GlobalProtect 3.0.1-10 on Windows 7 gradually consumes all the memory


L1 Bithead

Hi,

 

I'm using GlobalProtect 3.0.1-10 as the VPN client on Windows 7, and this Win7 system is running inside the VirtualBox on my Ubuntu 14.04.

 

I have observed several times that after I connect the VPN and keep it running for several days, the system memory will be consumed by GlobalProtect completely, which can be seen from the Task Manager "Performance" tab. I also noticed, when this happened, a large number of background processes called "32bitProxy.exe" in the Task Manager "Processes" tab.

 

I'm not sure if I have to connect the VPN in order to reproduce this issue, but this happens every time after I connect the VPN.

 

Does anyone have any ideas why this happened?

 

I found this post: PAN-OS 6.0.3: Addressed Issues which mentions the Issue #63862 that says “A backend process was using an excessive amount of memory, causing an out of memory condition.” Could this be related to the issue I'm currently having? But this post seems to be talking about a different product other than GlobalProtect.

Below are the screenshots comparing the initial state with the state when the memory was all consumed.

[Screenshots: Task Manager Performance initially; Task Manager Performance when all memory consumed; Task Manager Processes initially; Task Manager Processes when all memory consumed]

Accepted Solutions

Cyber Elite

Please see HERE: This is an addressed issue in 3.0.2.

FYI, GlobalProtect is NOT meant to be run for days, nor is any other SSL VPN client. If you are keeping something like this open constantly, you should be using an IPSEC tunnel, not a VPN client.


Hi @BPry

 

Thanks for your reply!

 

By the way, I looked at the "Details" tab on my GlobalProtect window and it said the protocol being used was "IPSec". Does this mean I'm already using the IPSec tunnel as you mentioned?

Sorry, after reading your question again, an actual site-to-site IPsec tunnel doesn't make a lot of sense for your situation. One thing to keep in mind is that GlobalProtect, and AnyConnect or WatchGuard's client for that matter, is meant to be used as an on-demand VPN client. It really isn't meant to be kept running for days. This is why all VPNs are configured with a timeout, which is something you would have had to disable to actually get this to run for 'days' as you mentioned.

Hi @BPry,

 

Thanks again for your information! Excuse me if I ask stupid questions because I don't have much experience with the VPN-related technologies.

 

I get your message that the clients you mentioned are not supposed to run forever. Therefore, now I start to re-think how I should achieve my business goal.

 

My situation is like below:

  • My customer is a large company which requires strict IT security policy. I have to use VPN to access the customer-site computers.
  • GlobalProtect is the VPN client required by my customer.
  • Our customer's business generates data that we need to copy back, via VPN, for further processing.
  • Our customer will keep generating such data and we need to keep copying them back. The data generation can span weeks or even months. In order to increase my company's scalability, I'm trying to build a piece of software that aims to automatically copy the data. By "automatically" I mean "zero human intervention", and manually reconnecting the VPN, if timed out, is not the desired behavior. This is why, as I said in my first post, I kept running GlobalProtect for days.
  • Our customer had turned the timeout off. This explains why I was able to run it for such a long time.

As you pointed out that the VPN clients are NOT designed to keep running for a long time, I'm thinking that:

  • Maybe my goal of automation was set too high. But given the current technical constraints, disabling the timeout of the VPN client seems to be the only way to achieve my goal. What do you think?
  • Maybe there are some other alternative solutions that I'm not aware of. Do you know any of them?

Appreciate it very much for your time of reading this and if you could shed some light on me!

I would really try and get a site-to-site VPN setup for the client in that type of situation. You still get the security benefit of a VPN, and they can limit your access so that you only have direct access to whatever data you actually need. The customer really shouldn't have any issues with this type of setup, as they can set up the routes and whatnot to make sure that you meet the security requirements that they deem fit.

If you explain to their network team what you are trying to accomplish, they really shouldn't have any issues with this; most large businesses will have this type of work already done for exactly the type of situation that you are pointing out. Really, I would set up a site-to-site tunnel before I ever disabled the time-out on any of my GlobalProtect clients; and a site-to-site is just really 'better suited' for what you are trying to accomplish here.

Thank you @BPry for your time, information and suggestions!
