Something must have gone wrong in my config I just don't know what. Here is the situation. This is a new setup on PA-820 we have the GlobalProtect license. Some users including myself will connect to the vpn fine, access resources on the network and within a minute or so the network resources will just drop and fail, no status change on the VPN; it stays connected fine. Reconnecting solves it for a while and then it happens again and again and again. It does not happen to all users and computers though. For example my home desktop does not have the issue at all, connects fine and stays connected and works fine for hours. I'm wondering if it has something to do with cookies? Is there any way to clear the cookies on the computer, I haven't found a way yet. Or any other ideas at what I could check. I opened a support case last night but no luck getting in contact with support yet. Please let me know if there is any more info I could give that would help.
PA Software Version: 9.1.1
VPN Client: Windows 5.1.1-12
Got some time scheduled with support today as we could never get in touch. We have GlobalProtect set to look to an AD Group for allowed users. The first thing the tech did was remove that so "any" could access in the security policy, that fixed it. But he went on to figure out why AD was causing it. It ended up being in the Authentication Profile, in the User Domain box we had: domain.local, what fixed it was removing the .local so it just said the domain name. Hope that helps if you haven't got in touch with support yet.
Thanks for your comment. Our config is a bit different so that's not our issue. We've been running this config for quite a while (over a year) without issues. I'm thinking, based on all of the data I've collected, that this is more of an Internet congestion issue more than anything else.
I am facing the same issue. We are currently running 8.1.9-h4. We have User-ID configured and first thing I did was to remove specified AD groups from policies to "Any". Also, under User Identification Networks include/exclude I have disabled those to eliminate that possibility. I have an on-going case open with support but it seems to be at a dead end since we are unable to re-create the issue on demand. When I check the logs on the firewall the username does not populate but it should still work as I changed to "Any". And it is just going straight to the Deny policy with a bunch of not-applicable or incomplete as the application. As if the tcp handshake can not be completed. It is as if the connection is stale. I am still connected to the GlobalProtect but I am not able to access any internal or external resources. Only solution is to disconnect and reconnect GlobalProtect connection. We are running full tunnel so I am wondering if it could be related to local ISP and Internet congestion issues.
Anyways, just wanted to share my expericne. If I happened to find a solution I will be sure to update this feed. My next steps is to either update PAN-OS or try an updated GlobalProtect Client version.
Please let me know if there is a solution to this issue.
@bizznasty this is exactly the issue I am facing, specifically on some users. One of user has two windows laptops and connected as same user in both machines with same version of GP client, one works fine and other not working. Not sure what exactly it is causing, but interestingly, on the non-working machine he connected through mobile-hotspot and everything worked fine. This doesn't explain me ISP issue as well because on same network other windows laptop and MAC working fine.
Please let me know if you find any solution
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!