Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect Connection Issues in PAN-OS 10.2.7-h3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Connection Issues in PAN-OS 10.2.7-h3

L0 Member

Hello Friends, 
What troubleshooting steps can I take to address the GlobalProtect connectivity issues, including the "Your GlobalProtect session has been disconnected due to network connectivity issues or session timeouts" notification and the SSL VPN GlobalProtect connected status with 0 bytes traffic after upgrading PAN-OS to version 10.2.7-h3?
Notes : The installed GlobalProtect version on the Windows OS is 6.2.2-259.

Thank you. 

23 REPLIES 23

L0 Member

Hi, we have the same Problem since update to 10.2.7-h3. It happens with all Windows Versions (7 / 10 / 11) and only with windows.

With Mac OS there is no Problem.

We try different GlobalProtect Versions but always the same problem. Users need up to 20 attempts to get a working connection.

Our seller have two other customers with the same Problem since two weeks.

 

A solution would be nice!

L1 Bithead

This may not be related but after upgrading to the same version my HIP objects and policy match but the security policy that uses that HIP policy won't match. Maybe see if you're seeing the same issue preventing your GP clients from connecting. I don't have a work around yet other than removing the HIP profile from the security policy for GP connections.

L0 Member

Today we were able to narrow down the error.

It's definitely a problem with SSL and Windows only. On Mac OS everything work fine - no problems.

Now we made a security profile WAN to WAN with UDP 4501 and https, Then we enable IPSec in GlobelProtect (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPY1CAO).

Now, the connection is established with IP-Sec and the Problems are gone.

 

We hope, that Palo fix this Problem.

 

L2 Linker

Multiple complains from our customers about this. I hope PAN is aware of the issue.

L2 Linker

I had the same issue when I upgraded from 9.1.14 to 9.1.17. The issue got solved today when I downgraded to 9.1.14-h7.  H& has the 2024 certificate.  This is definitely a bug.

L0 Member

I have the same issue. I'm considering a downgrade since it started after we installed 10.2.7-h3.

Had this exact same problem after 9.1.17 upgrade... SSL GP unstable (connecting/reconnecting) and when connected, some clients not being able to access resources, 0 bytes/packets in.

While going thru the GP logs, found this: "--Too many outstanding keepalive and no response from GP gateway, disconnect tunnel"

 

Opened a TAC case and waiting for the response.

 

By the way, in our case, the workaround was to enable IPSec under Global Protect Gateway for the locations that didn't have yet. The locations using IPSec already had not reported issues.

Cyber Elite
Cyber Elite

I always enable IPSec under GlobalProtect gateway.

If IPSec checkbox is checked then GlobalProtect Agent will try 3 times to connect over udp/4501 and if it fails then will fall back to SSL protocol.

 

In latest PANOS releases (9.1.17, 10.2.7) SSL seems to have instability issues (in addition to regular tcp meltdown etc that SSL inside SSL can bring along).

 

I have noticed that if GlobalProtect gateway runs on natted IP then it is way higher probability that connection will fail back to SSL compared to running GlobalProtect gateway directly on wan interface.

 

It is convenient to run Gateway on DMZ interface if multiple ISPs are in use and DNAT tcp/443 and udp/4501 to DMZ IP but instability issues in latest PANOS forces to set up dedicated Gateway for every ISP interface to reduce risk of fallback to unstable SSL.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

For me, the temp fix was in their upgrade notes: "Note: GlobalProtect tunnel might disconnect shortly after being established when SSL is used as a transport protocol. Workaround: Disable Internet Protocol Version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter." It makes it sound like the connection might bounce once, but for us it bounced endlessly. We could try steps to get the connection to work: like rebooting 3 times, removing the portal and readding it or refreshing the connection. It would work if it got a working connection, but if the connection was stopped/started the issue would happen again.  We have 200+ remote workers this affected, and we couldn't disable ipv6 for them all remotely. We had to roll back to 10.2.4-h4 from 10.2.7-h3. We talked to support, there is a private bug doc on it. The targeted fix versions include 11.0.5, 11.2.0, 10.2.8, 10.2.11, and 10.1.14., but 10.2.8 is not scheduled for around 2/8/24 and that's not a guaranteed date.

L2 Linker

TAC replied that is confirmed to match PAN-234929 in 9.1.17, they are still working on a fix and the ETA is yet to be provided.

L0 Member

Is this a problem even if we have IPv6 disabled on the firewall?

L0 Member

Hello,

 

seems to be fixed on 10.2.8 RN :

ISSUE ID
DESCRIPTION
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
 
Anyone can confirm ? 

L2 Linker

I have the same issue with PANOS 10.2.6 and global protect 6.05 and using IPSEC not ssl  and IPV4 only   

I am getting ready to upgrade PAN OS and GP client,  And now i am not sure which upgrade to do

has anyone been on PANOS 11.1x.or 11.2x for a wile and is it worth the upgrade and GPver 6.2

Any input is appreciated

Manny C
Sr. Network Engineer

I am still having the issue on 10.2.8. I opened a TAC case and this is what they replied:

 

Thank you for providing me with the time to research.
Below are my findings:
PAN GP events
02/28/2024 10:54:07:618 [Info ]: Portal login completed with address go.sg.de.o2.com and conect method of on-demand.
02/28/2024 10:54:07:625 [Info ]: Network discovery started.
02/28/2024 10:54:23:708 [Info ]: Auto Gateway login finished with address go-disi2.sg.de.o2.com and user holbem.
02/28/2024 10:54:25:401 [Info ]: SSL tunnel creation finished with Gateway go-disi2.sg.de.o2.com.
02/28/2024 10:54:25:512 [Info ]: Completed HIP Report check with Gateway go-disi2.sg.de.o2.com.
02/28/2024 10:55:18:527 [Info ]: Tunnel is down due to keep-alive timeout.
02/28/2024 10:55:18:527 [Info ]: Gateway go-disi2.sg.de.o2.com: Checking network availability and restoring VPN connection when network is available.
PAN GPS
P 805-T31647 02/28/2024 10:55:18:527 Info (1335): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
P 805-T31647 02/28/2024 10:55:18:527 Debug(1338): Tunnel downtime after keep-alive timeout is 54646 ms
P 805-T31647 02/28/2024 10:55:18:527 Info ( 631): VPN timeout due to keepalive, get out of ProcMonitor
P 805-T31647 02/28/2024 10:55:18:527 Debug( 646): In timeout handling, tunnel downtime is 54646 milliseconds
The logs match the known issue based on the fixed version and are 12.0.0, 11.0.5, 11.0.4, 11.2.0, 9.1.18, 11.1.2, 11.1.3, 10.2.11, 10.1.13, 10.1.14, 9.1.19, 10.1.12-h1, 10.2.7-h6, 11.0.3-h5
In 10.2.X, the fix version is 10.2.7 h6 (ETA not known yet)
Workaround:
> Remove IPV6 from the current setup or you can downgrade to 10.2.7(Working scenario)

 

removing IPv6 in the tunnel is not working for me so I need to stay on 10.2.7 (without h)

  • 14895 Views
  • 23 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!