Active Directory Users & Computers slow over GlobalProtect


L1 Bithead

We are experiencing an issue that I am curious if anyone else has encountered. When any of us IT folk are VPN'd in via GlobalProtect (tested on different internet connections, hardwired and wifi), whenever we open up the MSFT Management Console Active Directory Users & Computers, it takes about 5-7 minutes to open. I can see the traffic in our traffic logs on the Palo, nothing denied; it just takes a long time until it opens and runs painfully slow once opened.

If anyone has encountered this before and could point me in the right direction, that would be great. I will update if I do find anything.

Thanks,


Hi @scott.chaput,

By IP scopes of GlobalProtect IPs, do you mean the FQDN address of the portal/gateway?

Thank you!

L4 Transporter

Please collect a Wireshark capture on the GlobalProtect host while opening the MMC, and have a look at everything DNS related.

Win-10 will try to prefer IPv6 over IPv4, so if the router in your home office is IPv6 ready, your client got an IPv6 address and will primarily perform communication and DNS over this link, bypassing the VPN.

If the DNS queries look unsuspicious, look at "llmnr" - this is also an IPv6 default mechanism with Win-10 to do name resolution.

Please share your findings here.

Best Regards
Chacko

L0 Member

We found that 5.0.9 worked better (under a min); when we tried 5.1.4, 5.1.5 or 5.2.0, they all introduced the extra long delay for the RSAT tools (up to 10min, sometimes longer).

We have tried to prioritise IPv4 over IPv6 using this command:

REG.EXE ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0x20 /f

 

However, this did not help; we then tried the weakhostsend suggestion using this command:

REG.EXE ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings" /v post-vpn-connect /t REG_SZ /d "powershell -Command 'Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}'" /f

And this had little impact, down to around 5min from 10min but still not in seconds.

We have an open ticket and have submitted PCAP files so let's see what comes of it.

Running the following command instantly resolved the issue for 5.2.0 on build 1903:

Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}

I've added the reg key but I have not tested it yet.

 

Looks like there may be a more permanent solution, specifically from this KB article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UNoCAM

I'm not sure how this will impact mixed client environments though.

Tried that command on 2004 Windows 10 build with no improvement, if anything it made it worse!
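
A read-only check of the two settings changed in the posts above (the IPv6 `DisabledComponents` value and the per-adapter `weakhostsend` flag), as an added example that is not from any poster in this thread or from Palo Alto Networks. It assumes, as the commands above do, that the GlobalProtect adapter is the one whose `ServiceName` is `PanGpd`, and that the built-in `Get-NetIPInterface` cmdlet is available; the function names are hypothetical.

```powershell
# Added example: reports state only, changes nothing.
# Assumption (taken from the commands in this thread): the GlobalProtect
# virtual adapter is the Win32_NetworkAdapter whose ServiceName is 'PanGpd'.

function Get-Ipv6PreferenceState {
    # DisabledComponents is absent by default; bit 0x20 means
    # "prefer IPv4 over IPv6" (the value set with REG.EXE above).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $value = (Get-ItemProperty -Path $key -Name DisabledComponents `
                  -ErrorAction SilentlyContinue).DisabledComponents
    [pscustomobject]@{
        DisabledComponents = if ($null -eq $value) { 'not set' } else { '0x{0:X}' -f $value }
        PrefersIPv4        = ($null -ne $value) -and (($value -band 0x20) -ne 0)
    }
}

function Get-WeakHostState {
    # Connected adapters (NetConnectionStatus 2) with their IPv4 weak-host flags.
    Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'NetConnectionStatus = 2' |
        ForEach-Object {
            # $ip stays $null if the adapter has no IPv4 binding; the
            # properties below are then reported as empty.
            $ip = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex `
                      -AddressFamily IPv4 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                InterfaceIndex  = $_.InterfaceIndex
                Name            = $_.NetConnectionID
                ServiceName     = $_.ServiceName
                IsGlobalProtect = ($_.ServiceName -eq 'PanGpd')
                WeakHostSend    = $ip.WeakHostSend
                WeakHostReceive = $ip.WeakHostReceive
                InterfaceMetric = $ip.InterfaceMetric
            }
        }
}

Get-Ipv6PreferenceState | Format-List
Get-WeakHostState | Sort-Object InterfaceMetric | Format-Table -AutoSize
```

Running it before and after the VPN connects, and again after the `netsh ... weakhostsend=disabled` command, shows whether the setting actually changed on the non-GlobalProtect adapters.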
