Slow GlobalProtect on PA-1410


Trying to see what might be going on with our PA-1410 after we upgraded to 11.0.2-h4 from 11.0.2-h1. We have tons of tickets for slow GP connections since that upgrade a few weeks back. We have a 1gb link and average usage is <100mb.

 

Users will connect to GP, go to the file server, go to open an Excel file and you'll see Excel saying it is opening a file and watch the percentage go up. When it works, it can take 20-30 seconds to open a 1Mb file. Watching the GP adapter in Windows task manager will never see usage more than 25mbit. There are other times when the file will stop opening altogether. Go back to the folder and it will not refresh. Thinking it might have been our file server, moved some files to a known good server and had the same results. This does not happen internally, only when GP is in the mix.

 

When this is happening, I try and go into the web GUI of the PA-1410 (across GP) and a lot of time it will not come up. Happens across different browsers and different machines. I get the login screen, and then just a yellow screen with a spinning progress meter in the browser. Go to a jump box internally, and I can get to the GUI. I check to see if there is something getting triggered in the threat monitor, but there is nothing. Management and Data Plane CPU are <2% when I do finally get in.

 

In my GP to internal security rule I have 'Disable Server Response Inspection' ticked, and for testing have None for the Profile Type under Profile Setting.

 

Did an upgrade to 11.0.3-h10 last night with no change in speed. While I never did any speed tests before, I don't think it was ever this slow previously. Work from home users are getting really frustrated.

 

Do have an open support case but hoping some fresh eyes might help.

3 REPLIES 3

Cyber Elite

@inSync-MarkValpreda,

This early in the branch you've likely encountered a bug that just hasn't been fixed yet and your support ticket is the best path forward since you can't really downgrade.

 

I actually am gonna recommend looking into something I'm crazy to suggest, but have you thought about upgrading to 11.1? It's actually been more stable than 11.0 for the customers that I have stuck running newer platforms and what I'm recommending they go with at this point. You essentially switch one "bleeding edge" release for another "bleeding edge" release, but 11.1 seems to be more stable in my personal experience and folks surprisingly encounter fewer issues than 11.0.

I wouldn't really recommend someone upgrade to 11.1 on production equipment, but for people on newer platforms like yours where you only have the choice of 11.0 and higher I'd just bite the bullet and look at 11.1.

L6 Presenter

Unless there's some mandatory feature you need in 11.0 my recommendation would be to downgrade to 10.2.X and see if that improves the user experience.  (I think 10.2.8h4 is the current preferred version...10.2.9h1 has an issue with GP speed related to CVE-2024-3400)...--edit--  Just saw that 11.0 is the minimum support version for the 1400.

 

My recommendation would be similar to @BPry.  You're in a tough spot.  IMO, none of the newer code is ready for production deployments, but maybe pushing ahead to 11.1 would be a better option than staying on 11.0?

Turned off Zone Protection Profiles on both the LAN and GlobalProtect zones....up to ~200mbit on connections now. Going to work more with PA Support to see what might be going on.

Not opposed to going to 11.1. We're not doing anything crazy on our device.
