About pnelson

pnelson · ‎10-04-2021

Following up - Over the weekend I worked with the partner's engineer and we tore down and rebuilt the VPN on both sides and apparently fixed the issue. There have been no more SA drops. I suspect the issue was on the Cisco side as in a previous life I had to tear down/rebuild VPNs on ASAs a few times to cure unexplained weird behavior. I can't say for sure. Bottom line is that it's fixed. Pete

pnelson · ‎10-01-2021

Thanks for the response, BPry. Yes, the tunnel and this particular SA are actively passing traffic until this situation occurs. The broader perspective is that the host address that is my local side of the proxy ID/encryption domain is a PAT address being used by a few dozen users to connect to a host at the partner site. When Phase 2 renegotiates and this particular SA drops my users are actively accessing the host at the partner site and are disconnected - they see it happen and my phone immediately lights up. I'm sure TAC would like to analyze this while it's in a failed state but this is a critical system, my priority is to get it back into operation as quickly as possible. I've been working with VPNs for over 20 years on a variety of platforms. There have been a couple of times on Cisco ASAs where unexplained weirdness was solved only by tearing down the tunnel config and re-building it from scratch. Maybe this is one of those times. I've got nothing else. Pete

pnelson · ‎09-30-2021

I have a B2B tunnel with a business partner. There are 22 proxies, all defined host-to-host. The VPN peer is a Cisco firewall, I'm not sure of the model. Phase 2 lifetime is 8 hours. One particular SA stops sending and receiving traffic at each Phase 2 re-negotiation. When this happens the SA shows active on my PA-3250, PAN-OS 9.1.10 and on the partner's Cisco. On my side I see encaps and no decaps, on his side he doesn't see my traffic for this SA coming in. No other SAs in this tunnel experience this issue. The only way I have found to recover from this is to either bounce the tunnel (not desirable as it is in production and has other SAs that are just fine) or to remove the proxy for the affected host-to-host pair and re-add it. Either method works every time, until the next Phase 2 re-negotiation. This tunnel is not new, it has been running fine for a year+. There is nothing particularly special about this tunnel as compared with my 80+ other B2B VPNs. This started happening about a week after upgrading from PAN-OS 9.0.13 to 9.1.10, but that is essentially the only change and no other tunnels are affected. What could be affecting a single SA like this and not affecting the others within the same tunnel? The Cisco engineer at the business partner site is competent. We've compared his encryption domain against my proxies. We've made sure our SPIs match. He's working the same issue from his side and neither of us is pointing a finger at the other, it could be either firewall or both. Thanks. Pete

pnelson · ‎06-18-2020

SCCM version is 1910. Your GP settings look pretty much the same although we're set up so that our users have to be in a particular AD group. In the HIP profile we specify that the clients must be members of the domain. I'm not seeing any material difference. Pete

pnelson · ‎06-18-2020

Sorry, ColonelHawx, did not see your previous post. Connection Method is "On-demand (Manual user initiated connection)." Pete

pnelson · ‎05-29-2020

ColonelHawx, I had to go to my SCCM and DNS folks to give you a proper answer. SCCM guys say if your boundaries are good that's all you have to do there. My DNS people sent me this: "Because VCUHS.mcvh-vcu.edu [which is the domain of our user PCs] is also used by servers, we don’t allow every device using that domain to register with DNS. I had to add the Global Protect pool to the list of networks that are allowed to register [with our Infoblox DNS servers]." SCCM could not resolve PCs names to IP addresses until this change was made. That made it all work. I hope this helps! Pete

pnelson · ‎03-25-2020

Zach, your fix worked! THANKS!

pnelson · ‎03-25-2020

Thanks, Zach. I've allowed the traffic and will have my SCCM guys test.

pnelson · ‎03-25-2020

We just deployed and started using GlobalProtect 5.1.1 to support the work-from-home COVID-19 initiative for thousands of remote workers. Everything is working well but my SCCM guys can't manage any of the remote clients to push patches or software updates. Our internal DNS resolves the host names to the last LAN address of the host, not the IP pool address. The same things happens with Cisco AnyConnect clients. I don't know anything about AD or SCCM. Is SCCM management of remote hosts doable and if so, how are you doing it?

Member Since	‎11-13-2014 07:47 AM
Date Last Visited	‎05-23-2022 08:24 AM
Posts	9
Total Likes Received	3

Online Status	Offline
Date Last Visited	‎05-23-2022 08:24 AM

About pnelson

Re: One IPSec SA Stops Passing Traffic

Re: One IPSec SA Stops Passing Traffic

One IPSec SA Stops Passing Traffic

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: One IPSec SA Stops Passing Traffic

Re: One IPSec SA Stops Passing Traffic

One IPSec SA Stops Passing Traffic

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

Re: SCCM management of remote GP Windows clients

SCCM management of remote GP Windows clients

Network Security

Cloud Security

Security Operations

About pnelson