Palo Alto Networks Knowledgebase: DotW: GlobalProtect Not Passing Traffic
Created On 02/07/19 23:59 - Last Updated 02/07/19 23:59
This week's discussion focuses on user 'dusk2dusk', who reported that Layer 3 traffic intermittently stopped passing through the untrust/internet interface. He is using GlobalProtect Large Scale VPN (LSVPN) to connect 55 remote sites, running PAN-OS 6.1.2 on the remote-site (satellite) firewalls and PAN-OS 6.0.5h3 on the hubs in the datacenter. He observed an intermittent condition in which routes to the remote sites are not installed in the Routing Information Base (RIB) on the hub; as a result, the tunnel is reported as active on both sides, but no traffic passes between the remote site and the hub. On the satellite firewalls he also saw a complete Layer 3 dataplane lockup: traffic was not routed again until he restarted the dataplane or rebooted the entire remote-site firewall.
The user 'dusk2dusk' has had this occur several times on different PA-200s and tried the following to remedy the issue:
Performed a firmware upgrade to PAN-OS 6.1.3
Examined the router and confirmed that the ARP entry for the Palo Alto Networks firewall is present
Cleared the router's ARP table
The ARP table repopulated with the firewall's MAC/IP and the firewall responds to ARP correctly
Rebooted the router (did not help; the firewall still did not pass Layer 3 traffic)
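Before restarting a dataplane or rebooting a hub, it is worth confirming on the hub itself that the tunnel is up while the route is genuinely absent from (or inactive in) the RIB, since that is the condition described above. The script below is an added example and is not from the original article or from Palo Alto Networks. It parses the column layout of `show routing route` (destination, nexthop, metric, flags, age, interface, next-AS; flag A means the route is active) and a simplified satellite list whose format is an assumption here (in practice you would build it from `show global-protect-gateway current-satellite` or your own site inventory), then reports every satellite whose tunnel is reported active but whose remote prefix has no active route through that tunnel interface. All sample output is constructed.

```python
"""Cross-check LSVPN satellite tunnels against the hub RIB (added example).

Assumptions (not from the article): the satellite list format below is
invented for this example; the RIB text follows the column layout that
PAN-OS prints for `show routing route`, but every line is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: satellites as the hub sees them (name, hub-side tunnel
# interface, remote LAN prefix, tunnel status). Format is an assumption.
SATELLITES_TXT = """\
# name        tunnel-if   remote-prefix    status
branch-01     tunnel.11   10.11.0.0/24     Active
branch-02     tunnel.12   10.12.0.0/24     Active
branch-03     tunnel.13   10.13.0.0/24     Active
"""

# Constructed sample in the layout of `show routing route`.
# flags: A=active, C=connect, S=static (other codes exist; only A matters here).
RIB_TXT = """\
VIRTUAL ROUTER: default (id 1)
  ==========
destination        nexthop        metric flags  age  interface     next-AS
0.0.0.0/0          203.0.113.1    10     A S         ethernet1/1
10.0.0.0/24        0.0.0.0        0      A C         ethernet1/2
10.11.0.0/24       0.0.0.0        10     A S         tunnel.11
10.13.0.0/24       0.0.0.0        10       S         tunnel.13
"""

CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
# Interface names are lowercase letters followed by digits/slashes/dots,
# e.g. ethernet1/1, tunnel.11, ae1; flag codes and the age column never match.
IFACE_RE = re.compile(r"^[a-z]+[\d/.]+$")


@dataclass
class Route:
    destination: str
    nexthop: str
    metric: int
    flags: set
    interface: str

    @property
    def active(self) -> bool:
        return "A" in self.flags


@dataclass
class Satellite:
    name: str
    tunnel: str
    prefix: str
    status: str


def parse_rib(text: str) -> list:
    """Parse `show routing route`-style output into Route objects."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not CIDR_RE.match(tokens[0]):
            continue  # banner, header or separator line
        dest, nexthop, metric = tokens[0], tokens[1], int(tokens[2])
        flags, iface = set(), None
        for tok in tokens[3:]:
            if IFACE_RE.match(tok):
                iface = tok
                break
            if not tok.isdigit():  # digits here are the age column
                flags.add(tok)
        if iface is None:
            continue  # route with no egress interface (e.g. discard); not relevant
        routes.append(Route(dest, nexthop, metric, flags, iface))
    return routes


def parse_satellites(text: str) -> list:
    """Parse the (assumed) satellite inventory format."""
    sats = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, tunnel, prefix, status = line.split()
        sats.append(Satellite(name, tunnel, prefix, status))
    return sats


def find_stuck_satellites(sats: list, routes: list) -> list:
    """Return (satellite name, reason) for satellites whose tunnel is Active
    but whose remote prefix is not actively routed via that tunnel."""
    by_dest = {}
    for r in routes:
        by_dest.setdefault(r.destination, []).append(r)
    problems = []
    for s in sats:
        if s.status != "Active":
            continue  # a down tunnel is a different problem than the one described
        via_tunnel = [r for r in by_dest.get(s.prefix, []) if r.interface == s.tunnel]
        if not via_tunnel:
            problems.append((s.name, f"no route for {s.prefix} via {s.tunnel} in the RIB"))
        elif not any(r.active for r in via_tunnel):
            flags = " ".join(sorted(via_tunnel[0].flags))
            problems.append((s.name, f"route for {s.prefix} via {s.tunnel} present but not active (flags: {flags})"))
    return problems


if __name__ == "__main__":
    for name, reason in find_stuck_satellites(parse_satellites(SATELLITES_TXT), parse_rib(RIB_TXT)):
        print(f"{name}: {reason}")
```

Run against real output, the report separates the two cases a reboot would otherwise mask: a prefix missing from the RIB entirely (the symptom reported on the hub) versus a route that is present but inactive, which usually points at the tunnel interface itself rather than route installation.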
After further research, it was determined that this was a bug, which has been fixed in PAN-OS 6.1.4.
Below is the official description of the issue:
Fixed an intermittent issue on VM-Series firewalls where GlobalProtect clients stopped connecting and displayed a Connection Failed error, possibly due to an encap/decap context leak. With this fix, the encap/decap context leak is no longer observed.