Well, we tried this and are still having problems. In Traffic Monitor we just get random denies falling back down to our last rule, which we call "block others" (like a catch-all deny rule). In this state it seems the user can ping and trace but can't really "access" anything. Like, you could ping a DC for example, but you can't RDP into it. Or ping an internal web server, but again cannot access its webpage. Can't log in to the phone system, or Skype for Business. Many of them say subtype eq deny, and action is drop... for applications like msrpc-base, ms-ds-smb-base, DNS, SSL, ntp, cotp. However, the source user IS correctly identified, and the allow rule for this user is high up, actually rule 7 in this case, "VPN Access - Information Technology", and it allows domain admins, information technology, a vpn-it AD group, and a particular service account we sometimes use to RDP to a particular server. The thing is, the destination is any / any / any and application and service are both any / any. So why would it deny on things like SSL? It's random: like I will have Outlook open and lock my screen one day and the next morning unlock my screen - I'm still connected to the VPN, Outlook is up to date. I'll work for an hour or two and then start getting connectivity issues. GP says I'm connected... the internet works fine (we split tunnel) but I can't access anything internal. I can ping but nothing else really. I can fire up another computer on Cisco AnyConnect just so I can see the firewall logs for my GP IP address, and my user name is still correct, but it's starting to deny applications that shouldn't be denied because we have it set to "any". We have a few testers and they seem to see that they log in and it goes from pre-logon to their user, GP says connected, but they can't access ANYTHING internal (except pinging things) for like 10 minutes!
We initially had the GP tunnel rename timeout at 200 seconds so there's enough time to allow login scripts to run, but we tried changing it to 0 and still nothing. We thought maybe a good working config would rename the tunnel WITHOUT disconnecting the user. At first I was OK for some time and then I would get into this random "state" of ping only, and we did seem to track it down to cookie auth expiring and renewing, so we disabled the cookies and that did not fix it. We then thought maybe it's User-ID and it's not thinking about moving from pre-logon to user, or not detecting the user correctly, so we tried that tweak above about disabling the User-ID timeout. Then I noticed I would have these strange connectivity issues right around a HIP check, so I disabled that. Still nothing. We can't get this thing stable and we are supposed to finally fully migrate onto it from a 100% stable working Cisco ASA next weekend. I can't move forward with that plan if we can't get 80 work-from-home users on a stable VPN. We've been sitting on these PA-3220s for a year now and just can't get it going. I'm almost regretting going with Palo and maybe I should have gone with our other contender, Fortigate. We're at a loss here.
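One way to narrow a problem like the one described in this post is to triage the traffic log export rather than eyeballing Traffic Monitor: pull out only the sessions that hit the catch-all deny while the source user was already identified and is known to match the intended allow rule, then cluster those denies into time windows per user so their start and end can be compared against the GlobalProtect timers the post mentions (cookie renewal, HIP check, tunnel rename). The script below is an added example, not code from the original post or from Palo Alto Networks; the column names, the sample rows, and the rule names used as defaults are constructed assumptions, so map the column names to your own export header before using it.

```python
# Added example: triage of a constructed, simplified PAN-OS-style traffic
# log export. Column names are assumptions, not the real export header.
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a GlobalProtect user allowed by the intended rule at
# 08:00, then a burst of catch-all drops an hour later while ping still passes,
# plus a pre-logon host (empty src_user) that is expected to hit the catch-all.
SAMPLE_LOG = """time,src_user,src_ip,dst_ip,app,action,rule
2024-01-10 08:00:00,corp\\jdoe,10.10.1.5,10.0.0.10,dns,allow,VPN Access - Information Technology
2024-01-10 08:00:01,corp\\jdoe,10.10.1.5,10.0.0.20,ssl,allow,VPN Access - Information Technology
2024-01-10 08:05:00,,10.10.1.6,10.0.0.10,dns,allow,GP Pre-Logon
2024-01-10 09:10:00,corp\\jdoe,10.10.1.5,10.0.0.10,ssl,drop,block others
2024-01-10 09:10:02,corp\\jdoe,10.10.1.5,10.0.0.20,ms-ds-smb-base,drop,block others
2024-01-10 09:10:05,corp\\jdoe,10.10.1.5,10.0.0.30,msrpc-base,drop,block others
2024-01-10 09:10:06,corp\\jdoe,10.10.1.5,10.0.0.10,ping,allow,VPN Access - Information Technology
2024-01-10 09:11:00,,10.10.1.6,10.0.0.20,ssl,drop,block others
"""

# Action values that count as a deny; "drop" and "deny" are the ones the post reports.
DENY_ACTIONS = {"drop", "deny"}


def parse_log(text):
    """Parse the CSV export and convert the time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows


def users_matching_rule(rows, rule):
    """Identified users that the firewall matched to `rule` at least once."""
    return {r["src_user"] for r in rows if r["rule"] == rule and r["src_user"]}


def unexpected_denies(rows, catch_all, expected_rule):
    """Catch-all denies for a user who is identified AND known to match the
    expected allow rule elsewhere in the export. With destination/app/service
    set to any, these sessions should never reach the catch-all."""
    known = users_matching_rule(rows, expected_rule)
    return [r for r in rows
            if r["rule"] == catch_all
            and r["action"] in DENY_ACTIONS
            and r["src_user"] in known]


def summarize_by_user_app(rows):
    """Count denies per (user, application) pair."""
    return Counter((r["src_user"], r["app"]) for r in rows)


def deny_windows(rows, gap=timedelta(minutes=5)):
    """Cluster denies per user into windows; consecutive denies closer than
    `gap` belong to the same window. Returns (user, start, end, count)."""
    by_user = {}
    for r in sorted(rows, key=lambda r: (r["src_user"], r["time"])):
        by_user.setdefault(r["src_user"], []).append(r)
    windows = []
    for user, entries in by_user.items():
        start = end = entries[0]["time"]
        count = 0
        for r in entries:
            if r["time"] - end > gap:
                windows.append((user, start, end, count))
                start, count = r["time"], 0
            end = r["time"]
            count += 1
        windows.append((user, start, end, count))
    return windows


def triage(text, catch_all="block others",
           expected_rule="VPN Access - Information Technology"):
    """Run the full check and return the raw rows, per-app counts and windows."""
    rows = parse_log(text)
    denies = unexpected_denies(rows, catch_all, expected_rule)
    return {
        "denies": denies,
        "by_user_app": summarize_by_user_app(denies),
        "windows": deny_windows(denies),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (user, app), n in result["by_user_app"].items():
        print(f"{user:<12} {app:<16} catch-all denies: {n}")
    for user, start, end, n in result["windows"]:
        print(f"{user}: {n} denies between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

On the constructed sample the pre-logon host's drop is filtered out (no identified user), and the three 09:10 drops for the identified user collapse into one window. Run against a real export, the window boundaries are what you line up against the GP timers: if every window starts within seconds of a cookie renewal or HIP check, that points at a transient User-ID/IP mapping change rather than at the rule itself.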