The IP address expected from the GlobalProtect gateway wasn't assigned

Created On 04/08/20 07:27 AM - Last Modified 07/28/20 20:39 PM


Symptom


Sometimes you need to assign different IP address ranges to GlobalProtect users based on User-ID after pre-logon has completed.

To achieve this, the administrator configured multiple IP address pools in the same GlobalProtect gateway, but it does not work, even with the Rename setting enabled.


Environment


GlobalProtect-Agent for Windows

Cause


A tunnel rename does not re-create the tunnel, so the IP parameters remain the same.
This means that the user continues to use the same IP address from the pre-logon pool, even when the user matches the settings of another IP pool.


Resolution


To force the IP address change, make sure the tunnel is re-established, with the following settings:
  1. Set the pre-logon tunnel rename timeout to 0
  2. Use a different gateway for the pre-logon and user-logon stages

Note: On Mac clients, the tunnels will always be broken/re-established on rename.

