Have just noticed that having connected to GlobalProtect on Android (client version 5.0.3-13), I can browse the Google Play Store but can no longer download any apps or app updates. The status will say "Downloading" but never starts. The security policy on the appliance is allow outbound and everything is being allowed as far as I can tell. Disconnecting the Android phone from GlobalProtect fixes the problem, and apps can be downloaded again.
Is anyone else experiencing this?
Do you have decrypt enabled?
Is there security policy allowing/denying these downloads?
Are any threats being triggered?
Can you check the global counters to see if any interesting messages show up?
Policy shows traffic being allowed, although I have not precisely been able to tie down the destination IP address used by Google Play Store. Anyway, I saw no logs in monitor for traffic being denied in an outbound direction.
No threats were found matching the source IP address of the client device.
I have had a look through global counters but there is so much in there, do you have any hints? I did a filter on severity drop and could not see anything incrementing.
You'll want to filter global counters:
> debug dataplane packet-diag set filter match source <src> destination <dst>
> debug dataplane packet-diag set filter match source <dst> destination <src>
> debug dataplane packet-diag set filter on
> show counter global filter delta yes packet-filter yes (establishes the delta start)
> show counter global filter delta yes packet-filter yes
If you don't know the exact destination, leave that blank (play around with the available filters to narrow down as much as possible).
Is split tunnel enabled on the GP agent?
Ok have set up the filter and then tried downloading from Play Store. These lines keep appearing more often than anything else:
pkt_outstanding 6 0 info packet pktproc Outstanding packet to be transmitted
pkt_alloc 16 0 info packet resource Packets allocated
pkt_swbuf_fwd 14 0 info packet pktproc Packets transmitted using software buffer
flow_tcp_non_syn 1 0 info flow session Non-SYN TCP packets without session match
flow_tcp_non_syn_drop 1 0 drop flow session Packets dropped: non-SYN TCP without session match
There is no split tunneling configured.
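A small triage helper for counter output like the rows pasted above, as an added example that is not part of any poster's reply or of Palo Alto's tooling: it parses `show counter global` rows and keeps only the non-zero drop, error and warn counters. The five data rows are the ones from the post; the header and ruler lines are constructed, and the function names are hypothetical.

```python
import re
from typing import NamedTuple

class Counter(NamedTuple):
    name: str
    value: int      # with "delta yes", the change since the previous sample
    rate: int
    severity: str
    category: str
    aspect: str
    description: str

# Column order: name value rate severity category aspect description
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(info|warn|error|drop)\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)

def parse_counters(text):
    """Parse pasted counter rows; header, ruler and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, value, rate, sev, cat, aspect, desc = m.groups()
            rows.append(Counter(name, int(value), int(rate), sev, cat, aspect, desc))
    return rows

def triage(rows, severities=("drop", "error", "warn")):
    """Return non-zero counters of the given severities, highest value first."""
    hits = [r for r in rows if r.severity in severities and r.value > 0]
    return sorted(hits, key=lambda r: r.value, reverse=True)

# Data rows copied from the post; the first two lines are constructed.
SAMPLE = """\
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_outstanding 6 0 info packet pktproc Outstanding packet to be transmitted
pkt_alloc 16 0 info packet resource Packets allocated
pkt_swbuf_fwd 14 0 info packet pktproc Packets transmitted using software buffer
flow_tcp_non_syn 1 0 info flow session Non-SYN TCP packets without session match
flow_tcp_non_syn_drop 1 0 drop flow session Packets dropped: non-SYN TCP without session match
"""

if __name__ == "__main__":
    for r in triage(parse_counters(SAMPLE)):
        print(f"{r.severity:5} {r.name:24} {r.value:>6}  {r.description}")
```
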
I have the same issue when doing full tunnel or split tunnel by defining all Google networks. Users cannot access Google Play but all other Google applications are working perfectly.
I see this in the mobile logs:
(11200)10/18 08:16:04:508918 - PanVPNService: black/white app list is empty and no default access route, add play store app to blacklist
(11200)10/18 08:16:04:509337 - addDisallowedApplication, appName=com.android.vending
(11200)10/18 08:16:04:509681 - SetVNICConfig return true
(11200)10/18 08:16:04:550990 - startVirtualInterface success
(11200)10/18 08:16:04:551061 - detach the fd and send it to native code, fd=102
Hello again,
We found first that access to Google is using the com.android.vending URL.
We also found out today that Google is using non-Google IP segments to host their applications. We had the situation that we were not able to download any application and we were seeing "Waiting for download...". Then with the NETSTAT app I saw that Download Manager had sent a SYN but got no reply because I was blocking. Then I allowed it and it worked.
Now, the question is what these ranges are for content download from GlobalProtect per region.