Global Protect Drops Connection Easily

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Drops Connection Easily

L1 Bithead

I observe that Global Protect drops connections while other apps are not.  What thresholds need to be exceeded for Global Protect to give up and drop? I would like to consider how to improve network or end point factors to limit the frequency of Global Protect failiures.

1 accepted solution

Accepted Solutions

L6 Presenter

You can see the list of adjustable thresholds under the GlobalProtect client App settings of the Portal:

Network->GlobalProtect->Portals->[portalconfig]->Agent->[agentconfig]->App

 

Select the help button or go to your local firewall for documentation of the values:

https://[firewall]/PAN_help/en/wwhelp/wwhimpl/js/html/wwhelp.htm#href=globalprotect-portals-agent-ap...

 

Or see the values in the PAN docs:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-global...

 

There are also a couple timeouts under the Gateway config, though I don't think they are relevant to your situation:

Network->GlobalProtect->Gateways->[gatewayconfig]->Agent->ConnectionSettings

 

You will really need to review the system and client logs to determine why the clients are getting disconnected. System logs:

Monitor->Logs->System

Monitor->Logs->GlobalProtect

Client logs:

GlobalProtectClient->dropdownmenu->Settings->Troubleshooting->CollectLogs

and look at the PanGPS.log in particular around the time of the disconnect.

 

View solution in original post

5 REPLIES 5

L7 Applicator

You really need to check the logs to see why it has disconnected as could be many reasons... 

 

does it reconnect after a while or do you need to manually connect again???

 

 export the logs from the client settings and check the pangps file. this will tell you whats going on...

Thank you for your reply.  I am developing a script for the collection of a variety of logged factors.  Mostly focused on the endpoint itself, but with the intent to uncover network-centric influences. That part has been done sporadically without a strategy. I plan to have that strategy in place today, with some simple elements that typify the customer experience so we can try to harvest as much as possible when it is happening.

 

Sometimes you will have to reconnect to network services and other times you will not.  It is really unpredictable.

 

I monitored a few end points that had repeated issues, discovered that they often had network-related performance concerns, but the issue did not always manifest. It seems that there must be more than one factor that needs to be present for Global Protect to drop the connection.

L6 Presenter

As @Mick_Ball says, there are many reasons it could be losing connection. Normally the GlobalProtect client will attempt to automatically reconnect the VPN to the existing Gateway when it detects a problem. If you are running multiple Gateways, then it may attempt to connect to a different Gateway after the first fails (which may or require re-authentication, depending on your setup).

 

It isn't exactly clear, but I suspect the primary VPN loss detection is from the values "TCP Connection Timeout" (default 5sec) and "TCP Receive Timeout" (default 30sec) in the client App settings. Once the GP client has determined it is no longer connected it tries automatically reconnecting per the "Automatic Restoration of VPN Connection Timeout" (default 30min) and "Wait Time Between VPN Connection Restore Attempts" (default 5sec) timers.

 

If the client has been deliberately kicked off the VPN (security, HIP check report failures, manually, etc.) then it doesn't appear to automatically restore the connection existing Gateway connection (requires reauth).

Might it be possible to get a complete list of Global Protect "thresholds" so I can attempt to correlate issues with end point performance and connectivity?  Armed with that I could perhaps target specific network and end point elements for change or improvement.

L6 Presenter

You can see the list of adjustable thresholds under the GlobalProtect client App settings of the Portal:

Network->GlobalProtect->Portals->[portalconfig]->Agent->[agentconfig]->App

 

Select the help button or go to your local firewall for documentation of the values:

https://[firewall]/PAN_help/en/wwhelp/wwhimpl/js/html/wwhelp.htm#href=globalprotect-portals-agent-ap...

 

Or see the values in the PAN docs:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-global...

 

There are also a couple timeouts under the Gateway config, though I don't think they are relevant to your situation:

Network->GlobalProtect->Gateways->[gatewayconfig]->Agent->ConnectionSettings

 

You will really need to review the system and client logs to determine why the clients are getting disconnected. System logs:

Monitor->Logs->System

Monitor->Logs->GlobalProtect

Client logs:

GlobalProtectClient->dropdownmenu->Settings->Troubleshooting->CollectLogs

and look at the PanGPS.log in particular around the time of the disconnect.

 

  • 1 accepted solution
  • 2155 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!