GlobalProtect client stuck on connection when workstation is on local network


Created on 09/26/2018 21:06 PM – Last modified 04/20/09 19:50 PM

Symptom

When users whose computers have the GlobalProtect Client installed are on the internal network, they cannot successfully connect to the GlobalProtect Gateway or Portal. Users connecting from the internet work fine.

Environment

Cause

The most common situation is when GlobalProtect Client users on the internal network try to connect to the portal or gateway on the external interface. The connection fails because the firewall classifies the session as going from an internal zone to an external zone and therefore selects the outbound NAT rule, which translates the packet's source address to the external interface's IP address. Since the destination of the packet is already the IP address of the external interface, the packet now appears to have identical source and destination IP addresses. This is the signature of a LAND attack, so Palo Alto Networks firewalls drop these sessions.

See the following link for more information: Unable to connect or ping a firewall interface

Resolution

If GlobalProtect Portal licensing is enabled on the firewall, a better option may be to set up internal gateways and enable the GlobalProtect Client to discover and connect to an internal gateway, so that traffic is not tunneled when the user is already on the internal network.

To understand how internal gateways work, see: GlobalProtect Administrator's Guide

However, the above does not enable an internal user to connect to the external GlobalProtect portal. If access to the external portal is still required, or if there is no license, a NAT policy can be configured that acts as an exception to the default outbound NAT rule when the connection is destined only for the firewall's external interface:

  1. Make a copy of the outgoing NAT rule.
  2. Place it above the current outgoing NAT rule.
  3. Change the name of the rule.
  4. Add the external interface IP address to the original packet destination address field.
  5. Change the translation source field to None.

This allows internal users to connect to the external portal or gateway without source translation, so the session is no longer dropped. If users connect to the external gateway, their tunnel traffic remains encrypted and is sent over the internal network towards the external interface.
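The following added example (not part of the original article) models first-match NAT rule evaluation and the same-source-and-destination drop described above, using a constructed topology (all IP addresses and rule names are assumed). It shows why the default outbound rule causes the drop and why the no-translation exception only helps when it is placed above that rule.

```python
from ipaddress import ip_address

# Constructed sample topology (assumed, not taken from the article)
EXTERNAL_IF_IP = "203.0.113.10"   # firewall external interface / GlobalProtect portal
INTERNAL_CLIENT = "10.1.1.25"     # workstation on the internal (trust) network
INTERNET_HOST = "198.51.100.7"    # arbitrary internet destination

def make_nat_rules(with_exception, exception_first=True):
    """Build an ordered NAT rulebase; 'translate_src_to' None means no source NAT."""
    exception = {"name": "No-NAT-to-GP-Portal", "from": "trust", "to": "untrust",
                 "dst": EXTERNAL_IF_IP, "translate_src_to": None}
    outbound = {"name": "Outbound-NAT", "from": "trust", "to": "untrust",
                "dst": "any", "translate_src_to": EXTERNAL_IF_IP}
    if not with_exception:
        return [outbound]
    return [exception, outbound] if exception_first else [outbound, exception]

def apply_nat(rules, src, dst, from_zone, to_zone):
    """First matching rule wins, so ordering decides which translation applies."""
    for rule in rules:
        if (rule["from"] == from_zone and rule["to"] == to_zone
                and rule["dst"] in ("any", dst)):
            new_src = rule["translate_src_to"] or src
            return rule["name"], new_src
    return None, src  # no NAT rule matched; packet unchanged

def forward(rules, src, dst, from_zone="trust", to_zone="untrust"):
    """Apply NAT, then drop sessions whose post-NAT source equals the destination."""
    rule, new_src = apply_nat(rules, src, dst, from_zone, to_zone)
    if ip_address(new_src) == ip_address(dst):
        return {"rule": rule, "action": "drop",
                "reason": "source == destination after NAT (LAND check)"}
    return {"rule": rule, "action": "allow", "src": new_src, "dst": dst}

if __name__ == "__main__":
    print(forward(make_nat_rules(False), INTERNAL_CLIENT, EXTERNAL_IF_IP))
    print(forward(make_nat_rules(True), INTERNAL_CLIENT, EXTERNAL_IF_IP))
    print(forward(make_nat_rules(True, exception_first=False), INTERNAL_CLIENT, EXTERNAL_IF_IP))
    print(forward(make_nat_rules(True), INTERNAL_CLIENT, INTERNET_HOST))
```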

Owner: Astanton
