Problems with GlobalProtect from China?

Reply
Highlighted
L1 Bithead

Problems with GlobalProtect from China?

Hi,

 

  we have a user who spends a lot of time in China, but is having major problems getting GlobalProtect working while there.  Does anyone else have any experience running GlobalProtect out of China (to Norway, in our case), either positive or negative?

 

We're seeing tunnels sometimes going down for no apparent reasons, "Failed to connect to remote host" messages on reconnect, and generally poor performance.  Most of the time the user isn't able to use GlobalProtect.

 

- Håvard

Highlighted
L4 Transporter

Re: Problems with GlobalProtect from China?

hi,

 

we also have remote users in china. they don't having problems at all...

If (just sometimes) they have problems to conntect is because of the china great firewall: - latency issue and trying to decrypt SSL connections.

Workaround: waiting or try another portal.

 

check how the latency is from the client is, use a newer version of GP and ensure a none decrypted connection...

Highlighted
L1 Bithead

Re: Problems with GlobalProtect from China?

We currently have only one portal (and one gateway), so trying another isn't an option.  However, it was suggested to me to try running a PAN-OS VM in AWS (Singapore), which might bypass some of the issues with the chinese firewall.  I'll see if I can try it this month.

Highlighted
L2 Linker

Re: Problems with GlobalProtect from China?

I notice this old thread, but would like to comment on it and maybe get more replies. 

We have hosted Global Protect in China with mixed results. It used to work on Verizon line, but since we switched to China telecom it is not working. It seems like the problem is ssl connection, and that ssl requests are not even reaching the portal/gateway. 

 

Highlighted
L4 Transporter

Re: Problems with GlobalProtect from China?

Hi @goran.katava,

 

Are you sure that you are using the GlobalProtect in SSL mode and not in IPsec mode?

 

In the past I had issues with IPsec based RA VPN (on another firewall vendor) for users connecting from China and the solution was to switch from IPsec to SSL for the RA VPN. This was few years ago and I am surprise to hear that the SSL based VPN is having issues. 

 

 

Highlighted
L5 Sessionator

Re: Problems with GlobalProtect from China?

Hello All,

 

We had also faced issues with IPSEC from China. Most of the times, there were huge latency and drops too.

 

- Mayur



Mayur Sutare
Highlighted
L2 Linker

Re: Problems with GlobalProtect from China?

Yea, I am sure, IPSEC mode. 

 

All sudden it started working. It was most probably blocked by ISP.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!