https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208497#M61037 <P>Hi,</P><P>&nbsp;</P><P>I am using a pa-3050 running 7.1.10 and it is pretty consistant that the tests come back with I would say between 10-12 mbps down if on a SSL tunnel. I've done tests on 10, 50, and 100 bandwidth pipes and its always around that range.</P> Mon, 02 Apr 2018 23:32:40 GMT Justin.Abendroth 2018-04-02T23:32:40Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208484#M61034 <P>Hello,</P><P>&nbsp;</P><P>If global protect fails to establish a IPSec tunnel and uses SSL instead, does it attempt to switch tunnel types if it sees it can do a IPSec tunnel or will it keep it's current tunnel type until the GP client get's refreshed and sees what connection it can establish?&nbsp;</P><P>&nbsp;</P><P>The reason I ask is because Global Protect is extremly slow when it uses SSL as it's tunnel. I can do a speed test on a 100 mbps line using IPSec and get near perfect speeds, but if the tunnel is SSL, my tests hang around 10 mbps down.</P> Mon, 02 Apr 2018 21:43:49 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208484#M61034 Justin.Abendroth 2018-04-02T21:43:49Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208496#M61036 <P>What hardware are you using (GP gateway)? Is it 10mbps constantly or more an up and down with peaks at 10mbps?</P> Mon, 02 Apr 2018 23:05:53 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208496#M61036 Remo 2018-04-02T23:05:53Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208497#M61037 <P>Hi,</P><P>&nbsp;</P><P>I am using a pa-3050 running 7.1.10 and it is pretty consistant that the tests come back with I would say between 10-12 mbps down if on a SSL tunnel. I've done tests on 10, 50, and 100 bandwidth pipes and its always around that range.</P> Mon, 02 Apr 2018 23:32:40 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208497#M61037 Justin.Abendroth 2018-04-02T23:32:40Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208498#M61038 <P>But regarding your question: no, there is no automatic fallback to IPSec. After a network change or a manual network rediscovery where the connection needs to be reestablished, GP will try again first wirh IPsec. And may be even there GP stays with TLS, if you have configured a reconnect time where GP client is allowed to reconnect to an existing session.</P> Mon, 02 Apr 2018 23:34:28 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208498#M61038 Remo 2018-04-02T23:34:28Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208499#M61039 <P>It's not very likely, because you tested with different internet access, but it still might be related to MTU mismatch issues. TLS connection don't like fragmentation.&nbsp;</P><P>But there are quite a few other things that are part of the game here:</P><UL><LI>PAN-OS 7.1.10: maybe a bug with the decryption performance?</LI><LI>GP Agent version: versions 4.0.3/4/5 has a bug where fragmented udp packets were dropped - may be related if you use chrome for download tests that was connection to the servers with TLS over UDP</LI><LI>MTU/MSS mismatch issues</LI><LI>Do you use the same firewall also for other things? Like TLS forward proxy or TLS inbound inspection, so the firewall was already busy with other things when you did your test</LI></UL> Mon, 02 Apr 2018 23:45:10 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ipsec-ssl/m-p/208499#M61039 Remo 2018-04-02T23:45:10Z