AnyConnect behind a Palo Alto PA-445 Firewall is not working. (Connection timed out)

Frank_Liebelt
Comes here often

AnyConnect behind a Palo Alto PA-445 Firewall is not working. (Connection timed out)

Hello everyone

 

I'm trying desperately to get clients via AnyConnect to an MX250 behind a PaloAlto.

 

Scenario:
Meraki cluster, virtual IP of WAN1 is IP 10.100.110.99/29.
The appliances themselves have 10.100.110.97/29 and 10.100.110.98/29 respectively.
VLAN 3521
Inbound Firewall Layer 3: ANY to ANY

On the MX, NO-NAT is enabled on WAN1.
Why? There are multiple VLANs on the MX. In order to create firewall rules for the individual LANs on the PaloAlto, these must arrive with an IP from the LAN and not with the NAT IP 10.100.110.99 of the MX.

 

The PaloAlto interface has the IP 10.100.110.100/29. VLAN is set.

 

Process:
Clients in local networks can access the Internet via WAN1->Palo Alto without any problems.
So outgoing connections work.

 

Now it's about incoming connections.
On the PaloAlto there is a PolicyBased Forwarding to get from the Meraki Cloud to the MX. That works too.

 

Now comes the AnyConnect problem.
On the PaloAlto there is a DNAT that sends incoming connections on port 444 (used for AnyConnect) over IP 10.100.110.100 to the MX 10.100.110.99.

 

These packages also arrive there. A package capture clearly shows me incoming connections from port 444 source 10.100.110.100, destination 10.100.110.99.
However, apparently no packages are going back to the PaloAlto from the MX.
There are no ACK packets, there is simply nothing, as if the MX discards the packets internally, but I can't change anything about it.

A capture on the Palo also shows no incoming data, no drops. It's just very, very quiet on the line.

 

 

Has anyone here already had experience with and/or has an idea of how I can get the scenario to run.

greeting

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal

Meraki VPN Client does not work behind NAT.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Frank_Liebelt
Comes here often

HI

Thanks.


But this confuses me now. We had the setup with a Sophos UTM still working until a week ago.
The problem has only existed since we replaced the Sophos with the Palo Alto.
Ok, you would now say that the problem is the PA, because it worked before. The colleagues from PA see the problem with the MX as it does not give an answer.

 

And in between, as always, me.

alemabrahao
Kind of a big deal
Kind of a big deal

Well, This was supposed to not work, but:

 

  •  Verify UDP traffic on ports 500 and 4500 is not reaching the MX security appliance. Check the firewall rules or access control lists on all firewalls between the client and MX security appliance. 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
CptnCrnch
Kind of a big deal
Kind of a big deal

This is about AnyConnect, not the old L2TP over IPSec-Client, so there shouldn't be any issues.

 

Which protocol are you using? IKEv2 or SSL-VPN?

alemabrahao
Kind of a big deal
Kind of a big deal

My mistake, anyway you already tried to perform a packet capture, just to confirm that the client is reaching the MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Frank_Liebelt
Comes here often

Hi,

 

i had already written in the opening of this thread that you can see in the capture that the packets arrive on the MX, but nothing goes back from there.

The way (successful):
PUBLIC IP -> NAT IP WAN IF -> WAN1 IP MX
12.34.56.78 -> 10.100.110.100 -> 10.100.110.99

 

Capture from the MX:
573 6.365300 10.100.110.100 10.100.110.99 TCP 70 [TCP Retransmission] 22785 → 444 [SYN] Seq=0 Win=64240 Len=0 MSS=1452 WS=256 SACK_PERM

CptnCrnch
Kind of a big deal
Kind of a big deal

So DNAT is done on the Palo side for incoming traffic on TCP/444? By default, MX is listening for AnyConnect connections on TCP/443. Can you check which port is used on the MX (Server settings -> AnyConnect Port)?

Frank_Liebelt
Comes here often

The setting was of course already adjusted in advance.

 

What about the statement that AnyConnect does not work with NAT?
Is it somehow possible now?

Just confused as I have already passed this statement and AnyConnect over PaloAlto (DNAT) is considered failed.

Frank_Liebelt
Comes here often

Hi

Where can I decide which protocol I use?
AnyConnect definitely wants to connect via SSL port 444.
443 is already taken for something else, hence 444.

CptnCrnch
Kind of a big deal
Kind of a big deal

Sorry, could have thought about this, so SSL-VPN is perfectly OK in this case.

Get notified when there are additional replies to this discussion.