Palo Alto Networks Knowledgebase: DotW: GlobalProtect Not Passing Traffic

DotW: GlobalProtect Not Passing Traffic

1960
Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM
Mobile Network Infrastructure
Resolution

dotw.png

 

This week's discussion focuses on user 'dusk2dusk' having issues with Layer 3 not passing through the untrust/internet interface at random times. Specifically, he is using GlobalProtect Large Scale VPN (LSVPN) to connect 55 current remote sites. On PAN-OS 6.1.2 on remote sites and 6.0.5h3 at hubs in the datacenter. He observed intermittent issues where routes to remote sites are not installed in the Routing Information Base (RIB) on the hub as a result the tunnel is declared active on both sides but there is no traffic passing between remote and hub. Also, on the satellite remote sites he is seeing a dataplane full lockup on Layer 3. The routing of traffic is not occurring until he reboots the dataplane or the entire firewall on remote sites.

 

The user 'dusk2dusk' has had this occur several times on different PA-200's and tried the following to remedy the issue:

  • Performed a firmware upgrade to PAN-OS 6.1.3
  • Examined router and determined the ARP entry for the Palo Alto Network firewall is present
  • Cleared ARP table
  • Repopulated with MAC/IP and it responds correctly
  • Rebooted the router (did not help the firewall pass Layer 3)

 

After further research, it was determined this was a bug and the issue has been fixed in PAN-OS 6.1.4.

Below is the official description of the issue:

Fixed an intermittent issue on VM-Series firewalls where GlobalProtect clients stopped connecting and displayed a Connection Failed error, possibly due to an encap/decap context leak. With this fix, the encap/decap context leak is no longer observed.

 

Additional documentation regarding other fixes in PAN-OS 6.1.4 can be found on the following link: PAN-OS 6.1.4 for PA-200 Platform Software Update

To read the entire discussion, see the following link: Layer 3 Stops Passing - All PAN-OS Versions incl. 6.1.3

 

If you have any additional questions regarding this discussion please leave a comment below. Thank you for your time.

 

Andrea Simon



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClX3CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language