To start off...
I have already read this.
https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-not-Detecting-Internal-Network-with-Internal-Host/ta-p/53681
I'll start off with the whole story. We have 2 ISPs, set up to our PA-500s using 2 VRs. One was set up for the DMZ zone, with its default route out ISP 1. The second VR was users' internet, with the default route out ISP 2.
Initially GP was set up on ISP 1. Thus when users attempted to connect, their session would be NATed out ISP 2 back into ISP 1, with internal host detection working a treat and showing the little house on the GP system tray icon.
My goal was to move all my services over to ISP 2. Turns out I couldn't just copy the existing NAT rules, since the DMZ default route was out ISP 1, and any connection attempts would fail due to an incomplete handshake. Welcome, symmetric return!
So I got all my services to work with either external IP association. I then went to move our VPN to the Shaw side, using both proper DNS lookup for the portal/gateway and our own internal PKI. I fought tooth and nail and got the internal PKI set up working just the way I want it to. Externally it was working a treat, so I attempted to connect internally; to my dismay I couldn't reach the external portal from inside the network. Checking the Monitor tab on the PAs I saw no blocked traffic, but I knew it was getting dropped somewhere in the PA, so I did a packet capture. Lo and behold, my packets were getting dropped.
After talking to my uber-smart network engineer, we had two options (no-NAT to my ISP 2 public IP, or a U-turn NAT to my ISP public IP).
After making this config, I could ping and access the web portal, no problem! YAY!
And finally, to the point of this post: everything works now except internal host detection, and it's driving me up the wall. From everything I read on it and how I know my configs are, it should just work at this point. But it keeps connecting my client to the VPN DHCP pool, saying it's connected, and I can see the traffic on the client system, even though it's internally connected (I can ping and resolve the internal host detection stuff from the client system perfectly fine).
To make it even weirder, when I change my portal IP to ISP 1, internal host detection works a treat; change it back to ISP 2, and internal host detection fails.
Same internal host detection settings on both portal/user configs, same internal network.
Thoughts? I'm bashing my head on this one...
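As an added example (not part of the original post, and not Palo Alto Networks code), here is a small Python script that reproduces the check the GlobalProtect agent performs for internal host detection: a reverse (PTR) lookup of the configured internal host IP, which must resolve to the configured hostname. Running it from the client while on the LAN shows exactly what the OS resolver hands back, which is the thing to compare between the working (ISP 1 portal) and failing (ISP 2 portal) cases. The IP, hostname and the case/trailing-dot normalisation are assumptions for the example; the resolver is injectable so the function can also be exercised with a constructed lookup table.

```python
import socket
from typing import Callable, Dict, Tuple

# Constructed values for the example: replace with the IP and hostname set under
# Portal > Agent > Internal Host Detection. Not taken from the original post.
INTERNAL_HOST_IP = "10.0.0.10"
INTERNAL_HOST_NAME = "ihd.corp.example.com"

Resolver = Callable[[str], str]


def reverse_lookup(ip: str) -> str:
    """Default resolver: PTR lookup through the OS resolver, the same path the agent uses."""
    return socket.gethostbyaddr(ip)[0]


def normalize(name: str) -> str:
    # Assumption for this example: ignore case and a trailing dot so that
    # "IHD.corp.example.com." and "ihd.corp.example.com" compare equal.
    return name.rstrip(".").lower()


def internal_host_detected(ip: str, expected_name: str,
                           resolve: Resolver = reverse_lookup) -> Tuple[bool, str]:
    """Return (detected, reason). detected is True only when the PTR for ip
    matches expected_name; any resolver failure counts as 'not internal',
    which is what makes the agent fall through to a full tunnel."""
    try:
        ptr = resolve(ip)
    except (socket.herror, socket.gaierror, OSError) as exc:
        return False, f"no PTR record for {ip}: {exc}"
    if normalize(ptr) != normalize(expected_name):
        return False, f"PTR mismatch: {ip} -> {ptr!r}, expected {expected_name!r}"
    return True, f"{ip} -> {ptr}: internal network detected"


def make_table_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed offline resolver backed by a dict, used for testing the logic."""
    def resolve(ip: str) -> str:
        if ip not in table:
            raise socket.herror(1, "Unknown host")
        return table[ip]
    return resolve


if __name__ == "__main__":
    # Live check from the client: uses whatever DNS servers the client currently has.
    ok, why = internal_host_detected(INTERNAL_HOST_IP, INTERNAL_HOST_NAME)
    print(("INTERNAL" if ok else "EXTERNAL") + ": " + why)
```

Run it once while the agent reports the little house (portal on ISP 1) and once while it tunnels (portal on ISP 2); if the PTR answer is identical in both runs, the DNS side is fine and the difference lies in which DNS servers or routes the client has at the moment the agent performs the lookup, not in the detection settings themselves.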