This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect IPSec/SSL

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect IPSec/SSL

Justin.Abendroth
L2 Linker

‎04-02-2018 02:43 PM

Hello,

 

If global protect fails to establish a IPSec tunnel and uses SSL instead, does it attempt to switch tunnel types if it sees it can do a IPSec tunnel or will it keep it's current tunnel type until the GP client get's refreshed and sees what connection it can establish? 

 

The reason I ask is because Global Protect is extremly slow when it uses SSL as it's tunnel. I can do a speed test on a 100 mbps line using IPSec and get near perfect speeds, but if the tunnel is SSL, my tests hang around 10 mbps down.

0 Likes Likes
4 REPLIES 4

Remo
L7 Applicator

‎04-02-2018 04:05 PM

What hardware are you using (GP gateway)? Is it 10mbps constantly or more an up and down with peaks at 10mbps?

0 Likes Likes

Justin.Abendroth
L2 Linker
In response to Remo

‎04-02-2018 04:32 PM

Hi,

 

I am using a pa-3050 running 7.1.10 and it is pretty consistant that the tests come back with I would say between 10-12 mbps down if on a SSL tunnel. I've done tests on 10, 50, and 100 bandwidth pipes and its always around that range.

0 Likes Likes

Remo
L7 Applicator
In response to Remo

‎04-02-2018 04:34 PM

But regarding your question: no, there is no automatic fallback to IPSec. After a network change or a manual network rediscovery where the connection needs to be reestablished, GP will try again first wirh IPsec. And may be even there GP stays with TLS, if you have configured a reconnect time where GP client is allowed to reconnect to an existing session.

0 Likes Likes

Remo
L7 Applicator
In response to Remo

‎04-02-2018 04:44 PM - edited ‎04-02-2018 04:45 PM

It's not very likely, because you tested with different internet access, but it still might be related to MTU mismatch issues. TLS connection don't like fragmentation. 

But there are quite a few other things that are part of the game here:

  • PAN-OS 7.1.10: maybe a bug with the decryption performance?
  • GP Agent version: versions 4.0.3/4/5 has a bug where fragmented udp packets were dropped - may be related if you use chrome for download tests that was connection to the servers with TLS over UDP
  • MTU/MSS mismatch issues
  • Do you use the same firewall also for other things? Like TLS forward proxy or TLS inbound inspection, so the firewall was already busy with other things when you did your test
0 Likes Likes
  • 3603 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks