Globalprotect 5.2.5 popup message

L3 Networker

Hi All,

 

Having just deployed version 5.2.5 when I connect on Globalprotect I get a pop up stating "The network connection is unreliable and GlobalProtect reconnected using an alternate method......". This did not appear before and was not present on 5.2.4. We need version 5.2.5 for O365 split tunneling, there is an issue using 5.2.3 and 5.2.4.

 

I have noticed I'm connecting as SSL even though the gateway is configured for "enable Ipsec" and the rule has Ipsec in its app field.

 

Is there a way to remove this notification (having looked I can't see anything obvious)? I will shortly be pushing this client out to 3500 users.

 

Regards

 

Adrian

Accepted Solutions

L5 Sessionator

@a.jones 
At this point, disabling IPSEC mode under the GlobalProtect Gateway config is the way to remove the pop-up.

I already opened a ticket and TAC said they will fix the issue in GP 5.2.6, and a new option will be available under Agent Configuration in the GlobalProtect portal.

Hope this will help you.

 

Regards,

Emr

L0 Member

Issue: Notification on GP client version 5.2.6 (The network connection is unreliable and global protect reconnected using an alternate method. You may experience slowness when accessing the internet or business application)

 

RCA: GlobalProtect clients are receiving the notification when the connection falls back from IPSEC to SSL, even after disabling the 'display IPSEC to SSL fallback notification' option in the portal app configuration.

Workaround: Until the fixed version is released, you need to disable the IPSec tunnel in the gateway in GP 5.2.6 or downgrade to GP 5.2.4, where the notification feature is not available.

We may expect the fix in 5.2.7.

20 REPLIES 20

Thanks. I had disabled and it cleared. Pain but I'll have to live with it until next version.

 

Regards

 

Adrian

Thanks for sharing this information Emr

I hope 5.2.6 will be out soon.

 

L5 Sessionator

Hi All,

 

Just to share the latest info with you all.

 

GP Agent v5.2.5-c84 was released instead of v5.2.6.

You can find the addressed issue in release note:

===

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/gp-app-release-i...

 

GPC-12568

Fixed an issue where, when the Connect with SSL Only option was specified as the GlobalProtect connection setting, the GlobalProtect app displayed the notification The network connection is unreliable and GlobalProtect reconnected using an alternate method. You may experience slowness when accessing the internet or business applications. when the GlobalProtect connection cannot be established as IPSec and then falls back to SSL.

===

 

In addition to the above, after you update your content signature, you can find a new option in App Configuration under the GlobalProtect portal settings, called 'Display IPSec to SSL Fallback Notification'.

The default value is 'yes'.

 

Regards,

Emr

 

L2 Linker

As someone who just upgraded to 5.2.6 I can tell you that upgrading doesn't fix it! 🙂

 

I am tired of being asked what this message means. So I am throwing in the towel and unchecking IPSec.

 

PA support - please fix it. Super annoying.

Hi

afaik you have to disable it in the Portal > Agent > App

Per default it's still enabled.

Think this switch is only working with 5.2.5-c84 and 5.2.6.

Still seeing this after activating 5.2.6 from PAN-OS 8.1.6 and running GlobalProtect Version 5.2.6-87.

 

To change this on the Portal, go to Network tab > GlobalProtect > Portals > choose the Portal > from the GlobalProtect Portal Configuration screen, click on Agent > select the relevant option under Configs > click on the App tab > the option is called "Display IPSec to SSL Fallback Notification"; by default this is set to Yes, change to No > click on OK > click on OK again > repeat for any other Portals where this change is required > Commit changes to Panorama or to the Firewall as required to suppress the message as needed.

As mentioned by user Emr_1, to suppress this message, this needs to be disabled on the Gateway: from Network tab > GlobalProtect > Gateways > Agent > under the Tunnel Settings tab, uncheck Enable IPSec > repeat for any other Gateways where this change is required > Commit changes to Panorama or to the Firewall as required to suppress the message as needed.

 

Another point to consider, which I ran into, is whether or not you are having issues with GlobalProtect traffic dropping IPSec connections, using UDP Port 4501. 

When the GlobalProtect client tries to connect, it first tries to connect over IPSec, using UDP, the faster protocol; if this fails, GlobalProtect falls back to SSL, over TCP, the slower protocol. The message is shown because the GlobalProtect client is falling back from IPSec to SSL for the VPN connection.

 

Performed a collection of GPClient logs from a Windows laptop and searched in PANGPS.log for "Trying to do IPsec". Found that this was generating "failed to receive keep alive", then followed by "Disconnect udp socket"; a few lines down we see "ipsec failed to start", then we see "IPSec fallback reason is IPSec connection failed".

 

Upon further investigation on the Traffic Monitor, we saw that traffic to UDP port 4501 is being denied for the GlobalProtect security policy, as a result, the IPSec Tunnel will fail and fallback to SSL will occur.

 

Proceeded to modify the GlobalProtect Security Policy that we had in place, added in the IPSec application, then changed the GlobalProtect>Gateways>Agent>under Tunnel Settings tab, re-checked the Enable IPSec>Committed changes.

 

This time, when my client connected to the GlobalProtect VPN, I saw IPSec as the Connection type, no longer seeing Notification Warning message. Repeated the same process for my other Gateways, left Portal to have Notification for Fallback set to No and this worked.

 

Need to keep in mind why the message is appearing, as sometimes this can be an indication of an underlying configuration issue that you should focus on, so as to provide an optimal user experience. Thanks to Harish Krishan, Technical Support Engineer from Palo Alto for help working through this scenario. 

 

 

 

Hello

We still have users who receive the warning. Portal config was adjusted, GP is 5.2.5-c84.

The agent log (PanGPA.log) holds the following line:

<display-tunnel-fallback-notification>no</display-tunnel-fallback-notification>

 

So I would assume everything is configured as required.

Any idea on this?
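The two log checks described in the replies above (the fallback sequence in PanGPS.log and the notification flag in PanGPA.log) can be scripted for triage across many clients. This is an added example, not part of any post and not Palo Alto tooling; the function names are hypothetical and the sample lines are constructed from the phrases quoted in the thread, so real log lines will carry other fields.

```python
import re

# Phrases quoted in the thread, matched case-insensitively as substrings.
ATTEMPT = "trying to do ipsec"
FAILURE_MARKERS = ["failed to receive keep alive", "disconnect udp socket",
                   "ipsec failed to start"]
REASON_RE = re.compile(r"ipsec fallback reason is (.+)", re.IGNORECASE)
NOTIFY_RE = re.compile(
    r"<display-tunnel-fallback-notification>(\w+)</display-tunnel-fallback-notification>")


def ipsec_attempts(lines):
    """Group PanGPS.log lines by IPsec attempt and record what follows each one."""
    attempts = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        if ATTEMPT in low:
            attempts.append({"line": number, "markers": [], "reason": None})
        elif attempts:  # lines before the first attempt are ignored
            current = attempts[-1]
            current["markers"] += [m for m in FAILURE_MARKERS
                                   if m in low and m not in current["markers"]]
            match = REASON_RE.search(line)
            if match:
                current["reason"] = match.group(1).strip()
    return attempts


def fell_back(attempt):
    """An attempt counts as a fallback when the log states a fallback reason."""
    return attempt["reason"] is not None


def notification_setting(lines):
    """Last value of the fallback-notification flag found in PanGPA.log text."""
    values = [m.group(1) for line in lines for m in NOTIFY_RE.finditer(line)]
    return values[-1] if values else None


# Constructed sample (timestamps and layout are assumptions, not real log output).
SAMPLE_PANGPS = """\
2021-01-01 09:00:01 Trying to do IPsec connection
2021-01-01 09:00:06 failed to receive keep alive
2021-01-01 09:00:06 Disconnect udp socket
2021-01-01 09:00:07 ipsec failed to start
2021-01-01 09:00:07 IPSec fallback reason is IPSec connection failed
2021-01-01 10:30:00 Trying to do IPsec connection
""".splitlines()

if __name__ == "__main__":
    for a in ipsec_attempts(SAMPLE_PANGPS):
        print(a["line"], "fallback" if fell_back(a) else "no fallback", a["reason"])
```

A client that reports a fallback reason on every attempt points at the UDP 4501 path or the security policy rather than at the notification setting.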

L3 Networker

I've just updated to 5.2.5-c84 and I'm getting the message as others have reported.  I did find a solution that was presented on another forum.  In a nutshell it appears that there needs to be a u-turn NAT to the public IP for the GP portal address to UDP 4501.  Detailed here: GlobalProtect: how to disable alert that connection is unrealiable : paloaltonetworks (reddit.com)

L4 Transporter

I've noticed this (new?) setting in the GP agent app config. It doesn't appear to be documented, nor does it appear to do anything. I know from previous experiences, that certain GP features are introduced in content releases, rather than in PanOS updates, so maybe this is something "in the works" at the moment. Just thought I'd pass it along for others. If anyone comes across info on this setting, please share.

 

@danoman2 Thank you very much for pointing this out. I have several VM-300 Series running on Azure and AWS; allowing UDP port 4501 on the Security Group of the External Interface removed the warning logs/messages for me. Is there any way we can get Palo Alto to add this into the documentation for others that will encounter said error?

The solution from Reddit was just for cases, when gateway was on private (loopback) address and NAT was only configured for TCP 443 and not UDP 4501 (for ESP over UDP). And it wasn't U-turn NAT.

 

I guess there remains an open issue that option which should disable notification about fallback from IPSEC to SSL doesn't disable it even in version 5.2.6? And I believe this option was introduced only in 5.2.5?

 

The main question is; have you noticed that clients previously connecting over IPSEC now connect only over SSL?

L4 Transporter

We recently resolved this by adding ipsec-esp-udp as an allowed app on our security policy for GP. IPSEC connections started working again, and the notice went away.
