09-26-2024 09:27 AM - edited 09-26-2024 09:49 AM
Hello,
We have an issue with a GlobalProtect connection failing for some users in a couple of seconds after we migrated from PA 3000 to 1410 series FW. The PA 3000 was on 10.2.9 and the new FW came with PAN-OS version 11.1.2-h3.
For the users with the problem, the connection is established correctly, they get the tunnel IP and can access resources, but after 20 or 30 seconds, they get disconnected.
In the traffic logs, we see the action is allow, but the type is “deny” and the session end reason is “Policy-denied”. We also see the application “Web-browsing” using port 443; these applications are allowed in the policy for all users. Once the application is denied, the connection is terminated for the users. Attached is the image from the FW log.
The strange part is that it is just for users from certain countries (Belize and India); all users in the USA can connect without any issue. There are no Geo-blocking policies in place, and IPv6 has already been disabled, but the issue persists.
We have tried upgrading to the latest PAN-OS preferred version 11.1.4-h1 and GlobalProtect 6.3.1, suspecting we might be hitting this bug, but the issue persists:
PAN-242561: 'GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.'
The GPevent logs from the client show:
09/23/2024 12:34:42:883 [Info ]: Tunnel is down due to socket closed.
09/23/2024 12:34:42:883 [Info ]: Tunnel downtime is 19078 miliseconds
In PANGPS we see similar:
Set state to Restoring VPN Connection
(P21564-T24392)Info ( 147): 09/23/24 12:28:53:526 VPN: socket was closed
(P21564-T24392)Debug(1508): 09/23/24 12:28:53:526 --RecvFromSocket, socket closed
(P21564-T24392)Info (2193): 09/23/24 12:28:53:526 ProcPackets, RecvFromSocket() failed
(P21564-T24392)Info (2195): 09/23/24 12:28:53:526 VPN socket was closed
Any suggestions or advice would be highly appreciated.
09-26-2024 11:30 AM
Hello @RafaelGarcia
Just wanted to check if you've had a chance to look into any potential problems with User-ID. We had a customer who ran into an issue where User-ID was accidentally deleting users from their IP addresses. This caused them to lose their GlobalProtect connection and get assigned to a different security policy.
Have you had a chance to see if anything similar is happening in your environment?
Regards
10-02-2024 09:27 AM
When you say IPv6 was disabled, was it disabled on the virtual GP adapter on the machine? I had a customer this was happening to, and that workaround worked.
My guess is that you are not seeing it on users in the US because they are able to connect using IPsec and not SSL.
10-02-2024 10:28 AM
IPv6 is disabled on the GP adapter. All users are using SSL. We have tested with IPsec, but we had the same result.