About GnContente

Hi, When you configure a SAML app you have to define a group of users that will be allowed to use the SAML app. APP not configured for user means that the user is not part of the Google group.   If I'm not wrong this google error also shows when the entity id or the ACS url are incorrect.They are case sensitive.   There is a chrome or ff extension named SAML tracer that you can use to get more of information. You can see the certificate that google is showing and see if it matches the one you uploaded to the firewall.   The FF error is regarding a corrupt certificate store.   HTH       ... View more

@reaper  I did, it shows exactly the same "failed to commit policy to the device".  To me it looks like some kind of bug. I am using the Python SDK to upgrade the PA devices and i dont understand why the function "upgrade_to_version" installs the base version as well.  ... View more

Please apologise for my ignorance, according to PA usernames are matched based on the user attributes that the firewall reads from the LDAP-compliant directory. Group mapping requires a LDAP server. Thus i conclude this cannot be done with SAML   PAT is whatt i am looking for as a solution, however i havent figure out how can configure multiple gateways using PAT and loopback interfaces. It would be nice to have an example as reference. ... View more

Hi, I have been looking for the same answer, by enabling SAML on the vpn you end up loosing functionality and you must have a mix of SAML and AD groups to keep being able to segment the VPN.   I have been browsing the community and found that you can possibly configure different gateways using loopback addresses, however no documentation I have found. After many tests and tries i was finally able to configure different gateways using NAT. However they only work with SSL.    If you wish to segment admin users from regular users without AD groups, this might be a good solution, since admin users do not require much bandwidth for admin related tasks.   HTH ... View more

Hi @BPry    Thank you for your reply. I do need to configure a full and split tunnel on the same public ip address, in fact i was able to achieve this by specifying which users are full tunnel in the agent > client settings. However for our deployment this is not very flexible, my client wants to be able to chose which type of VPN he/she wants. My objective is then to configure on the same firewall a full and split tunnel VPN using the same gateway of multiple gateways, i am actually intregued on how i could use NAT to achive this.    I was only able so far to find documentation about distributed gateways, it would be kind if you could provide some guidelines on how i could configure a full and split tunnel vpn on the same firewall or to point me out to proper documentation that i can read about.    TIA ... View more

Hi @JoergSchuetter   Thanks for replying, if i have a port-channel for each firewall on the downstream switch, i do not fully grasp why do i need "Enable in HA Passive State"?   TIA   ... View more

@BPry  The logs show the following: 2021-12-14 09:13:27.320 +0100 [PNTF]: { 3: }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway VPN-PH1_BRB-P <==== ====> Initiated SA: 192.168.170.252[500]-213.41.102.4[500] message id:0x00000493 parent SN:2700 <==== 2021-12-14 09:13:27.320 +0100 [WARN]: { 3: 4}: selector VPN-PH2_BRB-P_T1018 src is ambiguous, using the first one of the expanded addresses 2021-12-14 09:13:27.320 +0100 [WARN]: { 3: 4}: selector VPN-PH2_BRB-P_T1018 dst is ambiguous, using the first one of the expanded addresses 2021-12-14 09:13:27.347 +0100 [INFO]: { 3: 4}: SADB_UPDATE proto=255 213.41.102.4[500]=>192.168.170.252[500] ESP tunl spi 0xB91C4A6D auth=NON-AUTH enc=AES256-GCM16/36 lifetime soft 378897/0 hard 432000/0 2021-12-14 09:13:27.347 +0100 [INFO]: { 3: 4}: SADB_ADD proto=255 192.168.170.252[500]=>213.41.102.4[500] ESP tunl spi 0xA3A1EB5D auth=NON-AUTH enc=AES256-GCM16/36 lifetime soft 349193/0 hard 432000/0 2021-12-14 09:13:27.347 +0100 [PNTF]: { 3: 4}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel VPN-PH2_BRB-P_T1018 <==== ====> Installed SA: 192.168.170.252[500]-213.41.102.4[500] SPI:0xB91C4A6D/0xA3A1EB5D lifetime 432000 Sec lifesize unlimited <==== 2021-12-14 09:13:27.348 +0100 [PNTF]: { 3: 4}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel VPN-PH2_BRB-P_T1018 <==== ====> Established SA: 192.168.170.252[500]-213.41.102.4[500] message id:0x00000493, SPI:0xB91C4A6D/0xA3A1EB5D parent SN:2700 <==== 2021-12-14 09:13:27.350 +0100 [INFO]: { 3: 4}: SPI B91C4A6D inserted by IKE responder, return 0 0. 2021-12-14 09:13:27.354 +0100 [INFO]: { 3: 4}: SPI DCA1C63B removed by keymodify, return 0 0. 2021-12-14 09:13:27.355 +0100 [PNTF]: { 3: 4}: ====> IKEv2 CHILD SA DELETED AS RESPONDER, non-rekey; tunnel VPN-PH2_BRB-P_T1018 <==== ====> Deleted SA: 192.168.170.252[500]-213.41.102.4[500] message id:0x00000492, SPI:0xDCA1C63B/0xA3E51416 parent SN:2700 <==== 2021-12-14 09:13:27.357 +0100 [INFO]: { 3: }: ikev2_request_initiator_start: SA state ESTABLISHED type 3 caller ikev2_child_delete 2021-12-14 09:13:27.357 +0100 [INFO]: { 3: }: IKEv2 INFO transmit: gateway VPN-PH1_BRB-P, message_id: 0x000002E6, type 3 SA state ESTABLISHED 2021-12-14 09:13:27.357 +0100 [PNTF]: { 3: 4}: ====> IPSEC KEY DELETED; tunnel VPN-PH2_BRB-P_T1018 <==== ====> Deleted SA: 192.168.170.252[500]-213.41.102.4[500] SPI:0xDCA1C63B/0xA3E51416 <==== 2021-12-14 09:13:27.357 +0100 [INFO]: { 3: 4}: SADB_DELETE proto=255 src=213.41.102.4[0] dst=192.168.170.252[0] ESP spi=0xDCA1C63B2021-12-14 09:13:27.364 +0100 [INFO]: { 3: }: received DELETE payload, protocol ESP, num of SPI: 1 IKE SA state ESTABLISHED 2021-12-14 09:13:27.365 +0100 [INFO]: { 3: }: delete proto ESP spi 0xA3E51416 2021-12-14 09:13:27.365 +0100 [PWRN]: { 3: }: can't find sa for proto ESP spi 0xA3E51416   As i mention initially, this repeats every 4 seconds. Both phases are up on both ends of the tunnel, however on the side of the tunnel  were tunnel monitor is enabled, the tunnel interface is down and there is no decaps     On the other end apart from not having tunnel monitor enabled everything appears to be fine, i see packets encap and decap   This tunnel was working fine until it started to behave wierd.     ... View more

Hi @TomYoung    It is a bit late for that, the log has already been overwrittew. However if i recall the description was just saying that the tunnel was down.   thanks  ... View more