Global Protect connections fails after 20-30 seconds

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect connections fails after 20-30 seconds

L0 Member

Hello,

We have an issue with a Global Protect connection failing for some users in couple of seconds after we migrated from PA 3000 to 1410 series FW.  PA 3000  was 10.2.9 and the new FW came with PANOS 11.1.2-h3 version.

For the users with the problem, the connection is established correctly, they get the tunnel IP and can access resources,  but after 20 or 30 seconds, they get disconnected.

In the traffic logs, we see action is allow, but type “deny” and the session end reason “Policy-denied”, we also see the application “Web-browsing” using port 443, these applications are allowed in the policy for all users, once the application is denied the connection is terminated for the users, attached the image from the FW log.

 

RafaelGarcia_0-1727368158358.png

 

The strange part is that it is just for users from certain countries (Belize and India); all users in the USA can connect without any issue, no Geo-blocking policies in place, IPv6 has been already disabled but issue persist.

We have tried upgrading to the latest PANOS preferred version 11.1.4-h1 and Global Protect 6.3.1 suspecting we might be hitting this bug but issue persist:

PAN-242561: 'GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.'

 

In the GPevent logs from the client shows :

09/23/2024 12:34:42:883 [Info ]: Tunnel is down due to socket closed.
09/23/2024 12:34:42:883 [Info ]: Tunnel downtime is 19078 miliseconds

 

In PANGPS we see similar:

 

Set state to Restoring VPN Connection

(P21564-T24392)Info ( 147): 09/23/24 12:28:53:526 VPN: socket was closed
(P21564-T24392)Debug(1508): 09/23/24 12:28:53:526 --RecvFromSocket, socket closed
(P21564-T24392)Info (2193): 09/23/24 12:28:53:526 ProcPackets, RecvFromSocket() failed
(P21564-T24392)Info (2195): 09/23/24 12:28:53:526 VPN socket was closed

 

Any suggestions or advice would be highly appreciated.

 

GlobalProtect 

3 REPLIES 3

L3 Networker

Hello @RafaelGarcia 

Just wanted to check if you've had a chance to look into any potential problems with User-ID. We had a customer who ran into an issue where User-ID was accidentally deleting users from their IP addresses. This caused them to lose their GlobalProtect connection and get assigned to a different security policy.

Have you had a chance to see if anything similar is happening in your environment?

Regards

Jorge Pomachagua
PCNSE, PCNSC.

L1 Bithead

When you say IPv6 was disabled was it disabled on the virtual GP adapter on the machine? I had a customer this was happening to and that work around worked. 
My guess is that you are not seeing it on users in the US is because they are able to connect using ipsec and not ssl. 

IPv6 is disabled on the GP adapter. All users are using SSL. We have tested with IPSec, but we had the same result

  • 873 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!