Weird problem with SSL VPN traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Weird problem with SSL VPN traffic

L1 Bithead

Hi folks,

We have two PA firewall pairs.

We have two three VPN systems behind the firewalls -- 3SP SSL-Explorer, Barracuda SSL VPN and Windows PPTP VPN.

We've had a problem over the last week where the SSL VPN systems wouldn't load their client Java applets properly and the web interface (https) would just intermittently time out, and PPTP users couldn't connect in remotely, authentication would time out.

I narrowed it down to one of the PA devices.  One would pass the traffic fine, the other would not.  I noticed one of the pair was becoming active in the HA pair intermittently, due to "split brain".  That hasn't happened before.  I checked the rulesets between the devices, they appear to match.  I tried rebooting the faulty box, but still the problem persisted, so I've ended up shutting it down to stop us failing over it to.

Anybody seen anything like this before?  It's really weird.

8 REPLIES 8

L5 Sessionator

There might be an issue with the HA1 link. HA1 link is the control link and is used for all management plane interactions between the members of the cluster. If the HA1 is faulty, each device would assume that its peer is no longer in cluster and tries to assume the mastership of the cluster. Please reseat the cables or change them to see if it makes a difference.

BR,

Karthik RP

L5 Sessionator

Is it just the VPN traffic that is having this issue or other traffic that suffer from the same problem? like people complaining about slow web browsing. Plus correct me if I am wrong, but is this an active passive setup?

BR,

Karthik RP

Hi,

It's Active-Passive.  Right now the only complaint we hear from users is around VPN traffic, however in the past when we've failed over we've heard complaints around slow web browsing.

I would check the HA1 link first. At the same time, we also want to verify if the upstream/downstream switches did receive and process the gratuitous arps whenever there was a failover. If the cluster is an active-passive setup, the passive device shouldnt transmit any traffic from the upstream/downstream switches.

BR,

Karthik

L5 Sessionator

If you are experiencing issues due to split brain, i think you should troubleshoot the split brain issue and see if you still have the VPN issue.

Here is a good doc for it

https://live.paloaltonetworks.com/docs/DOC-1094#comment-1321

https://live.paloaltonetworks.com/docs/DOC-1997

The following doc explains HA Failover optimization

https://live.paloaltonetworks.com/docs/DOC-5008

Hope this helps

Thanks

Hi

I tried switching off the other HA pair, to rule out HA problems - the broken box still botches SSL and PPTP traffic.

If you are not having split brain issue anymore and still running into issues with traffic. Try creating an app override for that traffic and see if that helps.

Here is how to create an app override.

https://live.paloaltonetworks.com/docs/DOC-1071

Hope this helps.

Thanks

Not applicable

Hello Kevin,

Could you reply with the steps to complete a PPTP vpn? I cant figure it out. Thanks

  • 3957 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!