Active Directory Users & Computers slow over GlobalProtect


L3 Networker

Hi @scott.chaput,

By IP scopes of GlobalProtect IPs, do you mean the FQDN address of the portal/gateway?

Thank you!

L4 Transporter

Please collect a Wireshark capture on the GlobalProtect host while opening the MMC, and have a look at everything DNS-related.

Win-10 will try to prefer IPv6 over IPv4, so if the router in your home office is IPv6-ready, your client gets an IPv6 address and will primarily perform communication and DNS over this link, bypassing the VPN.

If the DNS queries look unsuspicious, look at "LLMNR" - this is also an IPv6 default mechanism in Win-10 for name resolution.

Please share your findings here.

Best Regards
Chacko
L0 Member

We found that 5.0.9 worked better (under a minute); when we tried 5.1.4, 5.1.5 or 5.2.0, they all introduced the extra-long delay for the RSAT tools (up to 10 min, sometimes longer).

We have tried to prioritise IPv4 over IPv6 using this command:

REG.EXE ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0x20 /f

However, this did not help; we then tried the weakhostsend suggestion using this command:

REG.EXE ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings" /v post-vpn-connect /t REG_SZ /d "powershell -Command 'Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}'" /f

And this had little impact: down to around 5 min from 10 min, but still not in seconds.

We have an open ticket and have submitted PCAP files, so let's see what comes of it.
L0 Member

Running the following command instantly resolved the issue for 5.2.0 on build 1903:

Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}

I've added the reg key but I have not tested it yet.

Looks like there may be a more permanent solution, specifically from this KB article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UNoCAM

I'm not sure how this will impact mixed client environments though.

L0 Member

Tried that command on the 2004 Windows 10 build with no improvement; if anything, it made it worse!
L0 Member

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UNoCAM

This has been happening to users here since moving from 4.1.11 to 5.1.5.

Has anyone had any luck fixing this by updating SRV or other DNS records?

I don't want to run a script to fix something that sounds like it may be resolvable by an infrastructure change.

L3 Networker

We had this issue with several users and the workaround suggested on the article sorted the issue out.

Adding a dummy domain on the split tunnel tab worked. Note: this must be done without "No direct access to local network" enabled; otherwise it will nullify the fix of using the domain in split tunnel.

From the admin guide:

"Disable the No direct access to local network option (Split Tunnel Access Route). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks."

The 2nd workaround is to disable weak host mode from PowerShell with these commands:

Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}
Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv6 set interface $_.InterfaceIndex weakhostsend=disabled}

Both workarounds worked fine for all the users.

Does anyone know if this design is intended to be changed in future GP releases?

I guess this is something for a feature request. Did someone request one for this matter?

Thank you!
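A diagnostic script, added here as an example and not taken from the thread or from Palo Alto Networks, that checks what both workarounds above depend on: whether the DC locator SRV lookup and the LDAP path to each DC leave through the GlobalProtect adapter or a local interface, whether weak host send is still enabled on the physical adapters, and whether LLMNR is still on. It assumes the GP adapter's InterfaceDescription contains "PANGP" and uses the placeholder domain corp.example.com; with -Fix it applies the same weak host change as the netsh one-liners, for both address families.

```powershell
# Added example, not from the thread or from Palo Alto Networks. Run in an elevated PowerShell on the client.
# Assumptions: AD DNS domain corp.example.com (placeholder) and a GP adapter whose
# InterfaceDescription contains "PANGP"; adjust both for your environment.
param(
    [string]$Domain  = 'corp.example.com',
    [string]$GpMatch = 'PANGP',
    [switch]$Fix    # also disable weak host send (IPv4 and IPv6) on every non-GP adapter that is Up
)

$up = Get-NetAdapter | Where-Object Status -eq 'Up'
$gp = $up | Where-Object InterfaceDescription -like "*$GpMatch*" | Select-Object -First 1
if (-not $gp) { Write-Warning "No connected adapter matching '$GpMatch': is GlobalProtect connected?" }

"== Weak host state of connected adapters (Enabled on a physical NIC lets traffic leave outside the tunnel) =="
$up | ForEach-Object {
    $nic = $_
    Get-NetIPInterface -InterfaceIndex $nic.ifIndex |
        Select-Object @{n='Adapter';e={$nic.InterfaceDescription}}, AddressFamily,
                      WeakHostSend, WeakHostReceive, InterfaceMetric
} | Format-Table -AutoSize | Out-String

"== DNS servers per interface (the domain's servers should sit on the GP adapter) =="
Get-DnsClientServerAddress | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses | Format-Table -AutoSize | Out-String

"== LLMNR policy: EnableMulticast 0 = disabled, 1 or missing = enabled =="
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue
if ($pol) { "EnableMulticast = $($pol.EnableMulticast)" } else { 'EnableMulticast not set (LLMNR enabled)' }

"== DC locator: which interface the LDAP connection to each DC uses =="
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
foreach ($rec in $srv) {
    $addrs = Resolve-DnsName $rec.NameTarget -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
    foreach ($ip in $addrs) {
        $t   = Test-NetConnection -ComputerName $ip.IPAddress -Port 389 -WarningAction SilentlyContinue
        $via = if ($gp -and $t.InterfaceAlias -eq $gp.Name) { 'GP tunnel' } else { 'LOCAL adapter, bypassing the VPN' }
        '{0} ({1}) LDAP/389 reachable={2} via {3}: {4}' -f $rec.NameTarget, $ip.IPAddress, $t.TcpTestSucceeded, $t.InterfaceAlias, $via
    }
}

if ($Fix) {
    # Same effect as the two netsh one-liners in the thread, via the NetTCPIP cmdlets; covers IPv4 and IPv6.
    $up | Where-Object InterfaceDescription -notlike "*$GpMatch*" | ForEach-Object {
        Get-NetIPInterface -InterfaceIndex $_.ifIndex | Set-NetIPInterface -WeakHostSend Disabled
        "WeakHostSend disabled on $($_.InterfaceDescription)"
    }
}
```

Any DC line that reports a LOCAL adapter shows the locator traffic the workarounds are meant to force back into the tunnel; re-run after applying either workaround to confirm it now says GP tunnel.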

L0 Member

We were running GlobalProtect 5.0.x for a while and just recently upgraded the clients to 5.2.2. And that's when this issue popped up for us. A workaround that I found is to launch ADUC from the command line with the /server switch, "dsa.msc /server=<ip of the dc>". When I specified the IP of the DC, ADUC was very responsive.

L3 Networker

Hi @DougVanAllen,

Actually, for us it was the other way around: upgrading to 5.2.2 fixed the issue with ADUC.
L0 Member

What do you mean by "add a dummy domain to split tunnel"? Do you add a fake domain to the include or exclude? I tried adding the real domain to include, but nothing has improved.

Thanks

Brandon
