GlobalProtect Connection Issues in PAN-OS 10.2.7-h3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect Connection Issues in PAN-OS 10.2.7-h3

L0 Member

Hello Friends, 
What troubleshooting steps can I take to address the GlobalProtect connectivity issues, including the "Your GlobalProtect session has been disconnected due to network connectivity issues or session timeouts" notification and the SSL VPN GlobalProtect connected status with 0 bytes traffic after upgrading PAN-OS to version 10.2.7-h3?
Notes : The installed GlobalProtect version on the Windows OS is 6.2.2-259.

Thank you. 

23 REPLIES 23

L1 Bithead

We are plagued with this issue.

We are using IPSec but we have Portal and Gateway on the same firewall.

We initially upgraded to 10.2.7-h3 and were hit by the bug.

The workaround of disabling IPv6 did not work.

We then downgraded to 10.2.6 which again did not work.

We have now upgraded to 10.2.8 which again has not worked.

This is just frustrating for all our users and Tech Support still has no solution for this!!!

For me the only option was to downgrade to 10.2.7 (without any Hotfix). Other option is to disable ipv6 on the GP virtual adapter or inside the Tunnel config. Disabling ipv6 on the LAN/WLAN Adapter did not work. 10.2.6-h1 might have the fix in it as well - but I did not tested that.

Oh - an for me TAC replied that the issue will be fixed in 10.2.7-h6 - but no ETA yet

L0 Member

I had this issue... If you go into the Portal App Settings and change the "IPv6 Preferred" setting to "No" this has resolved the issue, with no need to bother the users, push a GPO, or wait for an upgrade to fix.

 

Absolutely agree. IPv6 "fix" does not work. We have also found that reverting the GP client all the way back to v 5.2.8 will work around the issue, but I would not recommend this approach, so we too will be downgrading, seems to be the best bet.

I have had the "IPv6 Preferred" setting to "No"  set way before this issue appeared   10.2.8 went to preferred  Does anyone have successful combinations or unsuccessful combinations to report.

I have upgraded my panorama already (Palo Alto Networks Security Advisories / CVE-2024-2433)  but leery to push to my PANs 

Manny C
Sr. Network Engineer

L2 Linker

Does anyone have an incident number for this issue.

The one listed earlier PAN-234929 isn't correct for this issue with GP and IPSEC and timeout issues

It would make it easier to find it in the release notes

Manny C
Sr. Network Engineer

@MannyCosta There is no issue number for this. It is just a note on the PAN OS Preferred Release page. The number you mentioned is for ACC issue.

L1 Bithead

Finally we managed to solve this. What worked for us is:

 

Upgrade to PANOS 10.2.8

AND

Disable IPv6 in the PANGP Virtual Network Adapter

AND

In the Portal App Settings > change the "IPv6 Preferred" setting to "No" 

 

It was really painful couple of weeks and Tech Support kept on denying that the bug exists in 10.2.8 as well. Hence we spent weeks in just trial and error! 

  • 8015 Views
  • 23 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!