Global Protect IPSec/SSL

L1 Bithead

Global Protect IPSec/SSL

Hello,

If GlobalProtect fails to establish an IPSec tunnel and uses SSL instead, does it attempt to switch tunnel types if it sees it can do an IPSec tunnel, or will it keep its current tunnel type until the GP client gets refreshed and sees what connection it can establish?


The reason I ask is because GlobalProtect is extremely slow when it uses SSL as its tunnel. I can do a speed test on a 100 Mbps line using IPSec and get near perfect speeds, but if the tunnel is SSL, my tests hang around 10 Mbps down.

L7 Applicator

Re: Global Protect IPSec/SSL

What hardware are you using (GP gateway)? Is it 10 Mbps constantly, or more of an up and down with peaks at 10 Mbps?

L1 Bithead

Re: Global Protect IPSec/SSL

Hi,

I am using a PA-3050 running 7.1.10, and it is pretty consistent that the tests come back with, I would say, between 10-12 Mbps down if on an SSL tunnel. I've done tests on 10, 50, and 100 Mbps bandwidth pipes and it's always around that range.

L7 Applicator

Re: Global Protect IPSec/SSL

But regarding your question: no, there is no automatic fallback to IPSec. After a network change or a manual network rediscovery where the connection needs to be reestablished, GP will try again first with IPsec. And maybe even there GP stays with TLS, if you have configured a reconnect time where the GP client is allowed to reconnect to an existing session.

L7 Applicator

Re: Global Protect IPSec/SSL

It's not very likely, because you tested with different internet access, but it still might be related to MTU mismatch issues. TLS connections don't like fragmentation.

But there are quite a few other things that are part of the game here:

  • PAN-OS 7.1.10: maybe a bug with the decryption performance?
  • GP Agent version: versions 4.0.3/4/5 have a bug where fragmented UDP packets were dropped - may be related if you use Chrome for download tests that was connecting to the servers with TLS over UDP
  • MTU/MSS mismatch issues
  • Do you use the same firewall also for other things? Like TLS forward proxy or TLS inbound inspection, so the firewall was already busy with other things when you did your test