No Route on the Palo Alto Networks Firewall to Reach GlobalProtect Clients
Users cannot assign a preferred IP to their devices on GlobalProtect clients, so configuring an IP pool on the Palo Alto Networks firewall is mandatory. After user authentication, the firewall assigns an IP from its configured pool of offered and available IPs. The firewall should automatically create a route through the configured tunnel interface. This auto-generated route is used as a reverse route for replying to the connected GlobalProtect clients.
The firewall generates a route for the offered/available IPs only if the tunnel interface is assigned to a virtual-router. Choose the virtual-router according to the traffic flow.
Bind the VR to the tunnel interface (this should be the same tunnel interface that is configured on the GlobalProtect gateway):
Go to Network > GlobalProtect > Gateways > Client Configuration. Below is the Tunnel Interface on the gateway:
Shown below is the User Authentication and IP Assignment:
Shown below are the routes: one for the offered IP 220.127.116.11/32 through tunnel.55, and another for 18.104.22.168/32, the available IP in the pool.
Route auto generation in default-VR:
Note: Even though it is an auto-generated route, the firewall flags it as active-static.
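To confirm from saved routing output that every connected client has its reverse route, the check can be scripted. The following is an added example, not Palo Alto Networks code: the sample text is constructed, its column layout is assumed to follow `show routing route` output, the addresses are documentation ranges, and the function names are hypothetical. Only `tunnel.55` comes from the article.

```python
import ipaddress
import re

# Constructed sample; column layout assumed to match "show routing route".
SAMPLE_ROUTES = """\
VIRTUAL ROUTER: default (id 1)
destination        nexthop      metric flags  age  interface    next-AS
0.0.0.0/0          198.51.100.1 10     A S         ethernet1/1
192.0.2.10/32      0.0.0.0      10     A S         tunnel.55
192.0.2.11/32      0.0.0.0      10     A S         tunnel.55
198.51.100.0/24    198.51.100.2 0      A C         ethernet1/1
"""

IFACE_RE = re.compile(r"^(tunnel|ethernet|ae|vlan|loopback)[\d./]*$")


def parse_routes(text):
    """Return (network, flags, interface) for each route line."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "/" not in tokens[0]:
            continue  # banner or column header
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)
        except ValueError:
            continue
        iface = next((t for t in tokens[1:] if IFACE_RE.match(t)), None)
        # Flags appear as single uppercase letters, e.g. "A S" (active static).
        flags = {t for t in tokens[3:] if len(t) == 1 and t.isupper()}
        routes.append((net, flags, iface))
    return routes


def missing_reverse_routes(client_ips, route_text, tunnel_if):
    """Client IPs whose best active route does not leave via tunnel_if."""
    routes = parse_routes(route_text)
    missing = []
    for ip in map(ipaddress.ip_address, client_ips):
        matches = [r for r in routes if ip in r[0] and "A" in r[1]]
        # Longest-prefix match decides where replies to the client are sent.
        best = max(matches, key=lambda r: r[0].prefixlen, default=None)
        if best is None or best[2] != tunnel_if:
            missing.append(str(ip))
    return missing


if __name__ == "__main__":
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    print(missing_reverse_routes(clients, SAMPLE_ROUTES, "tunnel.55"))
```

A client IP reported here has no /32 through the tunnel, so replies to it follow a less specific route instead, which is the symptom when the tunnel interface is not bound to the virtual-router.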