Thomas,

I can’t point you to a specific document they have, but I can share my
summary ticket with Palo Alto on the matter. Tier one had no idea. It
took Tier two to inform me of the differences in their platforms.
Ultimately, I created an ingress policy for ipsec-esp application-default.
Below is a copy and paste of the summary from PA:



Comment:
Hi Tim

Here is a brief summary of the session that we had

Issue

Calling over wifi failing; the traffic works only when there is an
explicit rule that allows the return traffic

Troubleshooting

We saw that the traffic was identified as ipsec-esp
We were on a 5220 platform
The 5200 series of firewalls has architecture that is similar to 7000
series
As discussed we were made aware of an issue with the ipsec traffic handling
on the 7000 series firewall, after internal investigation it was noted that
this was expected behavior on the platform as the offload processor needs
to do initial flow lookup, with IP addresses and SPI in the packet as the
key.
The offload processor cannot distinguish PANOS terminated ESP/AH sessions
vs. pass through. So PANOS has to create sessions with specific SPI values
unlike other platforms, and hence the requirement for a policy to allow the
return traffic

Let me know if you have any further questions or concerns on this



-----------------------------------------------------


   Tim
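A simplified model of the behaviour described in the Palo Alto summary above, added here as an example; it is not part of the original e-mail and not Palo Alto's code. It assumes a hypothetical `FlowTable` keyed on source IP, destination IP and SPI, with constructed addresses and SPI values, and relies on the fact that ESP uses a different SPI in each direction.

```python
import ipaddress
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def build_esp(src, dst, spi, seq=1):
    """Constructed sample: minimal IPv4 header (checksum left 0) + ESP SPI/sequence."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ESP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!II", spi, seq)

def esp_flow_key(packet):
    """Return (src, dst, spi) for an IPv4/ESP packet, or None if it is not ESP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO or len(packet) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    (spi,) = struct.unpack_from("!I", packet, ihl)  # SPI = first 4 bytes of ESP
    return (src, dst, spi)

class FlowTable:
    """Hypothetical session table keyed on IP addresses plus SPI (assumption)."""
    def __init__(self, allow_ingress_esp):
        self.sessions = set()
        self.allow_ingress_esp = allow_ingress_esp

    def handle(self, packet, from_inside):
        key = esp_flow_key(packet)
        if key is None:
            return "not-esp"
        if key in self.sessions:
            return "fast-path"            # existing session, no policy lookup
        if from_inside or self.allow_ingress_esp:
            self.sessions.add(key)        # new session needs a policy match
            return "new-session"
        return "drop"                     # return SPI matches no session, no rule

def simulate(allow_ingress_esp):
    """One outbound ESP packet, then two return packets carrying the peer's SPI."""
    phone, gateway = "198.51.100.10", "203.0.113.20"   # constructed addresses
    table = FlowTable(allow_ingress_esp)
    out = build_esp(phone, gateway, 0x1111AAAA)        # constructed SPIs
    back = build_esp(gateway, phone, 0x2222BBBB)
    return [table.handle(out, True), table.handle(back, False),
            table.handle(back, False)]
```

Because the return packet's SPI differs from the outbound one, the outbound session never matches it, so without an ingress rule for ESP the return direction is dropped.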





*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *McClintic, Thomas
*Sent:* Wednesday, October 25, 2017 10:11 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Question regarding the support of WiFi
Calling and texting



Tim,



Do you have anything with a link to this information from Palo Alto’s
perspective? I.e. which protocols and such.





*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Tim Tyler
*Sent:* Tuesday, October 24, 2017 11:08 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Question regarding the support of WiFi
Calling and texting



Vikki,

What are you using for a firewall? We had to open up a couple ingress
protocols after we upgraded our PA firewall. These protocols need to talk
to servers on the Internet. PA’s latest models will block the handshaking
unless ingress is open. We found this to be predominately true for Apple
phones, but seldom for Androids. It also depends on the service. We
have no complaints now.



Tim



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Vikki Cutrone
*Sent:* Tuesday, October 24, 2017 10:40 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Question regarding the support of WiFi
Calling and texting



We are running Eduroam as our SSID. My Android phone can use eduroam to
make WiFi calls or texts; some users on campus, primarily Apple devices,
cannot. I was wondering if campuses are maintaining a best effort
posture/policy regarding BYODs?



Thanks



On Tue, Oct 24, 2017 at 11:33 AM, Yahya M. Jaber <yahya.ja...@kaust.edu.sa>
wrote:

Can you give us an example of the issues reported, so I can understand
your issue more?





Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android



On Oct 24, 2017 17:25, Vikki Cutrone <vicutr...@vassar.edu> wrote:

I am the Network Administrator at Vassar College and I was wondering what
position institutions were taking regarding support and troubleshooting of
clients trying to use the wireless for wifi calling and wifi texting? I am
getting a large amount of requests for this service but with the multitude
of cell phones, operating systems and cell providers it is impossible to
keep up. Any input about your institution's policy or thoughts on a
potential policy would be greatly appreciated.



Thank you in advance!



-- 

Vikki Cutrone

Network Administrator

Vassar College, Box 13

124 Raymond Ave

Poughkeepsie, NY 12604-0013



845-437-7231

********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/discuss.





------------------------------

This message and its contents including attachments are intended solely for
the original recipient. If you are not the intended recipient or have
received this message in error, please notify me immediately and delete
this message from your computer system. Any unauthorized use or
distribution is prohibited. Please consider the environment before printing
this email.







-- 

Vikki Cutrone

Network Administrator

Vassar College, Box 13

124 Raymond Ave

Poughkeepsie, NY 12604-0013



845-437-7231
