Unable to connect to Prisma Access Mobile Users - GlobalProtect from On premise network
11147
Created On 02/03/23 00:53 AM - Last Modified 02/15/23 03:16 AM
Symptom
Users from On-Premise (HQ or Sites which has service connection or Remote Network) public IP subnets are not able to connect to Prisma Access Mobile Users - GlobalProtect
Environment
- Prisma Access
- Prisma Access Panorma Managed
- Prisma Access Cloud Managed
- Prisma Access Service Connection
- Prisma Access Remote Networks
- Prisma Access Mobile Users - GlobalProtect
Cause
The Prisma Access Portal and Gateway FQDNs are routed towards the internet by Natting to the public IP address (Subnet) of the HQ or Remote Sites. These Public IP addresses (Subnets) are also advertised to Prisma Access Service Connection or Remote Network tunnel as well. As a result, the GlobalProtect connection traffic was coming to the Untrust zone (Ethernet 1/1 interface) but the portal firewall node had a return route to the Public IP from the trust zone (tunnel interface to the service connection). This will create asymmetric routing and the packet will be dropped.
For example, the company has 224.100.10.0/24 and 224.100.20.0/24 as public subnets used in the HQ site. HQ site has a tunnel established to Prisma access service connection from IP 224.100.20.20. From that tunnel, the subnet 224.100.10.0/24 is also advertised. The service connection will advertise the subnet to all the MU and RN nodes through iBGP. Also, 224.100.10.0/24 is also used as a NAT translation addresses for Internet-bound traffic. In this scenario, the globalprotect connection request goes from the Internet with the translated address of 224.100.10.0/24. However, the Mobile Users Portal firewall node already has a route for this subnet from the service connection.
Resolution
- Stop advertising the public IP address or subnet (which is used for NAT to translate Internet-bound traffic) from the Prisma Access Service Connection or Remote Network tunnel.