11-10-2019 08:22 PM - edited 11-10-2019 08:23 PM
I have VM300 with GP without split tunnel. Between with and without GP their is a lose of around 6mb.
Is it acceptable to have 6mb of overhead lose? Will enabling/disabling ipsec in ssl vpn setting make any difference.
11-14-2019 03:03 PM
Was it always this way?
Do you have threat profiles enabled for that traffic?
Is this affecting every client?
There are many things that could cause issues.. but we will need to narrow down what the issue may be.
11-14-2019 03:21 PM
No security profiles.
Not affecting every customer.
My question is what sort of overhead can be seen in GP
11-14-2019 10:28 PM
If you have split tunnel disabled (makes sense), then the public IP of the firewall needs to hairpin the communication from GP agent to destination IP on Internet. This could be a legitimate reason for why you will have some degradation, due to increased CPU utilization in hairpin.
I believe this is acceptable, as there is no way to NOT have some degradation.
As you mentioned, it does not affect every customer, so there are too many variables to indeed, determine that it is the GP config causing it.
You could always enable QoS to help prioritize traffic.
Keep working out the variables and let us know. I
11-14-2019 10:35 PM
User has performance issue when access a file in trust zone of the firewall over GP,ipsec tunnel.
I read on net SMB traffic over vpn is not very good.There are lot of tcp retransmissions.
11-14-2019 10:45 PM
Ok, still confused.
With split tunneling enabled (which is an irrelevant point) the user is still using the routing table (pushed by the GP config) to access the file in the trust zone.
With split tunneling disabled (which forces all traffic to the FW), the user is still using the same routing table to access the file in the trust zone.
I guess I do not see how split tunnel (on or off) would affect accessing the trust zone, UNLESS, there is a lot of non-productive traffic being pushed through the FW during the disabled split tunnel config)
Is the virtual pool of address in the GP config a non-overlapping/unique subnet, that is not on the trusted network?
What other info can you share?
Why does this not affect all customers, if you think it is a GP agent/configuration issue.
I presume you are doing a wireshark trace to see the re-transmissions. May be related, or may not be related.
If they try to NOT access using SMB, but go to a web server inside their network, does it work fine?
Is there a FTP server or similar that the user can try to upload/download files using a different application.
Any QoS enabled on the FWs?
Keep working and troubleshooting the issue.
02-10-2021 01:19 PM
Just wanted to let everyone know that if they are having any GlobalProtect issues, and need to troubleshoot the issue, our Very own @kiwi has written a great blog all about troubleshooting GlobalProtect.
Be sure to check it out here:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!