GlobalProtect Client Stuck at Connecting when Workstation is on the Local Network

GlobalProtect Client Stuck at Connecting when Workstation is on the Local Network

94433
Created On 09/26/18 21:06 PM - Last Modified 04/29/20 19:50 PM


Symptom


When users whose computers installed with GlobalProtect Client are on the internal network, they are not able to successfully connect to the GlobalProtect Gateway or Portal.  Whereas, users attempting to connect from the Internet work fine.

Environment


  • Pan-OS
  • Global Protect

Cause


The most common situation is when the GlobalProtect Client users on the internal network attempt to connect to the gateway or portal on the external interface.  The communication fails because the firewall identifies the communication as internal to external zone communication and the firewall chooses the outbound NAT rule which translates the source address of the packet to the external interface IP address. Since, the destination in the packet is already the IP address of the external interface the packet now appears to have the same source and destination IP address which would create an unintentional LAN attack, thus the Palo Alto Networks firewalls drops these sessions.

 

See the following link for more information: Unable to Connect to or Ping a Firewall Interface

 

Resolution


 

If the GlobalProtect Portal license is enabled on the firewall, the best option may be to setup internal gateways and enable to GlobalProtect Client to discover the internal gateway and connect to it so that traffic is not tunneled when the user is already on the internal network.

To understand how internal gateways work, see: GlobalProtect Administrator's Guide

 

However, the above does not enable the internal user to connect to the external GlobalProtect Portal. If access to the portal is still required, or if there is no license, then a NAT policy can be configured which acts as an exception to the default outbound NAT when the communication is only to the firewall external interface:

  1. Make a clone of the outbound NAT rule.
  2. Place it above the current outbound NAT rule.
  3. Change the name of the rule.
  4. Add the IP address of the external interface to the original packet destination address field.
  5. Change the source translation field to None.

This allows internal users to connect to the external gateway or portal without going through a source translation and getting dropped.  If the users are connecting to an external gateway, their tunnel traffic will still be encrypted and sent through the internal network toward the external interface.

 

owner: astanton
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm65CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language