About NGS_SOC

as far as I know bonjour is a layer2 broadcast protocol and cannot traverse layer3 networks. If you have a different network for vpn client you need a bonjour gateway to do this. Aerohive Networks (Palo Alto tech Partner) does this kind of stuff. As an alternative you could give to your vpn client ips of internal lan but I don't recommend this solution. ... View more

Hi, I've an installation  similar to your scheme and I uses PA-3020  under  ASAs in A/A with 4 vwire. Active Active configuration and full state sync allow you to forget witch ASA is active passing traffic. ... View more

It works! for AndroidOS + IOs (Iphone/Ipad) To bad is not possibile creating multiple connection entry, also without GlobalProtect license neither the simple vpn client feature is available. I've to use the old cisco vpn config  🙂 I hope in the next release will be implemented also AndroidOS in GP configuration tab, for now only win & mac Oses are listed. ... View more

Hi, also I am unable to find the app. It should  work only if GP license is active on device. FOr a simple vpn client under android I use NCP VPN Client, does anyone find something else free? ... View more

set deviceconfig setting session tcp-reject-non-syn no I alway use this command in vwire mode, for me PAN should implement it as default In your case you used A/A but wouldnt it be sufficient to use two (or more) standalone PA-boxes aswell? Using two different separate boxes managed by Panorama could be a solution as well, but in the specific project vwire is only a part of the entire solution. I dedicated also ports for ly3 configuration and HA have to be configured. A/P was not the best choice so I decided to set A/A. Session sync is not an issue due to load-balance algorithm and the way how HA is porformed. In case of failure of one device (or cable) sessions are already duplicated from active-primary to active-secondary (and reverse) via HA2 and HA3 links, The issue is on log sparse on two different boxes but using panorama as global collector even this is not a major problem. Also HA license are less expensive than 2 separate ones. The docs you linked are about core switches similar to Cisco Nexus family, low latency hig performaces, but the configuration with multiple PAs in vwire absorbing etherchnnel single links,  is usable anyhow. Some months ago I found an interesting document,maybe a partner one I have to check, talking about PAN in datacenter, as soon as I found I'll post here. ... View more

Does the Zones belog to the same virtual router? If not, even with correct security rules, traffic won't flow. In static route you need only net and interface tunnel.1, no next hop Also pay attention to secuty acls, use zones, not the enforced network until connection is ok. ... View more

I suggest using Cisco Vpn Client 32 or 64 bit, it works like a charm. You need to activate X-Auth in GloblaProtect Gateway. ... View more

what is done is done 🙂 no turning back ... View more

I've a project as you described above, using a couple of PA-3020 in A/A with 2 vwire for each device (4 ports used  each). I configured a single trust zone for even ports and another untrust for odd ports. In my case etherchannel lacp between switch and switch does the dirty job, and is important to specify the round-robin algorithm with load-banlance ip-src-dst to fix traffic on a vwire.  I used different vlan in the same switch, for example coming out traffic from a vlan, inspect in PA, and than putting again into another vlan, same switch. I's also possibile using a different configuration with etherchannel ly3 (no switchport). Used switch : Cisco Catalyst 3750 nand 3560X In my experience I saw no limits in vwire except the number of ports; total vwire numbers  = floor[(total ports - ha ports) /2] The only drowback, except natural loss of routing and vpn, is avoiding inspected vlan traffic flowing agin into same vwire etherchannel, this could happen in multiple vlan tagged are present and switch does intervlan routing. ... View more

Cisco is opening Eigrp right now link I hope PAN will in the next future develop its version of Eigrp (IETF as an Informational RFC - this means that algorithm core will remain Cisco proprietary). This could be a interesting feature, much faster, simpler and reliable than ospf/rip. ... View more

Also dont forget the ssl-termination (dunno if Mega is compatible with this or not). do you mean ssl decryption or a peculiar configuration upon custom app id? ... View more

HI, i totally agree with you, a combination o app-id and url-based rule is the winning strategic solution. But first of all an app-id has to be built, i've defined protocols and networks for a custom app but i prefer working with an offical one. App-id cache pollution  was a nightmare in explaining to my customers and spamming youtube videos spred out panic 🙂 ... View more

4.1.8hf3 or 4.1.9 are useless for this problem, both tried in the last few days, always 60 min before automagic logoff,  I hope in later versions. 5.0 is not so stable, I saw strange behavior in my 2050s so until 5.0.3 i don't think planning upgrading too. ... View more