About bspilde

As with you all, I am experiencing user complaints about VPN connectivity and reliabilty.   One thing I have found today with one of the GP users is using what I'll call ISP C. Our company has two ISP's I'll call them ISP A and ISP B. A traceroute from either side shows traffic going to the client traversing over ISP A from the GP Gateway to reach ISP C. However, a traceroute from ISP C reveals it is traversing a path over ISP B to reach the VPN Gateway. I'm not sure if that has something to do with it or not just yet. It has been at least for this user, a problem more recently with things starting in September.   To add to it, I had a conversation with another engineer in the area at a reseller. He mentioned that he is having an issue at a client site with VPN users dropping randomly as well. They are using Cisco AnyConnect but the interresting thing is they share the same ISP C that our client is using. Not only that, but it is something that started occuring in the same timeframe as our client. These clients should have only one AS hop between their AS and our AS. I haven't confirmed the other path.   So, don't discount the idea that problems could just be ISP related. If anyone has any comments on asynchronous ISP paths using BGP please reply. I'd enjoy hearing them. ... View more

@Juan_R@reaper Juan, As you stated there is a way you can create an Authentication Policy and list a destination of Any for port 21 service aka FTP. This is supposed to prompt the GlobalProtect client over udp 4501 like you mentioned. The only way you can do the prompt without the GP client is to be using an HTTP or HTTPS website capable of doing a transparent or redirect to the captive portal.   I did beta testing of this on 8.0.0 with GlobalProtect for drive mappings or RDP and just a Captive Portal for a web site. It was successful. I however am trying to set this up for access restrictions to our datacenter by VPN users to a particular server before they can map a drive to that server. I am unsuccessful at this point and have a ticket open with TAC. In fact, now RADIUS has broken to Okta so I'm fixing that first. What I do see is that there is a UDP packet sourced from the protected resource and the GlobalProtect client is not picking up the packets.   If you decide to implement this and have success please post a comment! FYI you will need at least 8.0.13 or 8.1.3 due to a TLS 1.2 requirement bug in the firewall if using Okta MFA. ... View more

I didn't see PAN-95152 in the release notes for 8.0.13. However, after upgrading to 8.0.13 my MFA cert profile issue disappeared and is successfully authenticating users hitting authentication policies now.   I am not getting prompts in GlobalProtect for non-web based applications still. That doesn't work on 8.1.3 either. I had it working in the 8.0.0 beta but hadn't tried it out since but now have a use case. ... View more

I would recommend doing a static ARP entry for your public server IP addresses on the public routers. ... View more

I am getting a counter value for it on the firewall also:   > show counter global filter delta yes | match mfa appid_mfa_gp_notification                  1        0 info      appid     pktproc   notification message sent to GP client for MFA ... View more

I am having the same issue I believe. I have 8.1.3 and 4.0.7 GP and 4.1.5 GP clients all the same. If I packet capture I do see a UDP packet recevied on client over port 4501 as configured. However the source IP address appears to be the IP address of the protected resource, not of the trusted MFA Gateway.   I had this all working many many months ago and during the Beta of 8.0. I refreshed my MFA token knowning it was expired and then found it no longer works to prompt via GlobalProtect.   Everything is working just fine if it is a web site protected resource and use the standard man-in-the-middle style response page method. ... View more

Have you confirmed it works on Comcast with a different modem? I have seen issues with GlobalProtect working successfully through a couple specific modems used in Europe ISP markets. As soon as the user replaced the modem all was well. Prior to that connections were unsuccessful frequently or GP selected the wrong regional GP Gateway. AnyConnect to our Cisco ASA didn't seem to have any issues but I hadn't confirmed it was using IPSec vs SSL as the transport.   If you are using AnyConnect with xauth to a Palo Alto it would require IPSec but you could help exclude it being an ASA issue. Is it an IPSec or SSL AnyConnect connection dropping??   You might want to just setup a gateway for that user on GlobalProtect with IPSec disabled so it uses an SSL tunnel to see if that works more reliably for them until the ISP/modem issue is resolved (if ever).   I have offices on Comcast and have frequent drops but they are a Cisco router to PAN VPN gateway. We don't seem to have issues with PA to PA VPN's but have none of those on domestic cable modem based ISPs. ... View more

I've had repeated issues with ARP on public interfaces of the PA firewall. In my specific case we have two separate interfaces one for guest and one for corporate public internet access. The firewall randomly decides to send ARP replies from the wrong interface. Therefore we have made it a standard process that any and all non-guest interface IP's including new NAT entries have to be static ARP assignments on the public routers. This was supposedly fixed in a release long ago but we recently determined it still exists.               @SteveMcCall ... View more

Looks like it is in the masterd.log file when it occurs.   https://live.paloaltonetworks.com/t5/Management-Articles/Error-mgmtsrvr-virtual-memory-limit-exceeded-restarting/ta-p/65992   Also seems there was a bug related to the memory leak in 7.1.0 and 7.1.1 (93395). I'll make sure the customer isn't on one of those versions of code for some reason. ... View more

Also, this may not be specific to an 8.1.0 upgrade, that's just the event that caused me to experience it.   The other thing with the upgrade is it can clear out the %USERINPUT% and set it to "None" on the Auth Profile's UserName Modifier.   ... View more

Yes this resolution was via TAC and all is well now after resetting the database. ... View more

This command will provide you the majority of debugs that may be enabled.   show system state | match debug.level\|debug.pcap\|debug\.global\|monitor\.detail\.enable\|protect\.portal\.debug ... View more

Thanks Greg! Huge help for us. ... View more