Unstable IPsec detection for ipsec-esp-udp application when connecting GlobalProtect VPN


L2 Linker

We have a setup with a primary PA firewall 1 that passes through GlobalProtect VPN traffic to a second PA firewall 2. We've seen sporadic connection problems when connecting a GlobalProtect client. Sometimes it can take up to 2 minutes to establish the VPN. When these connection problems occur, firewall 1 will log unknown-udp on port 4501. Besides allowing any application with service ports in the GlobalProtect policy, is it possible to improve reliability when using the ipsec application?


L6 Presenter



Any particular clients facing this issue? 

This is on Windows 64-bit using the latest client software.



It is hard to conclude based on this info. In your GP policy, do you have services as "any" or "application-default"? Do you have the ability to raise a TAC case, providing them with the PCAP from the firewall when the issue is visible?


This should be a fairly stable signature; I would raise a case with TAC and see if they could work with you on it. 

L2 Linker

Policy was initially configured with default-application. We've experienced better reliability using service ports instead. We still get sporadic VPN connections that are logged as unknown-udp on port 4501, though, but it is working.


Also forgot to mention that there is a destination NAT policy involved.

It's a bit hard to do packet capture since VPN connections generate so much data. We've got no reliable way to reproduce unknown-udp application detection. But I'll keep it in mind in case we have to do some further digging.



I don't think DNAT should be causing issues. If the application is identified incorrectly (unknown-udp is also an app within the database), then a TAC case is the next destination 😄 Please post the outcome.

L2 Linker

An update: This was a hard-to-replicate App-ID misidentification, but it got fixed in content update 752-4343.

