Something must have gone wrong in my config I just don't know what. Here is the situation. This is a new setup on PA-820 we have the GlobalProtect license. Some users including myself will connect to the vpn fine, access resources on the network and within a minute or so the network resources will just drop and fail, no status change on the VPN; it stays connected fine. Reconnecting solves it for a while and then it happens again and again and again. It does not happen to all users and computers though. For example my home desktop does not have the issue at all, connects fine and stays connected and works fine for hours. I'm wondering if it has something to do with cookies? Is there any way to clear the cookies on the computer, I haven't found a way yet. Or any other ideas at what I could check. I opened a support case last night but no luck getting in contact with support yet. Please let me know if there is any more info I could give that would help.
PA Software Version: 9.1.1
VPN Client: Windows 5.1.1-12
@KJamesPlease brief us more on the issue -
1. When you start facing issues, have you checked the traffic logs on firewall? Do you see traffic hitting firewall?
2. Please check route print on affected system during issue. Is there any IP conflict happening?
Same issue here. Don't remember it happening prior to upgrading to 9.1.1. Could be a coincidence. We have a split-tunnel configured. When users can't pass traffic, they can still ping the private IP of others who are connected at the same time.
I opened a support case as well. Same software versions as you. Did you see this issue prior to PA Software Version 9.1.1?
We've tried rolling back to 9.1 and 9.0.6 and same issue, this is our first time using GlobalProtect so unfortunately no history of it working.
Got some time scheduled with support today as we could never get in touch. We have GlobalProtect set to look to an AD Group for allowed users. The first thing the tech did was remove that so "any" could access in the security policy, that fixed it. But he went on to figure out why AD was causing it. It ended up being in the Authentication Profile, in the User Domain box we had: domain.local, what fixed it was removing the .local so it just said the domain name. Hope that helps if you haven't got in touch with support yet.
Thanks for your comment. Our config is a bit different so that's not our issue. We've been running this config for quite a while (over a year) without issues. I'm thinking, based on all of the data I've collected, that this is more of an Internet congestion issue more than anything else.
I am facing the same issue. We are currently running 8.1.9-h4. We have User-ID configured and first thing I did was to remove specified AD groups from policies to "Any". Also, under User Identification Networks include/exclude I have disabled those to eliminate that possibility. I have an on-going case open with support but it seems to be at a dead end since we are unable to re-create the issue on demand. When I check the logs on the firewall the username does not populate but it should still work as I changed to "Any". And it is just going straight to the Deny policy with a bunch of not-applicable or incomplete as the application. As if the tcp handshake can not be completed. It is as if the connection is stale. I am still connected to the GlobalProtect but I am not able to access any internal or external resources. Only solution is to disconnect and reconnect GlobalProtect connection. We are running full tunnel so I am wondering if it could be related to local ISP and Internet congestion issues.
Anyways, just wanted to share my expericne. If I happened to find a solution I will be sure to update this feed. My next steps is to either update PAN-OS or try an updated GlobalProtect Client version.
Please let me know if there is a solution to this issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!