I am checking to see if anyone in the community can help before I try tech support. I have noticed recently the clients using Global Protect are having VERY slow performance. My tests at home show that I am getting 100mbps download without the Global Connect connected and 1.5 mbps with it connected. I have tested multiple devices from multiple locations, same results. Happens on both Windows and iOS.
I am currently on version 7.1.6 on the PA and 3.1.5 on the GP client.
I have tried setting the MTU to 1400 on the tunnel interface, no change.
I have verified that IPSEC is enabled on the gateway.
Any ideas of what else I can look at? My users are turning it off most of the time because it is so slow and it is defeating the purpose of having it.
There are a lot of different variables that could be causing this and I don't feel like it's going to be intuitive to have a bunch of people guess what could potentially be the issue without a good amount of backstory to what your environment actually looks like.
Have you looked at the actual tunnel interface statistics for your GP tunnel and verified that you don't have more traffic than your device can handle? What is your ISP speed at your main office? What traffic are you actually routing through your GP, everything, or are you utilizing access routes? How many active GP clients can you have at any given moment? Is this a new issue that just developed or something ongoing that has never worked right?
Your gateway is configured for IPSec - do your clients report that they're actually using IPSec or are they reporting something else? Look in the GP Client GUI for the answer.
How are you measuring performance? Some apps take a big hit based on latency. Try testing with something like http://beta.speedtest.net.
Anecdotally, using beta.speedtest.net, I see a very small degradation when using GlobalProtect w/ IPSec vs not having it enabled at all. The performance test results are within a few percentage points of each other and the "hit" is negligible to me.
However, if I reconfigure things and force SSL instead, I see a much larger performance drop. (This seems to be common with many SSL-based VPN solutions, though - not just GlobalProtect).
I second @BPry's vote to open a case with TAC. Way too many variables to effectively troubleshoot this via an online forum.