Palo Alto Networks Knowledgebase: GlobalProtect Pre-Logon Issue with Bluecoat User Agent

GlobalProtect Pre-Logon Issue with Bluecoat User Agent

2138
Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:05 AM
VPNs
Symptom

Symptoms

After deploying GlobalProtect with pre-logon enabled, clients running a bluecoat user agent (bcua) experience intermittent connectivity issues. A continous ping from the client to internal resources shows successful replies but after 40 - 50 seconds, the pings begin to time out. Connection will then get reestablished after a few minutes and the behavior will loop.

Diagnosis

The bcua creates a tunnel to Symantec Web Security Service (WSS) which means GP traffic is also tunneled. This causes intermittent connectivity.

 

This can be verified by running a packet capture on the client machine.

 

A few other ways to verify this is the case:

  • Check the client's public IP address; you can do this by doing a google search of "whats my ip address"
  • Verify if this is the IP address from the client's ISP or whether it belongs to Symantec. I used arin[dot]net to verify. If you get a Symantec IP address that would be an indication that a tunnel has been created to Symantec.
  • On the firewall, run the following commands as shown in the screenshot:

symantec_ipv2.jpg

 



Resolution

Symantec is aware of this issue and has provided a workaround in this link

Once the changes have been made, verify the IP seen by the firewall. This should be a non-symantec IP and connectivity should now be stable.

att_mifiv2.jpg

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkpCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language