GP Disconnects


L2 Linker

Greetings,

 

I am not sure if someone else has come across this issue before with GlobalProtect and just wanted to run it by some of you guys.

 

The issue that I am having with GP is that it randomly disconnects. The VPN connection performs fine when under relatively light load with no issues or disconnects. The issue arises when you begin to push the limits of the connection speed.

 

This issue has been going on for a while and I am no wiser on how to solve this. When it first started my broadband connection was 6mb down and 1mb up; that was a normal connection without the VPN. When connected on the GP the connection would show 3mb down and 1mb up. In this scenario, checking mails, general web browsing were fine, but doing something like adding a video to a Skype call would cause the connection to drop, as it was too near the upper bandwidth for it to handle.

 

I then changed my broadband provider to rule that out of the equation. I went to a fibre connection, which a speed test showed 60 and 70mb down/18mb up. The same problem is still there, but because I have raised the threshold of what stresses the connection, I can now Skype video etc. without issue. However, if I were to download a large file from the web, or copy large files from a file server, the problem still remains.

 

One of two things will happen. Either A) the connection will slow significantly. During this period, you can see that the outbound traffic on the local adapter is often 2-3 times higher than the traffic on the PanGP virtual adapter, due to the sheer volume of retransmits occurring. Or B) the connection will perform well for a minute or two, and then suddenly cut out. Sometimes it is a combination of the two, with reduced speed due to retransmits, followed by a cut out.

 

Most of the time this does not affect me too much, because I do not move large files about. However, a couple of days ago I had to download a 2GB update; this led to disconnects every 60 – 120 seconds and made my machine unusable during the download time.

 

I am not the only user who is experiencing this issue – I have spoken to other VPN users on different broadband providers having the same issue.

 

The system log of PALO shows a connection released message.

 

The logs on the GP client show:

 Window session changed with state 4

user is switching off.

user disconnected with state = 4

 

The version of GP we are using is 3.1.0, but we have experienced this issue on multiple other versions.

 

Not sure what to do from here so if anyone can share some valuable knowledge/experience on this.

 

Many Thanks,

10 REPLIES 10

Cyber Elite

You can try adding QoS limits to prevent downloads etc. from consuming all available bandwidth, or set guarantees for your VPN traffic?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you for the reply. Can you explain the setting for setting guarantees for the VPN connection? Is there any guide that explains how to set this up exactly?

 

I am also considering the QoS setup, but just want to know which one would work better.

A good start can be found here: Getting Started: Quality of Service. You'll want to customize the QoS settings to your preferences and environment.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I have been doing some more testing on this and I do not think QoS may be the solution. I haven't had to apply any QoS to other GlobalProtect deployments.

 

I tested with another SSL VPN solution "SoftEther VPN" which is no longer in development, but is fine to use in a test. I thought this would be a good test of QoS, as surely this SSL VPN would suffer the same issues. 

 

I did a similar test with the SoftEther VPN, so moving big files from my laptop, downloading and streaming video. Here are the results from my tests:

 

No VPN: Download 62 Mbps Upload 18.5 Mbps 

SoftEther: Download 59.6 Mbps Upload 15.9 Mbps

GlobalProtect: Download 35 Mbps Upload 16 Mbps

 

As you can see, the upload seems fairly good, as it always has, but the download is quite significant. Around 3.8% overhead on the SoftEther connection, which I'd expect as normal overhead for a VPN. However, GlobalProtect shows around 43.5% losses / overhead, which seems high.

 

Any file transfer, downloads and video streaming with SoftEther VPN remains steady with no drops, and no large difference between ethernet speed and PANGP adapter and it is not having any retransmission problem either.

 

With this info do you think we still need to implement QoS on the firewall?

I have come across the following info with regards to speeds of SSL VPN:

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Why-is-GlobalProtect-Slower-on-SSL-VPN-Compar...

 

Would like to know your thoughts on this in light of the above info.

 

Did you verify GlobalProtect is indeed running in SSL mode instead of IPsec mode?

 

If so, you will want to enable IPsec to improve performance.

 

Have you already gone over the GP troubleshooting guide: Troubleshooting GlobalProtect?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the reply again. We have tested with IPsec enabled and the performance improved significantly. 

 

This, however, does not solve the problem as if the client cannot establish an IPsec connection, it will still use SSL as a fallback method and then the client will still experience the issues reported. I have now raised this up to TAC as I see no reason why SSL-VPN should degrade performance, have not come across anything on the live community that supports this and have not found a PAN guide that supports this either.

 

I will let you guys know when the issue has been sorted. 

It should be expected that SSL has slightly lower performance than IPsec, as IPsec doesn't have the overhead SSL has to deal with, leaving more room for actual payload per packet.

 

If you absolutely do not want the fallback to SSL, you can simply block SSL to the untrust interface (untrust untrust ssl-443 drop), then it is either IPsec or nothing.

However, SSL is usually a good backup for users in a restrictive environment that does not allow IPsec.

 

Please keep us posted on your interaction with TAC 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

PAN TAC have advised that this is a bug in the code and is due to be fixed in version 7.1.6 🙂

Good find. Did they provide you the bug-id? Could you post it here? Could help others of us know what to look for in the upcoming release.

The bug ID is: 98699

 

Let me know if you need any other info.
