Never ending globalprotect VPN drops

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Never ending globalprotect VPN drops

L4 Transporter

Supporting VPN for people is a challenge no matter what VPN you are using but people never consider the reliabilty of their own ISP provider as part of that issue. So what is the best way to rule out the users ISP as the problem and not the globalprotect client/VPN access? But to be fair I do not want to rule that out either . This my users complaint : 

 

We have been having an issue with the Global Protect client dropping us seemingly randomly when are connected. Sometimes we are remoted into local machines working in Clarion and/or Sybase. Other times we are remoted into our local machine and are dropped. The message we get sometimes is Global Protect is trying to reconnect and will do so in x amount of seconds. A user has been working from home this last hour and is having issues with this. We do need assistance as sometimes it is critical for us to remain connected to respond to an immediate issue. Could you please provide assistance?

26 REPLIES 26


@jdprovine wrote:

@reaper

Set to panservice not panagent?


both 🙂

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

So I have to run it twice? Because it seems to be an either or selection on the client

it's 2 processes you can separately run different log levels on, so you set log level for one and then the other 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

I had a TAC case open for this and they just called me back, they said to run pangpservice in debug mode and start. Then highlight the logs collected and paste into notepad and then upload to the case. The said I did not have to run as pangpclient but I trust your advice more reaper

no ones ever died from too many logs .... i think 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

Indeed! TAC is starting to go downhill

@reaper @BPry @OtakarKlier

 

Will you get everything if you set it to dump instead of debug?

@reaper @BPry @OtakarKlier

 

Collected the client off the logs and what do you know when the user came down everything worked as it should and I have convinced to contact there ISP and check out their home wireless 

As with you all, I am experiencing user complaints about VPN connectivity and reliabilty.

 

One thing I have found today with one of the GP users is using what I'll call ISP C. Our company has two ISP's I'll call them ISP A and ISP B. A traceroute from either side shows traffic going to the client traversing over ISP A from the GP Gateway to reach ISP C. However, a traceroute from ISP C reveals it is traversing a path over ISP B to reach the VPN Gateway. I'm not sure if that has something to do with it or not just yet. It has been at least for this user, a problem more recently with things starting in September.

 

To add to it, I had a conversation with another engineer in the area at a reseller. He mentioned that he is having an issue at a client site with VPN users dropping randomly as well. They are using Cisco AnyConnect but the interresting thing is they share the same ISP C that our client is using. Not only that, but it is something that started occuring in the same timeframe as our client. These clients should have only one AS hop between their AS and our AS. I haven't confirmed the other path.

 

So, don't discount the idea that problems could just be ISP related. If anyone has any comments on asynchronous ISP paths using BGP please reply. I'd enjoy hearing them.

@bspilde

Absolutely, I find that 9.5 times out of 10 the issue is related to a wonky ISP connection, but its hard to get the user to believe that. They repeatedly come back to be,even when I have logs saying its not the VPN client, to get me to fix it for them. Frequently I advise them to contact their ISP, some do some don't, those who have contacted the ISP got resolution those who didn't got noe resolution. 🙂

In my most recent case, the user finally contacted the ISP.

 

Their VPN client was dropping every hour. ISP had them reboot their cable modem/router combo and it has been fine ever since.

@bspilde

Yup like I said 9.5 times out of 10 its wonky ISP connection - good luck 😉

  • 7605 Views
  • 26 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!