PAN2050 data stops when global protect client downloaded

L1 Bithead

Has anyone seen this issue? We have had this issue for months with no relief, and I am at my wits' end. Forgive me if my frustration comes through......


What happens is this:

A remote user will log in to the VPN web page and click the link to download the GP client, then..... *poof*! All traffic in every direction stops. ALL the PAN layer 3 interfaces stop pinging, everything except the management plane. It stays like this for about 5 minutes, then *poof*! everything is back. NO errors, NOTHING. The user's download has failed, but I can't deal with that because my phone is ringing like crazy.


I know what you're thinking: it's you, not PAN. Well, keep in mind we run these checks against the PAN appliance from every direction (DMZ, internal, etc.). And from each direction we see PAN's layer 3 interfaces all going dark (no pings) at the same time. Crazy, right? I'm saying this is not just the "TRUST" side but also the "DMZ" side AND the external side. All angles, different networks, switches, everything. It's as if the PAN appliance disappears from the network. EXCEPT the management plane, which shows no errors. Zero traffic, but no errors. HA! Oh, BTW, the directly connected switches are not related and have redundant power.

We even received a new RMA PA-2050 appliance and updated all PAN-OS software to the latest versions. We imported our configuration snapshot and moved the cables over to the appliance around 4 pm yesterday.... by 9:15 pm the appliance demonstrated the exact same behavior. That is, all traffic in all directions stopped for about 5 minutes when someone initiated a download of the VPN client software.

Before you ask (forgive me if my frustration comes through......):

Yes, the current version is installed. This problem has been with us for a LONG time, so this issue has existed in every version of 6.x.x at least.

Yes, I have factory reset the appliance and reloaded the config.

No, it does not happen every time the client is downloaded, just sometimes.

No, the PAN is not being utilized at or near its stated throughput (in fact this will happen late at night too, when nearly no load is on the appliance).

Yes, I have a case open with PAN support. For months, in fact.

NO, I did not check my switch on the ________ zone/side for setting _______. Listen, I have different model switches (from different manufacturers) on each zone. They are not connected, and I have redundant power supplies. If you think there is a chance my 3 separate unrelated switches all failed in the same way at the same time, then.... well, just think about it.


L3 Networker

Hello Paul

I have a few questions:

  • What is the software version? Type the command > show system info and paste the output.
  • When the GP download is initiated, did you do a packet capture with the source and destination filters set? If yes, could you please paste a screenshot of the packet capture?

Below are the steps to do a packet capture:

  1. Set up the filters for the traffic we are interested in. To do this, execute the following steps:

     Navigate to Monitor > Packet Capture.

     Click 'Manage Filters'.

     Set Filter ID 1 to be the source IP and destination IP of the traffic you feel is affected (leave all other fields blank).

     Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in the source field, source IP in the destination field).

  2. Set up the captures.

     Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop).

  3. Enable filters and captures:

     debug dataplane packet-diag set filter on

     debug dataplane packet-diag set capture on

  4. Open 2 CLI windows.

     In one, run the following command to look at the counters (make sure to run this command once before running the traffic):

     show counter global filter packet-filter yes delta yes

     In the 2nd window, run the following command to look at the sessions:

     show session all filter source <ip address> destination <ip address>

  5. Now download the client while it is failing, and look at the counters, captures and sessions to determine what is causing the issue.

  6. Once you have finished testing and capturing, make sure to turn off the debugs.

I have seen GlobalProtect client download freeze issues in the virtual firewalls, and one shot in the dark is to bypass the TCP asymmetric path. For testing purposes, please run the following command and try a test download of the GlobalProtect client from the portal.

admin# set deviceconfig setting tcp asymmetric-path bypass

Note: Please mark any helpful or correct answers!

Regards

Khan
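The capture-and-counter workflow from the reply above, consolidated into one PAN-OS operational CLI session, is shown here as an added example; it is not part of the original thread and not Palo Alto's own documentation. It assumes a remote client at 203.0.113.10 and the GP portal interface at 198.51.100.1 (both constructed addresses), uses the CLI equivalents of the Monitor > Packet Capture filter and stage settings, and goes one step beyond the reply by adding the teardown and a look at the drop-stage file. Lines beginning with # are annotations, not commands.

```text
# --- 1. Filters: client -> portal, plus the exact inverse (constructed addresses) ---
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source 203.0.113.10 destination 198.51.100.1
> debug dataplane packet-diag set filter match source 198.51.100.1 destination 203.0.113.10
> debug dataplane packet-diag show setting

# --- 2. One capture file per stage (file names are assumptions) ---
> debug dataplane packet-diag set capture stage receive file gp-rx.pcap
> debug dataplane packet-diag set capture stage transmit file gp-tx.pcap
> debug dataplane packet-diag set capture stage firewall file gp-fw.pcap
> debug dataplane packet-diag set capture stage drop file gp-drop.pcap

# --- 3. Enable the filters first, then the capture ---
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set capture on

# --- 4. Baseline: run the delta counter once BEFORE the download, so the next
#        run shows only counters that moved during the reproduction ---
> show counter global filter packet-filter yes delta yes
# Second CLI window: watch the client's session while the download runs
> show session all filter source 203.0.113.10 destination 198.51.100.1

# --- 5. Reproduce (user clicks the GP client download), then read the delta again ---
> show counter global filter packet-filter yes delta yes

# --- 6. Teardown: capture off, filter off, clear, then inspect the drop stage first ---
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear all
> view-pcap filter-pcap gp-drop.pcap
```

Two practical points: the delta counters reset each time they are read, so the first `show counter` run is a throwaway baseline and only the second run, taken right after the outage, is meaningful; and the drop-stage file is the one to open first, because a 5-minute blackout of every dataplane interface with a quiet management plane is more likely to show up as a dataplane drop reason than as anything in the traffic log. The `set deviceconfig setting tcp asymmetric-path bypass` suggestion in the reply is a configuration-mode change and only takes effect after a commit.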

L3 Networker

Are you using default page or custom page for GP?

What exact software version is being used?

Did you import config on same revision of RMA unit?

Does the problem exist in older rev too?

I know, too many questions, but they can give some hints.
