01-16-2015 07:31 AM
Has anyone seen this issue? We have had this issue for months with no relief and am at my wits end. Forgive me if my frustration comes through......
what happens is this:
A remote user will login to VPN web page and click the link to download the GP client then..... *poof*! All traffic in every direction stops. ALL the PAN layer 3 interfaces stop pinging. everything except management plane. It stays like this for about 5 minutes then *poof*! everything is back. NO errors, NOTHING. The users download has failed but i cant deal with that because my phone is ringing like crazy.
I know what your thinking, its you, not PAN. Well, keep in mind we run these checks against the PAN appliance from every direction(dmz,internal,etc). And from each direction we show PAN’s layer 3 interfaces all going dark(no pings) at the same. Crazy right? Im saying this is not just “TRUST” side but also from the “DMZ” side AND External side. all angles, different networks, switches, everything. its as if PAN appliance disappears from network. EXCEPT management plane. which shows no errors. zero traffic, but no errors. HA! Oh btw, the directly connected switches are not related and have redundant power.
we even received a new RMA PA-2050 appliance and updated all PANOS software to the latest versions., we Imported our configuration snapshot and moved cables over to appliance around 4pm yesterday….by 9:15 pm the appliance demonstrated the exact same behavior. That is, All traffic in all direction stopped for about 5 minutes when someone initiated a download of the VPN client software.
before you ask(Forgive me if my frustration comes through......):
yes, The current version is installed. This problem has been with us for a LONG time so this issue has existed in every version of 6.x.x. at least.
yes, i have factory reset the appliance and reloaded config.
no, it does not happen every-time the client is downloaded, just sometimes.
no, the PAN is not being utilized at or near its stated throughput (in fact this will happen late at night too when nearly no load is on the appliance)
yes, i have a case open with pan support. for months in fact.
NO, I did not check my switch on the ________ zone/side for setting _______. Listen, i have different model switches (from different manf) on each zone. they are not connected, and I have redundant power supplies, if you think there is a chance my 3 separate unrelated switches all failed in same way at same time then.... well, just think about it.
01-16-2015 08:53 AM
Hello Paul
I have a few questions
Below are the steps to do a packet capture
Navigate to Monitor--Packet Capture
Click 'Manage Filters'
Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )
Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)
2. Setup up the captures
Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)
3. Enable filters and captures
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture on
4. open 2 CLI windows
on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)
show counter global filter packet-filter yes delta yes
on the 2nd window run the following command to look at he sessions
show session all filter source <ip address> destination <ip address>
5. Now download the client while it is failing to look at the counters and captures and sessions to determine what is causing the issue.
6. Once you have finished testing and capturing. Make sure to turn off the debugs.
I have seen Global protect client download freeze issues in the virtual firewalls and one Shot in the dark is to bypass tcp asymmetric path. For testing purpose please run the following command and try a test to download the global protect client from the portal.
admin# set deviceconfig setting tcp asymmetric-path bypass
Note: Please mark any helpful or Correct answers!
Regards
Khan
01-23-2015 05:17 PM
Are you using default page or custom page for GP?
What exact software version is being used?
Did you import config on same revision of RMA unit?
Does the problem exist in older rev too?
I know too many questions but it can give some hints.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
