https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592349#M5578 <P>Dear all,</P> <P>&nbsp;</P> <P>I have a very strange issue after I upgraded to 11.1.4</P> <P>The mobile GlobalProtect client stopped working.</P> <P>&nbsp;</P> <P>The network connection is unreachable or the portal is unresponsive.</P> <P>&nbsp;</P> <P>I ran some packet captures and noticed that the firewall sees the SYN packets, but it never replies.</P> <P>Nothing in the transmit stage pcap</P> <P>&nbsp;</P> <P>Although I can see the connection attempts in the traffic logs.</P> <P>They are aged out</P> <P>&nbsp;</P> <P><SPAN>out of curiosity I changed the settings for the sessions by entering:</SPAN><BR /><BR /><SPAN>set session tcp-reject-non-syn no</SPAN><BR /><BR /><BR /><SPAN>With this settings I can see also the SYN/ACK packets from the firewall back to the mobile device.</SPAN><BR /><BR /><SPAN>But it looks like these two streams are not recognized as being part of the same session?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any idea how to further debug this issue?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> <P><SPAN>&nbsp; &nbsp;Andreas</SPAN></P> Wed, 17 Jul 2024 22:27:05 GMT idelconsulting 2024-07-17T22:27:05Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592349#M5578 <P>Dear all,</P> <P>&nbsp;</P> <P>I have a very strange issue after I upgraded to 11.1.4</P> <P>The mobile GlobalProtect client stopped working.</P> <P>&nbsp;</P> <P>The network connection is unreachable or the portal is unresponsive.</P> <P>&nbsp;</P> <P>I ran some packet captures and noticed that the firewall sees the SYN packets, but it never replies.</P> <P>Nothing in the transmit stage pcap</P> <P>&nbsp;</P> <P>Although I can see the connection attempts in the traffic logs.</P> <P>They are aged out</P> <P>&nbsp;</P> <P><SPAN>out of curiosity I changed the settings for the sessions by entering:</SPAN><BR /><BR /><SPAN>set session tcp-reject-non-syn no</SPAN><BR /><BR /><BR /><SPAN>With this settings I can see also the SYN/ACK packets from the firewall back to the mobile device.</SPAN><BR /><BR /><SPAN>But it looks like these two streams are not recognized as being part of the same session?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any idea how to further debug this issue?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> <P><SPAN>&nbsp; &nbsp;Andreas</SPAN></P> Wed, 17 Jul 2024 22:27:05 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592349#M5578 idelconsulting 2024-07-17T22:27:05Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592526#M5580 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18002">@idelconsulting</a> ,</P> <P>&nbsp;</P> <P>I'd start by grabbing and checking the GP debug logs.</P> <P>These generally give a pretty good indication why the portal isn't responding.</P> <P>&nbsp;</P> <P>Are you able to just browse to the portal ?</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Fri, 19 Jul 2024 06:19:11 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592526#M5580 kiwi 2024-07-19T06:19:11Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592592#M5584 <P>Long story short:</P> <P>It works again</P> <P>&nbsp;</P> <P>TL;DR</P> <P>the fact that I saw SYN packets received by the server without a reply and SYN/ACK sent by the server without being seen by the client made me thing about some strange case of asymmetric routing.</P> <P>&nbsp;</P> <P>I have two ISPs, one primary and a secondary.</P> <P>Primary ISP has a metric of 10, secondary 200 for the default route out via the respective interfaces.</P> <P>&nbsp;</P> <P>When I checked services like whatsmyip I saw the IP of the primary ISP, which is also the one GlobalProtect is listening on.</P> <P>But, when checking the virtual router runtime stats and looking at the forwarding table, it showed the route via the secondary ISP as being active.</P> <P>&nbsp;</P> <P>No idea how in such a case I saw the IP from the primary ISP on whatsmyip</P> <P>&nbsp;</P> <P>Anyway, after deleting and re-adding the secondary ISP interface everything started working again.</P> <P>I now see in the runtime forwarding table that the primary ISP is used.</P> <P>&nbsp;</P> <P>How did this happen after the upgrade and why the internal routing was screwed up?</P> <P>I have no idea.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp; &nbsp;Andreas</P> Sat, 20 Jul 2024 15:40:36 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-failing-after-upgrading-panos-to-11-1-4/m-p/592592#M5584 idelconsulting 2024-07-20T15:40:36Z