Thanks for the feedback. I looked at the logs on one of the clients and I can see it trying to connect using IPSec but failing.

Logs:
- Trying to do ipsec connection to IP_Address [4501]
- Network is reachable
- Connected to: IP_Address [4501], Sending keep alive to ipsec socket
- failed to receive keep alive
- IPSec anti-replay statistics: outside window count 0, replay count 0
- Disconnect udp socket

This happens with every client (all Windows 10 clients with standard configurations, including mine), so I am leaning toward it being a firewall issue. PAN-OS is 9.1.8 and GP Client is 5.2.5-c84.

I was thinking of trying to add a 2nd external IP address and bypassing loopback setup, as well as creating a test environment separate from what's being used in production, but I wasn't sure how. Sounds like if my external interface was an IP address of 1.1.1.1/29, I can add 1.1.1.2 as a 2nd IP address, create a new tunnel and VPN security zone, use the same authentication and certificate profiles, and test the setup.

I will update this post if I see anything else in the logs.