Having just deployed version 5.2.5, when I connect on GlobalProtect I get a pop-up stating "The network connection is unreliable and GlobalProtect reconnected using an alternate method...". This did not appear before and was not present on 5.2.4. We need version 5.2.5 for O365 split tunneling; there is an issue using 5.2.3 and 5.2.4.
I have noticed I'm connecting as SSL even though the gateway is configured for "enable Ipsec" and the rule has IPsec in its app field.
Is there a way to remove this notification (having looked I can't see anything obvious)? I will shortly be pushing this client out to 3500 users.
I've noticed this (new?) setting in the GP agent app config. It doesn't appear to be documented, nor does it appear to do anything. I know from previous experience that certain GP features are introduced in content releases, rather than in PAN-OS updates, so maybe this is something "in the works" at the moment. Just thought I'd pass it along for others. If anyone comes across info on this setting, please share.
@Danross Thank you very much for pointing this out. I have several VM-300 Series running on Azure and AWS; allowing UDP port 4501 on the Security Group of the External Interface removed the warning logs/messages for me. Is there any way we can get Palo Alto to add this into the documentation for others that will encounter said error?
The solution from Reddit was just for cases when the gateway was on a private (loopback) address and NAT was only configured for TCP 443 and not UDP 4501 (for ESP over UDP). And it wasn't U-turn NAT.
I guess there remains an open issue that the option which should disable the notification about fallback from IPSEC to SSL doesn't disable it even in version 5.2.6? And I believe this option was introduced only in 5.2.5?
The main question is: have you noticed that clients previously connecting over IPSEC now connect only over SSL?
Issue: Notification on GP client version 5.2.6 (The network connection is unreliable and GlobalProtect reconnected using an alternate method. You may experience slowness when accessing the internet or business application.)
RCA: GlobalProtect clients are receiving the notification when the connection falls back from IPSEC to SSL even after disabling the 'display IPSEC to SSL fallback notification' in the portal app configuration.
Workaround: Until the fixed version is released, you need to disable the IPSec tunnel in the gateway in GP 5.2.6 or downgrade to GP 5.2.4, where the notification feature is not available.
We may expect the fix in 5.2.7.