About SteveBallantyne

SteveBallantyne · ‎04-15-2021

As someone who just upgraded to 5.2.6 I can tell you that upgrading doesn't fix it! 🙂 I am tired of being asked what this message means. So I am throwing in the towel and unchecking IPSec. PA support - please fix it. Super annoying.

SteveBallantyne · ‎12-31-2020

I just got off of a Zoom session with PA support. They did some further digging into the session flows via the CLI and came to the conclusion that my packets are coming into the Palo, but the return path is broken on the FortiGate side of things. Since the session is never fully establishing (no ACK), the tunnel inspection is not kicking into gear. That is, the *intent* to inspect is there, but the conversation is one-way. I have already engaged FortiNet support - now it's a waiting game. I will share some information and configuration examples if we can ever sort this out, as I couldn't find a lot of useful documentation on their side. And I know there are many customers out there with Palo's in the main office, and "baby firewalls" at their remote sites.

SteveBallantyne · ‎12-31-2020

That is helpful, thank you. I am beginning to think that this is an issue on the Fortigate side. Although the strange thing is that it looks like the packets are emerging from the Fortigate side "in tact" and the Palo is just dropping them. Here is an example ... I have a test phone that I put a static IP onto, 10.50.80.10. It's on VLAN 580. Then I have a phone server on the Palo Alto side, 10.10.70.10. I ran a packet trace on the Palo, filtering for the phone IP. It seems that the packets are assembled with the correct VLAN and the correct VXLAN VNI of 1001. But they are dropped, and as noted the Tunnel Inspection is not being performed. I have a case open with support - but not getting any feedback after the first 24 hours. 🙂

SteveBallantyne · ‎12-30-2020

Hello community, I am attempting to create a VXLAN over IPSec solution between my PA-3250 and a remote Fortinet FortiGate 61E. I have managed to get things configured correctly on the FortiGate (I think) as I am seeing the traffic entering on the Palo side. I am using Tunnel Inspection on the Palo side and it appears to be set up correctly. In the Monitor > Tunnel Inspection on the Palo, the traffic can be seen there. Even though when I click the magnifier to take a deeper look on the flow the "Tunnel Inspection" checkbox is NOT checked, which seems strange to me. I created a security rule for phone traffic and I am seeing that traffic pop into my standard Palo Monitor > Traffic > Logs. But the applications are all coming up "Incomplete". I am also not able to ping back and forth. So it appears everything works - with the exception of the routing. And I am not sure how to fix that? Has anyone here done multiple VLAN's over a VNI using VXLAN over IPSec? If so - how did you get your traffic to *route* correctly?

SteveBallantyne · ‎06-23-2020

I would like to throw a +1 to this request! It seems ridiculous that to me that the "test email" button just sends a blank email. Why not attach the actual reports to it also? I shouldn't have to wait 24 hours to see what the report is going to look like. 🙂

SteveBallantyne · ‎07-24-2019

I ended up upgrading (or in this case *downgrading*) my secondary to 9.0.0 and that worked. So then I was able to upgrade my primary to 9.0.0 without any issues. None of my VPN tunnels came back up on their own, which was a little disheartening. I had to go into the CLI and do a "test vpn ike-sa gateway <tunnel name>" on every single one of them. But my upgrade is complete and functional for now.

SteveBallantyne · ‎07-24-2019

Also - my secondary now shows "HA not enabled" on the Dashboard, even though it's still configured?

SteveBallantyne · ‎07-24-2019

Hello community - I have a case open with support, but I am looking to see if anyone else has an idea for me while they are looking at my tech support files. I attempted to upgrade an active/passive HA pair following the Palo Alto Doc. I upgraded the secondary from 8.1.4-h2 to 9.0.3 and rebooted. I am now at the step where I would suspend the primary and fail over to the secondary. But my HA pair is broken. Here is what shows on the Dashboard of my primary ... Mode Active-passive Local Active Peer (172.17.1.11) Unknown Running Config Synchronized App Version Unknown Threat Version Unknown Antivirus Version Unknown PAN-OS Version Match GlobalProtect Version Unknown HA1 Down HA1 Backup Down HA2 Down I find it odd that it shows a version match for the PAN-OS Version, when in fact, the secondary is running 9.0.3?

Member Since	‎07-24-2019 09:01 AM
Date Last Visited	4 weeks ago
Posts	8
Total Likes Received	2

Online Status	Offline
Date Last Visited	4 weeks ago

About SteveBallantyne

Re: Globalprotect 5.2.5 popup message

Re: Trouble routing VXLAN traffic as it enters the outside interface

Re: Trouble routing VXLAN traffic as it enters the outside interface

Trouble routing VXLAN traffic as it enters the outside interface

Re: Manually run report schedule

Re: Globalprotect 5.2.5 popup message

Re: Manually run report schedule

Re: Trouble routing VXLAN traffic as it enters the outside interface

Re: Manually run report schedule

Re: Manually run report schedule

Re: Globalprotect 5.2.5 popup message

Re: Trouble routing VXLAN traffic as it enters the outside interface

Re: Trouble routing VXLAN traffic as it enters the outside interface

Trouble routing VXLAN traffic as it enters the outside interface

Re: Manually run report schedule

Re: Failed active/passive HA Upgrade from 8.1.4-h2 to 9.0.3

Re: Failed active/passive HA Upgrade from 8.1.4-h2 to 9.0.3

Failed active/passive HA Upgrade from 8.1.4-h2 to 9.0.3

Network Security

Cloud Security

Security Operations

About SteveBallantyne