a #.#.#.0 address, which is a valid IP based on the subnet mask, but something in the way that Mac's handle this is as if it's a broadcast address. Palo Alto ended up changing the backend IP to an IP that did not end in zero.
what, That i really don't known
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
