09-08-2016 01:25 AM
Greetings,
I am not sure if someone else has come across this issue before with GlobalProtect and just wanted to run it by some of you guys.
The issue that I am having with GP is that it randomly disconnects. The VPN connection performs fine when under relatively light load with no issues or disconnects. The issue arises when you begin to push the limits of the connection speed.
This issue has been going on for a while and I am no wiser on how to solve this. When it first started my broadband connection was 6mb down and 1mb up that was a normal connection without the VPN. When connected on the GP the connection would show 3mb down and 1mb up. In this scenario, checking mails, general web browsing were fine, but doing something like adding a video to a skype call would cause the connection to drop, as it was too near the upper bandwidth for it to handle.
I then changed my broadband provider to rule that out of the equation. I went to a fibre connection, which a speed test showed 60 and 70mb down/18mb up. The same problem is still there, but because I have raised the threshold of what stresses the connection, I can now skype video etc without issue. However, if I were to download a large file from the web, or copy large files from a file server, the problem still remains.
One of two things will happen. Either A) the connection will slow significantly. During this period, you can see that the outbound traffic on the local adapter is often 2-3 times higher than the traffic on the PanGP virtual adapter, due to the sheer volume of retransmits occurring. Or B) the connection will perform well for a minute or two, and then suddenly cut out. Sometimes it is a combination of the two, with reduced speed due to retransmits, followed by a cut out.
Most of the time this does not affect me too much, because I do not move large files about. However, a couple of days ago I had to download a 2GB update, this led to disconnects every 60 – 120 seconds and made my machine unusable during the download time.
I am not the only user who is experiencing this issue – I have spoken to other VPN users on different broadband providers having the same issue.
The system log of PALO shows a connection released message.
The logs on the GP client show:
Window session changed with state 4
user is switching off.
user disconnected with state = 4
The version of GP we are using is 3.1.0, but experienced this issue on multiple other versions.
Not sure what to do from here so if anyone can share some valuable knowledge/experience on this.
Many Thanks,
09-08-2016 01:51 AM
you can try adding QoS limits to prevent downloads etc from consuming all available bandwidth, or set guarantees for your VPN traffic?
09-08-2016 02:16 AM
Thank you for the reply. Can you explain the setting for setting guarantees for the VPN connection? Is there any guide that explains how to set this up exactly?
I am also considering the QoS setup, but just want to know which one would work better.
09-08-2016 02:22 AM
a good start can be found here : Getting Started: Quality of Service. you'll want to customize the QoS settings to your preferences and environment
09-16-2016 06:17 AM
I have been doing some more testing on this and I do not think QoS may not be the solution. I haven't had to apply any QoS to other global protect deployments.
I tested with another SSL VPN solution "SoftEther VPN" which is no longer in development, but is fine to use in a test. I thought this would be a good test of QoS, as surely this SSL VPN would suffer the same issues.
I did a similar test with the SoftEther VPN, so moving big files from my laptop, downloading and streaming video. Here are the results from my tests:
No VPN: Download 62 Mbps Upload 18.5 Mbps
SoftEther: Download 59.6 Mbps Upload 15.9 Mbps
Global Protect: Download: 35 Mbps Upload 16 Mbps
As you can see, the upload seems fairly good, as it always has, but the download is quite significant. Around 3.8% overhead on the SoftEther connection, which I'd expect as normal overhead for a VPN. However, the Global protect shows around 43.5% losses / overhead, which seems high.
Any file transfer, downloads and video streaming with SoftEther VPN remains steady with no drops, and no large difference between ethernet speed and PANGP adapter and it is not having any retransmission problem either.
With this info do you think we still need to implement QoS on the firewall?
I have come across the following info with regards to speeds of SSL VPN:
Would like to know your thoughts on this in light of the above info.
09-19-2016 03:18 AM
did you verify GlobalProtect is indeed running in SSL mode instead of IPSEC mode?
if so, you will want to enable ipsec to improve performance
Have you already gone over the GP troubleshooting guide: Troubleshooting GlobalProtect
09-19-2016 01:46 PM
Thanks for the reply again. We have tested with IPsec enabled and the performance improved significantly.
This, however, does not solve the problem as if the client cannot establish an IPsec connection, it will still use SSL as a fall back method and then the client will still experience the issues reported. I have now raised this up to TAC as I see no reason why SSL-VPN should degrade performance, have not come across anything on the live community that supports this and have not found a PAN guide that supports this either.
I will let you guys know when the issue has been sorted.
09-20-2016 01:32 AM
it should be expected that ssl has slightly lower performance to ipsec as ipsec doesn't have the overhead ssl has to deal with, leaving more room for actual payload per packet
if you absolutely do not want the fallback to ssl, you can simply block ssl to the untrust interface (untrust untrust ssl-443 drop), then it is either ipsec or nothing
however, ssl is usually a good backup for users in a restrictive environment that do not allow ipsec
please keep us posted on your interaction with TAC 🙂
09-20-2016 07:02 AM
PAN TAC have advised that this is a bug in the code and is due to be fixed in version 7.1.6 🙂
09-20-2016 07:07 AM
Good find. Did they provide you the bug-id? Could you post it here? Could help others and us know what to look for in the upcoming release.
09-21-2016 02:33 AM
The bug ID is: 98699
let me know if you need any other info