Active Directory Users & Computers slow over GlobalProtect

Reply
Highlighted
L1 Bithead

Active Directory Users & Computers slow over GlobalProtect

We are experience an issue that I am curious if anyone else has encountered. When any of us IT folk are VPN'd in via GlobalProtect (tested on different internet connections, hardwired and wifi) whenever we open up MSFT Management Console Active Directories Users & Computers, it takes about 5-7 minutes to open.  I can see the traffic in our traffic logs on the Palo, nothing denied, it just takes a long time until it opens and runs painfully slow once opened. 

 

If anyone has encountered this before if you could point me in the right direction that would be great, I will update if I do find anything.

 

Thanks,

Highlighted
L2 Linker

Re: Active Directory Users & Computers slow over GlobalProtect

Hello,

 

We ran into this same issue.  We had to add a special registry key.  Problem is cause by weakhostsend in windows or some cases it was a DNS issue.

 

We had to add the following registry key.

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect

 

Name: command

 

Data: powershell -Command "Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}"

Highlighted
L1 Bithead

Re: Active Directory Users & Computers slow over GlobalProtect

Hmm I don't seem to have a key for post-vpn-connect under settings just "remove-gpa-cp"

Highlighted
L1 Bithead

Re: Active Directory Users & Computers slow over GlobalProtect

Nevermind I figured out how to add this (sorry I'm a network guy my brain is wired differently). Thanks for the input but this did not seem to resolve my issue - back to digging!

Highlighted
L2 Linker

Re: Active Directory Users & Computers slow over GlobalProtect

Any new leads on this? I think we might have hit the same issues (probably related to DNS) and the register change did not help either.

Highlighted
L3 Networker

Re: Active Directory Users & Computers slow over GlobalProtect

we also have had this problem too for ages, somehow seems to have resolved itself. We ended up having to give our Helpdesk VDI systems so they could run Active Directory no problems for supporting the users remotely when oncall since couldn't over VPN. Now that we are all remote these days, glad it resolved itself.

 

we debugged this for days with PAN TAC support, no dice. multiple packet captures, wiresharks, you name it

 

we debugged this with Microsoft support, they said its Palo Alto. We captured packets from the domain controllers and the client and the firewalls..

 

definitely was related to DNS at times and related to how they do their interfaces it seemed. We also were seeing traffic going out the wrong interfaces, thanks to Microsoft and their dual network send out packets, DNS was seen going both ways.

 

Really wish I knew what resolved itself, so I could share.

 

we are updated to v1903 of Windows 10, not sure if that changed anything, also running newer GlobalProtect v5.0.8 now, so those two changes we did since we last really debugged. We were on 4.1.x previously and Win10 v1709.

Highlighted
L2 Linker

Re: Active Directory Users & Computers slow over GlobalProtect

It looks like a carbon copy of our issue and troubleshooting efforts. Thank you for the Windows version tip.

Bug ID GPC-7496 related to this seems to have been fixed in 4.1.11 but probably reintroduced in 5.1.X

 

 

Highlighted
L0 Member

Re: Active Directory Users & Computers slow over GlobalProtect

We had the same issue, with ADUC and a couple other apps we had.  We dug into our DNS, and found we did not have a reverse lookup for the IP scopes of GlobalProtect IPs.  Once we added those and they started to populate, it was better.  It is still not as fast as being in the LAN, but it is usable now.  Takes 1-2 mins for it to come up, and is pretty responsive after that.  Thought I would share!

BTW we are using Win10 with a mix of 1803 and 1903 (that is a long story), with GP 5.0.5

Highlighted
L0 Member

Re: Active Directory Users & Computers slow over GlobalProtect

That worked for me. Thank you

Highlighted
L0 Member

Re: Active Directory Users & Computers slow over GlobalProtect

The registry key addition doesn't seem to make any difference on 5.1.4

Running the command manually when required does work:

Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!