Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect and CPU usage

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect and CPU usage

L1 Bithead

I am a software developer, using GlobalProtect to connect to my customer's VPN. Everything was working OK until recent 2 or 3 weeks, when I started to notice, that after GP connection is established, CPU usage rises to 100%. Fans work at full speed and it is almost impossible to work due to slowness. After I disconnect, things go back to normal after few minutes (sometimes I even have to reboot to get rid of 100% CPU usage). I checked my PC for viruses and malware and did not find anything suspicious. Can anyone please give my any suggestion on how to solve this problem (reinstalling Windows is the last option, because I have lots of software installed).

 

Regards, Andrej

6 REPLIES 6

L6 Presenter

Which process is actually causing the CPU to go to 100%? The GP connection itself should not do that. However, the customer's GP VPN configuration could be forcing HIP security checks that kick off AV scans, software updates, etc. (as well as it could be your own AV trying to scan a newly connected network share from the customer, or a GP client update download).

Hi Adrian. Thanks for reply.

I do not know exactly which process is causing CPU to go to 100%.

If I check CPU usage before I establish VPN connection, it is about 15%.

After establishing VPN connection, CPU usage is 100% and processes that consume most of it are "System" and "Service Host: Network Store Interface Service".

I also tried with my AV temporary disabled, but no noticeable changes.

No client update is being performed (I have latest client version installed).

Here are the "before connection" and "after connection" screenshots of the Task Manager ordered by CPU usage:

 

before:

 

before  connectionbefore connection

 

after:

 

after connectionafter connection

 

Can customer check any log on the server side to find out what is going on?

Regards, Andrej

L6 Presenter

For your TaskManager... there use to be an option to show all users, it might be hiding there. Not sure... not really a Windows user.

 

From the end user GP interface, you can select GlobalProtect from the Taskbar. Click the menu and Settings -> Troubleshooting -> Collect Logs. This will dump out a GlobalProtectLogs.zip file of all the recent log files. The most relevant will be the PanGPS.log file which will show all the GP client discovery, configuration, and connection steps. The pan_gp_event.log file might also be useful. Be aware that these logs are quite extensive and I am not aware of any good debug documentation for understanding the contents/expected responses.

 

If you have the ability, you may want to try removing/reinstalling the GP client and see if that makes a difference. You could also try pointing a browser at your company's GP Portal address (i.e. https://vpn.example.com) and make sure you download the latest GP version the Portal is trying to install by default.

Cyber Elite
Cyber Elite

@azalar,

In your screenshot you have the CheckPoint VPN service listed in addition to Citrix Secure access. Do you leave all of these running at the same time when you connect to GlobalProtect?

 

It's odd that you aren't seeing GlobalProtect listed at all in task manager to check CPU utilization, but it is possible that this is a permission issue. I kind of agree with @Adrian_Jensen that this is most likely not being caused directly by GlobalProtect, but rather that something else installed is behaving poorly when you add GlobalProtect into the mix. This could be your own antivirus solution, or it could be a combination of your multiple VPN agents all not playing nicely together.

Just as an aside, if your working with different clients in a consulting capacity I would highly recommend you utilize a new VM for each client. Perform work for the client directly in the VM and only in that VM, and you never have to worry about the interoperability of everything working together nicely. It's also going to solve a lot of potential legal questions further down the road than comingling data on the same machine from multiple different clients.

Thank you for the answer. Yes,  I do have Citrix Secure Access also running on the same computer, although the connection over Citrix is not established while I connect to GP. I realize this might be the reason and I stopped Citrix process, but no difference. Besides, all this software was installed on this PC for over a year and it was performing well until few weeks ago. I did not install any additional SW in the meantime.

Thanks for advice on VM, I shall switch to that.   

L0 Member

We have the same issue.  Problem started occurring with the August Cumulative update (KB5041585), and continues with the September Cumulative Update.  

Able to replicate the problem on a clean Windows 11 23H2 machine with the following apps:
- CrowdStrike

- Citrix Secure Access

- Global Protect

- WSL

 

Removing any one of them resolves the problem.  We're in the middle of a PoC with Palo Alto (with a plan to migrate away from Citrix SA), so need both installed side-by-side (although not both running) for now. 

 

Thanks

James

  • 1139 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!