https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/598875#M119113 <P>Hello,</P> <P>We have an issue with a Global Protect connection failing for some users in couple of seconds after we migrated from PA 3000 to 1410 series FW. &nbsp;PA 3000 &nbsp;was 10.2.9 and the new FW came with PANOS 11.1.2-h3 version.</P> <P>For the users with the problem, the connection is established correctly, they get the tunnel IP and can access resources, &nbsp;but after 20 or 30 seconds, they get disconnected.</P> <P>In the traffic logs, we see action is <STRONG>allow</STRONG>, but type <STRONG>“deny”</STRONG> and the session end reason <STRONG>“Policy-denied”,</STRONG> we also see the application <STRONG>“Web-browsing”</STRONG> using port 443, these applications are allowed in the policy for all users, once the application is denied the connection is terminated for the users, attached the image from the FW log.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RafaelGarcia_0-1727368158358.png" style="width: 1248px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62421i0C8B0BB6C5A478E2/image-dimensions/1248x234/is-moderation-mode/true?v=v2" width="1248" height="234" role="button" title="RafaelGarcia_0-1727368158358.png" alt="RafaelGarcia_0-1727368158358.png" /></span></P> <P>&nbsp;</P> <P>The strange part is that it is just for users from certain countries (Belize and India); all users in the USA can connect without any issue, no Geo-blocking policies in place, IPv6 has been already disabled but issue persist.</P> <P>We have tried upgrading to the latest PANOS preferred version 11.1.4-h1 and Global Protect 6.3.1 suspecting we might be hitting this bug but issue persist:</P> <P>PAN-242561: 'GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.'</P> <P>&nbsp;</P> <P>In the GPevent logs from the client shows :</P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">09/23/2024 12:34:42:883 [Info ]: Tunnel is down due to socket closed.<BR />09/23/2024 12:34:42:883 [Info ]: Tunnel downtime is 19078 miliseconds</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN data-teams="true">In PANGPS we see similar:</SPAN></P> <P>&nbsp;</P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Set state to Restoring VPN Connection</SPAN></SPAN></P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">(P21564-T24392)Info ( 147): 09/23/24 12:28:53:526 VPN: socket was closed<BR />(P21564-T24392)Debug(1508): 09/23/24 12:28:53:526 --RecvFromSocket, socket closed<BR />(P21564-T24392)Info (2193): 09/23/24 12:28:53:526 ProcPackets, RecvFromSocket() failed<BR />(P21564-T24392)Info (2195): 09/23/24 12:28:53:526 VPN socket was closed</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Any suggestions or advice would be highly appreciated.</SPAN></SPAN></P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> Thu, 26 Sep 2024 16:49:32 GMT RafaelGarcia 2024-09-26T16:49:32Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/598875#M119113 <P>Hello,</P> <P>We have an issue with a Global Protect connection failing for some users in couple of seconds after we migrated from PA 3000 to 1410 series FW. &nbsp;PA 3000 &nbsp;was 10.2.9 and the new FW came with PANOS 11.1.2-h3 version.</P> <P>For the users with the problem, the connection is established correctly, they get the tunnel IP and can access resources, &nbsp;but after 20 or 30 seconds, they get disconnected.</P> <P>In the traffic logs, we see action is <STRONG>allow</STRONG>, but type <STRONG>“deny”</STRONG> and the session end reason <STRONG>“Policy-denied”,</STRONG> we also see the application <STRONG>“Web-browsing”</STRONG> using port 443, these applications are allowed in the policy for all users, once the application is denied the connection is terminated for the users, attached the image from the FW log.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RafaelGarcia_0-1727368158358.png" style="width: 1248px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62421i0C8B0BB6C5A478E2/image-dimensions/1248x234/is-moderation-mode/true?v=v2" width="1248" height="234" role="button" title="RafaelGarcia_0-1727368158358.png" alt="RafaelGarcia_0-1727368158358.png" /></span></P> <P>&nbsp;</P> <P>The strange part is that it is just for users from certain countries (Belize and India); all users in the USA can connect without any issue, no Geo-blocking policies in place, IPv6 has been already disabled but issue persist.</P> <P>We have tried upgrading to the latest PANOS preferred version 11.1.4-h1 and Global Protect 6.3.1 suspecting we might be hitting this bug but issue persist:</P> <P>PAN-242561: 'GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.'</P> <P>&nbsp;</P> <P>In the GPevent logs from the client shows :</P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">09/23/2024 12:34:42:883 [Info ]: Tunnel is down due to socket closed.<BR />09/23/2024 12:34:42:883 [Info ]: Tunnel downtime is 19078 miliseconds</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN data-teams="true">In PANGPS we see similar:</SPAN></P> <P>&nbsp;</P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Set state to Restoring VPN Connection</SPAN></SPAN></P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">(P21564-T24392)Info ( 147): 09/23/24 12:28:53:526 VPN: socket was closed<BR />(P21564-T24392)Debug(1508): 09/23/24 12:28:53:526 --RecvFromSocket, socket closed<BR />(P21564-T24392)Info (2193): 09/23/24 12:28:53:526 ProcPackets, RecvFromSocket() failed<BR />(P21564-T24392)Info (2195): 09/23/24 12:28:53:526 VPN socket was closed</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Any suggestions or advice would be highly appreciated.</SPAN></SPAN></P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> Thu, 26 Sep 2024 16:49:32 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/598875#M119113 RafaelGarcia 2024-09-26T16:49:32Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/598893#M119116 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/328215">@RafaelGarcia</a>&nbsp;</P> <P>Just wanted to check if you've had a chance to look into any potential problems with User-ID. We had a customer who ran into an issue where User-ID was accidentally deleting users from their IP addresses. This caused them to lose their GlobalProtect connection and get assigned to a different security policy.</P> <P>Have you had a chance to see if anything similar is happening in your environment?</P> <P>Regards</P> Thu, 26 Sep 2024 18:30:31 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/598893#M119116 jpomachagua 2024-09-26T18:30:31Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/599329#M119190 <P>When you say IPv6 was disabled was it disabled on the virtual GP adapter on the machine? I had a customer this was happening to and that work around worked.&nbsp;<BR />My guess is that you are not seeing it on users in the US is because they are able to connect using ipsec and not ssl.&nbsp;</P> Wed, 02 Oct 2024 16:27:56 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/599329#M119190 JFonner 2024-10-02T16:27:56Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/599336#M119194 <P>IPv6 is disabled on the GP adapter. All users are using SSL. We have tested with IPSec, but we had the same result</P> Wed, 02 Oct 2024 17:28:42 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-connections-fails-after-20-30-seconds/m-p/599336#M119194 RafaelGarcia 2024-10-02T17:28:42Z