Unable to access Globalprotect VPN

Started by Kets_One, February 27, 2025, 07:25:10 PM

February 27, 2025, 07:25:10 PM Last Edit: February 27, 2025, 07:45:01 PM by Kets_One
Hi everyone,

Hope someone can help me.
Been busy for a few days already trying to find the solution for a GlobalProtect connection issue I cannot seem to be able to fix.
Symptom is that a PC on the LAN interface usually has a hard time connecting to the corporate GlobalProtect VPN.
Only just after bootup of the OPNsense firewall does it succeed; subsequent tries get harder and harder (sometimes it only wants to connect to the company's Chinese GlobalProtect gateway).

Live view of firewall action yielded the following default deny by rule no. 10, which is part of the automatically generated firewall rules.
Rule 10 reads: @10 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"

Initially I thought that it might have something to do with the MTU setting, but now I lean more towards stateful connection tracking or a SYN issue.
None of the stateful settings or SYN cookie settings help.
Since it is an automatically generated rule I cannot remove it or change its parameters.
I'll try to get more information.

Thanks,

Do you have configured any rules other than the one from out of the box?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

February 27, 2025, 10:06:19 PM #2 Last Edit: February 27, 2025, 10:08:02 PM by Kets_One
Thanks for looking into this!
Yes, I operate a few NTP timeservers, so these have NAT port-forwarding as well as WAN rules.

Floating rules: none
LAN rules: none (only default allow LAN->any rule)
WAN rules: Two rules to allow incoming NTP (UDP) traffic to the timeservers, GeoIP filtered and routed to them from WAN to LAN.
Proto: IPv6 UDP | Source: ! GeoIP | Source port: * | Destination: Timeserver | Destination port: 123 (NTP) | Gateway: * | Schedule: * | Description: NTP Traffic Timeserver

In the properties of these rules all is default except "State Type", which I have set to "none" to avoid OPNsense tracking connection states for the stateless protocol UDP.

Are there special settings I need to make to help OPNsense handle large-volume UDP (NTP) traffic better?


The FW could answer all the NTP requests, no need to send anything in the LAN.

Going back to the original topic, with the default allow LAN to Any there isn't much that would not work, so you'll have to do a better job explaining what your VPN is trying to do when attempting to connect.

The Firewall - Log Files - Live View may be helpful to observe the VPN traffic attempts.

Thanks @newsense
Indeed we need more data. Since I've been struggling to get the firewall live view to provide me the logs I need for troubleshooting, I reverted to trying MTU settings instead.

Initially I was sceptical of the suggestions in this message: link. I decided to try them out and so far the connection problem has gone away.

Was it an MTU problem after all?

Could be. Fragmentation of VPN-based packets always causes problems. If you have a wrongly set MTU or MSS it can cause you problems. Overall, when you do VPNs you don't want such encrypted packets to be fragmented.

Regards,
S.
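The MTU question raised in the last two posts is usually settled by measuring the path MTU from the LAN client rather than guessing: send pings with the Don't Fragment bit set, binary-search the largest payload that still gets through, and derive the MTU and the TCP MSS from it. The script below is an added example written for this thread; it is not from the original posts, from OPNsense or from Palo Alto. It assumes Linux ping syntax (`-M do` sets DF); the equivalent switches on FreeBSD are `ping -D -s SIZE` and on Windows `ping -f -l SIZE`. The probe function is passed by name so the search logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the thread): discover the path MTU towards a host
# by binary-searching the largest ICMP payload that passes with DF set.
# Assumption: Linux ping syntax. FreeBSD: "ping -D -s SIZE HOST";
# Windows: "ping -f -l SIZE HOST".

# probe SIZE HOST -> exit 0 if one unfragmented ping of SIZE payload bytes succeeds
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LOW HIGH [PROBE_FN]
# Prints the largest payload in [LOW, HIGH] for which PROBE_FN SIZE HOST succeeds,
# or 0 if none does. PROBE_FN defaults to "probe"; a test can substitute a fake.
find_max_payload() {
    host=$1; lo=$2; hi=$3; fn=${4:-probe}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$mid" "$host"; then
            best=$mid          # this size passed: look higher
            lo=$((mid + 1))
        else
            hi=$((mid - 1))    # this size was dropped: look lower
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -> PAYLOAD + 8 (ICMP header) + 20 (IPv4 header)
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# mtu_to_tcp_mss MTU -> MTU - 40 (IPv4 header + TCP header without options);
# this is the MSS clamp value to use on the tunnel interface for that MTU.
mtu_to_tcp_mss() {
    echo $(( $1 - 40 ))
}

# Usage: ./pmtu.sh GATEWAY_HOST    (only runs when a host argument is given)
if [ "$#" -ge 1 ]; then
    payload=$(find_max_payload "$1" 0 1500)
    mtu=$(payload_to_mtu "$payload")
    echo "largest DF payload: $payload bytes -> path MTU $mtu, TCP MSS $(mtu_to_tcp_mss "$mtu")"
fi
```

Run it against the VPN gateway's address from the affected LAN PC; if the reported path MTU is below 1500 while the client's interface MTU is 1500, that gap is the fragmentation the reply above describes, and the MSS value it prints is the one to clamp to. On a clean Ethernet path the search ends at a 1472-byte payload, i.e. MTU 1500 and MSS 1460.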