Slow speed via Global Protect.


L3 Networker

I have a VM300 with GP without split tunnel. Between with and without GP there is a loss of around 6mb.

Is it acceptable to have 6mb of overhead loss? Will enabling/disabling ipsec in the ssl vpn setting make any difference?

6 REPLIES

L7 Applicator

Was it always this way? 

Do you have threat profiles enabled for that traffic?

Is this affecting every client? 

 

There are many things that could cause issues, but we will need to narrow down what the issue may be.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

No security profiles.

Not affecting every customer.

My question is what sort of overhead can be seen in GP?

 

Hello

If you have split tunnel disabled (makes sense), then the public IP of the firewall needs to hairpin the communication from the GP agent to the destination IP on the Internet. This could be a legitimate reason for why you will have some degradation, due to increased CPU utilization in hairpin.

I believe this is acceptable, as there is no way to NOT have some degradation.

As you mentioned, it does not affect every customer, so there are too many variables to indeed determine that it is the GP config causing it.

You could always enable QoS to help prioritize traffic.

Keep working out the variables and let us know.  I

Help the community: Like helpful comments and mark solutions

The user has a performance issue when accessing a file in the trust zone of the firewall over the GP, ipsec tunnel.

I read on the net that SMB traffic over vpn is not very good. There are a lot of tcp retransmissions.

Ok, still confused.

With split tunneling enabled (which is an irrelevant point) the user is still using the routing table (pushed by the GP config) to access the file in the trust zone.

With split tunneling disabled (which forces all traffic to the FW), the user is still using the same routing table to access the file in the trust zone.

I guess I do not see how split tunnel (on or off) would affect accessing the trust zone, UNLESS there is a lot of non-productive traffic being pushed through the FW during the disabled split tunnel config.

Is the virtual pool of addresses in the GP config a non-overlapping/unique subnet that is not on the trusted network?

What other info can you share?

Why does this not affect all customers, if you think it is a GP agent/configuration issue?

I presume you are doing a Wireshark trace to see the retransmissions. May be related, or may not be related.

If they try to NOT access using SMB, but go to a web server inside their network, does it work fine?

Is there an FTP server or similar that the user can try to upload/download files using a different application?

Any QoS enabled on the FWs?

Keep working and troubleshooting the issue.


Just wanted to let everyone know that if they are having any GlobalProtect issues and need to troubleshoot them, our very own @kiwi has written a great blog all about troubleshooting GlobalProtect.

Be sure to check it out here: 
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-troubleshooting-tips/ba-p/383911

LIVEcommunity team member
Stay Secure,
Joe