Native VPN client on android phone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Native VPN client on android phone

L4 Transporter

I recently upgraded my PA 5050 to 7.1.9. Before that users could connect to the VPN could connect via their native VPN client on their android phones and today I got a call saying one user no longer could and it was failing on the encryption. Any ideas?

1 accepted solution

Accepted Solutions

Here it the resolution from the TAC case

 

We found errors for the invalid proposal from the client and it was due to changes in Global Protect fields post the upgrade of PAN OS 7.1 (Bug 94883)

>> Checked the configuration on the firewall for the Global Protect and found OS field contain value "any" instead of "Any" was the root cause of connectivity issue using the Native Client.

> configure
# set global-protect global-protect-gateway <gateway_name> client-auth <client_auth_name> os Any
# commit

>> Post the above changes for the OS field the native clients were able to connect to the Global Protect Gateway and we have verified the connectivity

View solution in original post

28 REPLIES 28

Cyber Elite
Cyber Elite

@jdprovine,

My initial reaction would be to verify that your x-auth setting didn't get reset to default and verify that they are using the proper group name and group password. It could be that the x-auth setting got modified back to it's default state or that their phone is simply misconfigured, since it specifically failed on encryption I would really be looking at verifying that the group name/password match what is actually on the firewall. 

@BPry

I checked and x-auth is enabled

If it had changed wouldn't it have affected pc native clients too

What about skip x-auth on ike rekey would that cause it to fail? and would it cause it to fail on pc native clients and phone clients

@jdprovine,

If you are utilizing the PC's native client then yes. At that point I'm guessing it's something on the users phone if you have native clients connecting elsewhere; I would ask them to clear everything out and follow your setup instructions again, they could have inavertably modified something without realizing it. Another question to ask with an native client is if there device has updated recently, the OEM could have changed something on there end that the PA doesn't like. 

@BPry

Thing is its a not a regular user but a networking guy LOL. So it probably doesn't have anything to do with the upgrade to the new OS of 7.1.9 on the PA

@jdprovine,

I would say with 98% certainty that this has nothing to do with the update to 7.1.9 if you are having clients utilizing native clients currently without any issue. 

@BPry

Yes that was my thoughts as well since the release notes never mentioned any changed to the GP


@jdprovine wrote:

@BPry

I checked and x-auth is enabled

If it had changed wouldn't it have affected pc native clients too


Off topic: what OS do the computers have where you are using the native client?

@Remo @BPry

For now I only have reports of issues with the native clients on an Iphone and an android phones no word about pc's yet

@jdprovine

I'm really interessted in the OS, just because with windows 10 I was not able to configure it. And the reason after a little troubleshooting was that paloalto does not support strong enough ciphers for windows 10.

@Remo

so far I have tried it only on windows 8, I know you cannot configure the native client on windows 10 to work with the PA VPN, I am also going to test on a mac. I was also able to connect with the cisco vpn client and no longer can

would the tls version have anything to do with it

I don't think so because the native iOS / Android VPN clients do not connect with an SSL VPN tunnel. They use a plain ipsec vpn connection

so could it be a encryption issue something with isakmp

  • 1 accepted solution
  • 8439 Views
  • 28 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!