If global protect fails to establish a IPSec tunnel and uses SSL instead, does it attempt to switch tunnel types if it sees it can do a IPSec tunnel or will it keep it's current tunnel type until the GP client get's refreshed and sees what connection it can establish?
The reason I ask is because Global Protect is extremly slow when it uses SSL as it's tunnel. I can do a speed test on a 100 mbps line using IPSec and get near perfect speeds, but if the tunnel is SSL, my tests hang around 10 mbps down.
I am using a pa-3050 running 7.1.10 and it is pretty consistant that the tests come back with I would say between 10-12 mbps down if on a SSL tunnel. I've done tests on 10, 50, and 100 bandwidth pipes and its always around that range.
But regarding your question: no, there is no automatic fallback to IPSec. After a network change or a manual network rediscovery where the connection needs to be reestablished, GP will try again first wirh IPsec. And may be even there GP stays with TLS, if you have configured a reconnect time where GP client is allowed to reconnect to an existing session.
It's not very likely, because you tested with different internet access, but it still might be related to MTU mismatch issues. TLS connection don't like fragmentation.
But there are quite a few other things that are part of the game here:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!