We're in the process of labbing out and testing a pair of 5020s running PanOS 4.1. We've configured GlobalProtect per the TechNote guide, and other than one issue where we had to add a static route pointing the VPN address space at the VPN tunnel interface, we've been able to successfully VPN in using GlobalProtect (with some caveats, mentioned below). We're using OnDemand mode for testing, because that mirrors the VPN solution we have in place now. On both Windows and Mac OS X, coaxing the GlobalProtect client to connect seems at a bare minimum to be 'flaky.' In the testing I've done over the weekend, on OS X it seems as though the client successfully establishes a VPN connection (I can even ssh to devices across the VPN), but the little GlobalProtect GUI icon isn't made aware of this fact. This problem sees to manifest itself in Windows as well - the tunnel establishes, but the client isn't told that the GP virtual adapter has come up. See the screenshot for details - on OS X, the client is stuck in "Connecting..." mode, but the VPN tunnel is definitely up (I can ssh to devices in our lab!), but the client is essentially "stuck" - I can't disconnect or reconnect, all buttons are greyed out. I can go into Terminal.app and kill the GlobalProtect related processes and restart the client (or on the Windows side, restart the PanGPS service), but that's not palatable for our VPN users. We're going to end up with constant support calls with people complaining "this new VPN thing isn't working." On the 5020s we're running the latest stable PanOS (4.1.something - can't remember what the latest stable update is off the top of my head) and on the client side, GlobalProtect 1.1.4-8. Right now I'm on Mac OS X 10.6.8 (my home laptop), but the problem seems to be reproducible in Windows 7 as well. This is what the client currently looks like: I'm clearly connected to the VPN - the terminal window below this screenshot of GlobalProtect's 'Details' tab is a switch that's behind the VPN that I am ssh'ing into
... View more
