Active Directory Users & Computers slow over GlobalProtect


L1 Bithead

We are experiencing an issue that I am curious if anyone else has encountered. When any of us IT folk are VPN'd in via GlobalProtect (tested on different internet connections, hardwired and wifi), whenever we open up MSFT Management Console Active Directory Users & Computers, it takes about 5-7 minutes to open. I can see the traffic in our traffic logs on the Palo, nothing denied, it just takes a long time until it opens and runs painfully slow once opened.

If anyone has encountered this before, if you could point me in the right direction that would be great. I will update if I do find anything.

 

Thanks,

29 REPLIES

We also have had this problem too for ages, somehow seems to have resolved itself. We ended up having to give our Helpdesk VDI systems so they could run Active Directory no problems for supporting the users remotely when on call, since they couldn't over VPN. Now that we are all remote these days, glad it resolved itself.

We debugged this for days with PAN TAC support, no dice. Multiple packet captures, Wiresharks, you name it.

We debugged this with Microsoft support, they said it's Palo Alto. We captured packets from the domain controllers and the client and the firewalls.

Definitely was related to DNS at times and related to how they do their interfaces, it seemed. We also were seeing traffic going out the wrong interfaces, thanks to Microsoft and their dual network send out packets, DNS was seen going both ways.

Really wish I knew what resolved itself, so I could share.

We are updated to v1903 of Windows 10, not sure if that changed anything, also running newer GlobalProtect v5.0.8 now, so those are the two changes we did since we last really debugged. We were on 4.1.x previously and Win10 v1709.

It looks like a carbon copy of our issue and troubleshooting efforts. Thank you for the Windows version tip.

Bug ID GPC-7496 related to this seems to have been fixed in 4.1.11 but probably reintroduced in 5.1.X

 

 

We had the same issue, with ADUC and a couple other apps we had.  We dug into our DNS, and found we did not have a reverse lookup for the IP scopes of GlobalProtect IPs.  Once we added those and they started to populate, it was better.  It is still not as fast as being in the LAN, but it is usable now.  Takes 1-2 mins for it to come up, and is pretty responsive after that.  Thought I would share!

BTW we are using Win10 with a mix of 1803 and 1903 (that is a long story), with GP 5.0.5

That worked for me. Thank you

The registry key addition doesn't seem to make any difference on 5.1.4

Running the command manually when required does work:

Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}
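Added example, not posted by anyone in this thread: a read-only PowerShell check covering the two fixes reported above (the missing reverse lookup for GlobalProtect pool addresses and the weakhostsend setting). It assumes the GlobalProtect adapter is the one whose ServiceName is PanGpd, as in the command above, and that the NetTCPIP and DnsClient modules (Windows 8 / Server 2012 and later) are available.

```powershell
# Added example: audit only, nothing is changed on the machine.
# Assumption: the GlobalProtect virtual adapter has ServiceName 'PanGpd',
# taken from the command quoted in the post above.

# Connected adapters only (NetConnectionStatus 2 = connected).
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionStatus -eq 2 }

$report = foreach ($a in $adapters) {
    # IPv4 interface settings hold the weak/strong host model flags.
    $ipIf = Get-NetIPInterface -InterfaceIndex $a.InterfaceIndex `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $ipIf) { continue }

    $isGp = ($a.ServiceName -eq 'PanGpd')
    $addr = (Get-NetIPAddress -InterfaceIndex $a.InterfaceIndex `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object -First 1).IPAddress

    # Reverse lookup is only checked for the tunnel address, since the
    # thread reports missing PTR records for the GlobalProtect IP scopes.
    $ptr = $null
    if ($isGp -and $addr) {
        $ptr = (Resolve-DnsName -Name $addr -Type PTR -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'PTR' } |
            Select-Object -First 1).NameHost
        if (-not $ptr) { $ptr = '(no PTR record)' }
    }

    [pscustomobject]@{
        Adapter         = $a.Name
        IfIndex         = $a.InterfaceIndex
        GlobalProtect   = $isGp
        IPv4            = $addr
        WeakHostSend    = $ipIf.WeakHostSend
        WeakHostReceive = $ipIf.WeakHostReceive
        ReversePTR      = $ptr
    }
}

$report | Sort-Object GlobalProtect -Descending | Format-Table -AutoSize
```

Running it before and after connecting the VPN shows whether WeakHostSend changes on the physical adapters and whether the assigned tunnel address resolves in reverse DNS.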

 
