<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Situation with PA-5250s and Global Protect connections in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/situation-with-pa-5250s-and-global-protect-connections/m-p/1235717#M6966</link>
    <description>&lt;P&gt;Specific situation we're dealing with, looking to see if anybody else has and has any input.&amp;nbsp;&lt;BR /&gt;Over the past few years we have worked a Global Protect build and deployment in our org. We opted to use PA-5250s solely on the basis that the documentation claims that model supports 30k GlobalProtect connections (IPsec AND SSL specifically).&lt;BR /&gt;&lt;BR /&gt;In our configuration we prefer IPsec, but have SSL Fallback enabled to the smallest possible configurable interval (1 hour). In production today we have about 10,000 users on one GP GW. About 9,200 are IPsec and about 200 are on SSL. We have a use-case for users who may be connecting from customer networks or home networks where IPsec is disabled.&lt;BR /&gt;&lt;BR /&gt;Well, turns out the documentation regarding the specs is inaccurate, specifically due to some sort of inefficiency in the PA-5250 architecture in which SSL sessions use CONSIDERABLY more resources than expected. We've had situations where single SSL sessions can use upwards of 20% of the entire packet buffers. We're seeing packet buffers and related protections constantly triggering, and DPU is solidly at about 75% during normal production, sometimes spiking in the 90s. Confirmed this issue with Palo TAC.&lt;BR /&gt;&lt;BR /&gt;Palo's only real recommendation so far has been to&lt;BR /&gt;1. upgrade the hardware to a newer and beefier x86 architecture&lt;BR /&gt;2. separate IPsec and SSL Gateways into separate hardware to spread the load out better&lt;BR /&gt;&lt;BR /&gt;Curious if anyone has dealt with this situation before?&lt;/P&gt;</description>
    <pubDate>Fri, 08 Aug 2025 12:56:36 GMT</pubDate>
    <dc:creator>NeonNetSec</dc:creator>
    <dc:date>2025-08-08T12:56:36Z</dc:date>
    <item>
      <title>Situation with PA-5250s and Global Protect connections</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/situation-with-pa-5250s-and-global-protect-connections/m-p/1235717#M6966</link>
      <description>&lt;P&gt;Specific situation we're dealing with, looking to see if anybody else has and has any input.&amp;nbsp;&lt;BR /&gt;Over the past few years we have worked a Global Protect build and deployment in our org. We opted to use PA-5250s solely on the basis that the documentation claims that model supports 30k GlobalProtect connections (IPsec AND SSL specifically).&lt;BR /&gt;&lt;BR /&gt;In our configuration we prefer IPsec, but have SSL Fallback enabled to the smallest possible configurable interval (1 hour). In production today we have about 10,000 users on one GP GW. About 9,200 are IPsec and about 200 are on SSL. We have a use-case for users who may be connecting from customer networks or home networks where IPsec is disabled.&lt;BR /&gt;&lt;BR /&gt;Well, turns out the documentation regarding the specs is inaccurate, specifically due to some sort of inefficiency in the PA-5250 architecture in which SSL sessions use CONSIDERABLY more resources than expected. We've had situations where single SSL sessions can use upwards of 20% of the entire packet buffers. We're seeing packet buffers and related protections constantly triggering, and DPU is solidly at about 75% during normal production, sometimes spiking in the 90s. Confirmed this issue with Palo TAC.&lt;BR /&gt;&lt;BR /&gt;Palo's only real recommendation so far has been to&lt;BR /&gt;1. upgrade the hardware to a newer and beefier x86 architecture&lt;BR /&gt;2. separate IPsec and SSL Gateways into separate hardware to spread the load out better&lt;BR /&gt;&lt;BR /&gt;Curious if anyone has dealt with this situation before?&lt;/P&gt;</description>
      <pubDate>Fri, 08 Aug 2025 12:56:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/situation-with-pa-5250s-and-global-protect-connections/m-p/1235717#M6966</guid>
      <dc:creator>NeonNetSec</dc:creator>
      <dc:date>2025-08-08T12:56:36Z</dc:date>
    </item>
  </channel>
</rss>

