topic PAN2050 data stops when global protect client downloaded in General Topics

PAN2050 data stops when global protect client downloaded

LCMember2900 — Fri, 16 Jan 2015 15:31:21 GMT

Has anyone seen this issue? We have had this issue for months with no relief and am at my wits end. Forgive me if my frustration comes through......

what happens is this:

A remote user will login to VPN web page and click the link to download the GP client then..... *poof*! All traffic in every direction stops. ALL the PAN layer 3 interfaces stop pinging. everything except management plane. It stays like this for about 5 minutes then *poof*! everything is back. NO errors, NOTHING. The users download has failed but i cant deal with that because my phone is ringing like crazy.

I know what your thinking, its you, not PAN. Well, keep in mind we run these checks against the PAN appliance from every direction(dmz,internal,etc). And from each direction we show PAN’s layer 3 interfaces all going dark(no pings) at the same. Crazy right? Im saying this is not just “TRUST” side but also from the “DMZ” side AND External side. all angles, different networks, switches, everything. its as if PAN appliance disappears from network. EXCEPT management plane. which shows no errors. zero traffic, but no errors. HA! Oh btw, the directly connected switches are not related and have redundant power.

we even received a new RMA PA-2050 appliance and updated all PANOS software to the latest versions., we Imported our configuration snapshot and moved cables over to appliance around 4pm yesterday….by 9:15 pm the appliance demonstrated the exact same behavior. That is, All traffic in all direction stopped for about 5 minutes when someone initiated a download of the VPN client software.

before you ask(Forgive me if my frustration comes through......):

yes, The current version is installed. This problem has been with us for a LONG time so this issue has existed in every version of 6.x.x. at least.

yes, i have factory reset the appliance and reloaded config.

no, it does not happen every-time the client is downloaded, just sometimes.

no, the PAN is not being utilized at or near its stated throughput (in fact this will happen late at night too when nearly no load is on the appliance)

yes, i have a case open with pan support. for months in fact.

NO, I did not check my switch on the ________ zone/side for setting _______. Listen, i have different model switches (from different manf) on each zone. they are not connected, and I have redundant power supplies, if you think there is a chance my 3 separate unrelated switches all failed in same way at same time then.... well, just think about it.

Re: PAN2050 data stops when global protect client downloaded

kattaullah — Fri, 16 Jan 2015 16:53:21 GMT

Hello Paul

I have a few questions

What is the software version. Type the command > show system info and paste the output
When the GP download is initiated, did you do a packet capture with source and destination filter set? If yes, could you please paste a screen shot of the packet capture.

Below are the steps to do a packet capture

Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. open 2 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

5. Now download the client while it is failing to look at the counters and captures and sessions to determine what is causing the issue.

6. Once you have finished testing and capturing. Make sure to turn off the debugs.

I have seen Global protect client download freeze issues in the virtual firewalls and one Shot in the dark is to bypass tcp asymmetric path. For testing purpose please run the following command and try a test to download the global protect client from the portal.

admin# set deviceconfig setting tcp asymmetric-path bypass

Note: Please mark any helpful or Correct answers!

Regards

Khan

Re: PAN2050 data stops when global protect client downloaded

ukhapre — Sat, 24 Jan 2015 01:17:48 GMT

Are you using default page or custom page for GP?

What exact software version is being used?

Did you import config on same revision of RMA unit?

Does the problem exist in older rev too?

I know too many questions but it can give some hints.