Global Protect on Mac's

cmaulding · ‎05-11-2021

So we have the agent deployed out to our widows and Macs in our environment. We have followed the Best practice guides for bypassing the VPN traffic with Netskope but we are still having issues connecting to the VPN on the Mac's. Anyone else run into this issue?

mkoyfman · ‎05-11-2021

@cmaulding the bug in Big Sur GP client is not address until 5.2.5. I have verified that on 5.2.5-66 things are running just fine.

View solution in original post

bob · ‎05-11-2021

@cmaulding To confirm, when you have the Netskope Client enabled, your VPN will not connect to its intended destination? Can you share what type of VPN and also, are you using the Client for Netskope Private Access or CASB/SWG or both?

cmaulding · ‎05-11-2021

Hey Bob that is correct. We are using the PaloAlto Global protect, and we are using it for SWG/CASB and NPA. Currently. We have the agent on Windows Machine with the global Protect VPN and those were just fine. It is only the Mac's that do not work.

bob · ‎05-11-2021

Hi @cmaulding are you running on Catalina? If so there is a PAN bug with Catalina and GlobalProtect, where split-tunneled domains/IPs are not functioning when running GlobalProtect 5.1 or 5.2.

You can read more on PAN's website: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBqECAW&lang=en_US%E2%80%A...

cmaulding · ‎05-11-2021

Hey @bob

We are actually running on macOS 11.3.1 BigSur and having the same issue.

mkoyfman · ‎05-11-2021

@cmaulding feel free to send me a private message here and we can take a look at this together. Can you also please confirm the version of GP client you're running?

cmaulding · ‎05-11-2021

@mkoyfman we are running GP 5.2.3-22 and I sent you an email per the private message. I appreciate your help.

mkoyfman · ‎05-11-2021

@cmaulding the bug in Big Sur GP client is not address until 5.2.5. I have verified that on 5.2.5-66 things are running just fine.

cmaulding · ‎05-11-2021

@mkoyfman I have upgraded to the latest client version 5.2.6-87. Now I am able to get the VPN to connect but as soon as it does the Netskope agent goes Red. Disconnect the VPN and it comes back online. Would this have to do with the bypass configuration that I mentioned before?

ddrake · ‎05-19-2021

I have this same exact issue on Windows machines. The guidance for adding split tunneling via IP addresses have been done as well.

On Windows, we are experiencing the same exact issue where when we connect to VPN, the Netskope agent goes red and then a disconnect/reconnect fixes the issue for a period of time. It's very intermittent. I have a ticket opened with Netskope Support but no clear fix.
GP Version: 5.2.6

mkoyfman · ‎05-19-2021

@ddrake DM me the case number and I will take a look into what's going on there.

jeremywc · ‎05-19-2021

We had this exact same issue. I had to add the addresses of our GlobalProtect gateways into a Network Location group. I then added that group as an exception in our Steering Configuration. After that, everything was stable.

mkoyfman · ‎05-19-2021

thanks for sharing, @jeremywc . @ddrake did you also read and follow this article? https://support.netskope.com/hc/en-us/articles/360023155053-Best-Practice-for-coexistence-of-Netskop...

This is what @jeremywc is talking about

mkoyfman · ‎05-12-2021

Also confirmed that 5.2.6.-87 works fine.

ddrake · ‎06-11-2021

Sorry @mkoyfman - I apparently don't get notifications on comments I make. I'll DM you the ticket number.

CommunityChris · ‎08-10-2021

Hey there @ddrake! Normally you would receive notifications on comments if you were the original conversation author, but in this case, if you are interested in a conversation you can subscribe to the RSS Feed to receive email updates on further comments.

Check out our resource on Subscribing to Community Boards & Labels, if you ever have any questions or need help please reach out to me directly!

Happy posting! 🖖

Chris Shernaman
Online Community Manager