GlobalProtect VPN shows Connecting and still working forever

Q: We have a PA-850 firewall in the office and our VPN users use GlobalProtect to establish the VPN connection. However, once in a while, the VPN users may have this problem: GlobalProtect VPN shows Connecting and still working forever. What could be the problem?

chicagotech.net: 1. The VPN may have a session still connecting to the firewall. On the client side, restarting the computer may fix the problem. On the server side, reconfigure the idle time and disconnect time so that the server logs off the remote session after a short time.

2. Disable any security software for a test.

3. Re-install the GlobalProtect software.

Problem of VPN client using the same IP range as the office network

Q: We are using the Palo Alto firewall VPN software GlobalProtect. One of our VPN users has a problem accessing most LAN resources after establishing the VPN. The problem is that his home network uses the same IP range (10.0.0.0/24) and the default gateway is 10.0.0.1.

He doesn’t want to change his home network IP range and gives us this reason: “Comcast recommended that changing it wouldn’t be a good idea”.

My temporary resolution is assigning his computer a static IP address at home: 10.0.0.3/252. It works, but with some problems; for example, some mappings may not work. I think the problem is that both networks use the same default gateway. He asks why he didn’t have this problem before, when we used Cisco ASA. Do you have any suggestions?

A:

If he’s using a class C subnet, we can make the Palo VPN DHCP pool use a class B; that would put them on different networks.

If we made that change, everyone that is connected on VPN will need to disconnect and reconnect to get the new subnet IP pool.

We can also make the VPN pool something like 192.168.76.X so, hopefully, no one else would have that IP address running locally at home.

Palo Alto VPN client GlobalProtect error: Authentication failed. Enter login credentials.

Q: One of our VPN users gets this error: "Authentication failed. Enter login credentials" when he uses the Palo Alto VPN client GlobalProtect. What could be the problem?

chicagotech.net: Assuming the password is correct, we assume this is a username issue. The username is case-sensitive.

If the user account has been locked, go to the Palo firewall to unlock it. Please refer to this page:

How to unlock user in Palo Alto Firewall – How to Network Blog

Can’t access network resource over VPN

Situation: The client configures a new laptop with GlobalProtect VPN for a home user. When he establishes the VPN, he has a problem accessing most LAN resources.

Troubleshooting: He is using the same IP range (10.0.0.0/24) as the office (10.0.0.0/16), and at both sites the default gateway is 10.0.0.1.

Two options: 1. Change his home network to another IP address range, for example, 192.168.1.0/24.

2. Since he doesn’t want to do so, we assign his computer a static IP address at home: 10.0.0.3/252 (255.255.255.252, /30, 4 IPs).
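Why the overlap in this post and in the earlier "same IP range" question breaks LAN access, shown as an added example that is not part of the original posts: a small longest-prefix-match model of the client's routing table. It assumes the tunnel installs a route for the office prefix and the OS picks the most specific route; the interface labels and the hosts 10.0.0.20 and 10.0.5.20 are constructed.

```python
import ipaddress

OFFICE = ipaddress.ip_network("10.0.0.0/16")        # office LAN, from the page
VPN_POOL = ipaddress.ip_network("192.168.76.0/24")  # pool proposed on the page

def client_routes(home_addr):
    """Assumed, simplified client routing table once the tunnel is up."""
    home = ipaddress.ip_interface(home_addr).network
    return [
        (home, "home-lan"),                               # connected (on-link) route
        (OFFICE, "vpn-tunnel"),                           # office route via the tunnel
        (ipaddress.ip_network("0.0.0.0/0"), "home-lan"),  # home default gateway
    ]

def egress(dest, routes):
    """Longest-prefix match: interface of the most specific route covering dest."""
    ip = ipaddress.ip_address(dest)
    candidates = [(net, iface) for net, iface in routes if ip in net]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def shadowed(home_addr):
    """Count of office addresses the home on-link route takes from the tunnel."""
    home = ipaddress.ip_interface(home_addr).network
    return home.num_addresses if home != OFFICE and home.subnet_of(OFFICE) else 0

def pool_conflicts(home_nets):
    """Home networks (constructed samples) that would collide with the VPN pool."""
    return [n for n in home_nets if ipaddress.ip_network(n).overlaps(VPN_POOL)]

if __name__ == "__main__":
    # Constructed addresses: 10.0.0.20 and 10.0.5.20 stand in for office servers.
    for home in ("10.0.0.50/24", "10.0.0.3/30", "192.168.1.10/24"):
        routes = client_routes(home)
        print(home, "shadows", shadowed(home), "office addresses;",
              {d: egress(d, routes) for d in ("10.0.0.1", "10.0.0.20", "10.0.5.20")})
    print("pool conflicts:",
          pool_conflicts(["10.0.0.0/24", "192.168.1.0/24", "192.168.76.0/24"]))
```

In this model the /30 mask shrinks the shadowed range from 256 office addresses to 4, but 10.0.0.1 still resolves to the home router rather than the office gateway.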

PA firewall and Azure Site to site VPN shows connecting forever

Situation: The client configured their Palo Alto firewall to connect to a Microsoft Azure site to site VPN. However, it shows “Connecting” forever.

Troubleshooting: It is a pre-shared key problem. We fixed it by running these commands:

PS C:\Users\blin> add-azureaccount

Id                        Type Subscriptions                        Tenants
--                        ---- -------------                        -------
chicagotech.net@gmail.com User 3d083292-8d49-4ef7-8c72-e54522b52126 {488899b5-4a4a-48b1-a1cf-8a1229d32267}

PS C:\Users\blin> Select-AzureSubscription -SubscriptionId 3d083292-8d49-4ef7-8c72-e54522b52126

PS C:\Users\blin> Get-AzureVNetConfig -ExportToFile "C:\Users\Public\Downloads\networkconfig.xml"

XMLConfiguration
----------------
…

PS C:\Users\blin> Set-AzureVNetGatewayKey -VNetName 'Group TestVPN Test' `
>> -LocalNetworkSiteName '498DEBEF_AzuretoOnprem' -SharedKey asjdfojweioreroihew

Error          :
HttpStatusCode : OK
Id             : b0f50fe7…..
Status         : Successful
RequestId      : ea98d58a3b75a8bf96….

Troubleshooting Palo Alto Firewall site to site VPN connecting to Azure

Situation: The company is migrating their Cisco ASA site to site VPN connecting to Azure to a PA-850. The consultant copied and configured the PA-850 IPSec configuration. However, the connection can’t be established. The log shows no return.

Troubleshooting: We called Microsoft Azure support and compared the Azure configuration against the PA. There are two problems.

1. By default, the PA IKE Crypto Profile is set like this:

DH Group: group2
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256

However, the PA document also says: A new crypto profile can be defined to match the IKE crypto settings of Azure VPN. These are the Azure VPN settings:

2. When configuring the IPSec Crypto Profile, the Lifesize is 102,400,000. However, we can’t enter this number on the PA. The value for PA is 1-65535. To fix this problem, both the Azure and PA VPN need to be configured with Dynamic Routing instead of Static Routing.

In conclusion: 1. You must read the configuration guide carefully. 2. Copying the configuration from the Cisco ASA may not work. 3. The PA configuration article could be obsolete.

SEP: the client could not be installed on the remote computer

Q: We just got a new ThinkPad laptop. When I use push installation to install Symantec Endpoint Protection, I get this message: the client could not be installed on the remote computer. Remote Registry has been enabled. What could be the problem?

Chicagotech.net: We found the problem is that McAfee LiveSafe is running; you may want to disable it or uninstall it first.