GlobalProtect Connection Issues in PAN-OS 10.2.7-h3


L0 Member

Hello Friends, 
What troubleshooting steps can I take to address the GlobalProtect connectivity issues, including the "Your GlobalProtect session has been disconnected due to network connectivity issues or session timeouts" notification and the SSL VPN GlobalProtect connected status with 0 bytes traffic after upgrading PAN-OS to version 10.2.7-h3?
Note: The installed GlobalProtect version on the Windows OS is 6.2.2-259.

Thank you. 

11 REPLIES

L0 Member

Hi, we have had the same problem since the update to 10.2.7-h3. It happens with all Windows versions (7 / 10 / 11) and only with Windows.

With Mac OS there is no problem.

We tried different GlobalProtect versions, but always the same problem. Users need up to 20 attempts to get a working connection.

Our seller has two other customers who have had the same problem for two weeks.

 

A solution would be nice!

L1 Bithead

This may not be related, but after upgrading to the same version my HIP objects and policy match, but the security policy that uses that HIP policy won't match. Maybe see if you're seeing the same issue preventing your GP clients from connecting. I don't have a workaround yet other than removing the HIP profile from the security policy for GP connections.

L0 Member

Today we were able to narrow down the error.

It's definitely a problem with SSL and Windows only. On Mac OS everything works fine - no problems.

Now we made a security profile WAN to WAN with UDP 4501 and HTTPS. Then we enabled IPSec in GlobalProtect (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPY1CAO).

Now the connection is established with IPSec and the problems are gone.

We hope that Palo fixes this problem.

 

L2 Linker

Multiple complaints from our customers about this. I hope PAN is aware of the issue.

L1 Bithead

I had the same issue when I upgraded from 9.1.14 to 9.1.17. The issue got solved today when I downgraded to 9.1.14-h7. H7 has the 2024 certificate. This is definitely a bug.

L0 Member

I have the same issue. I'm considering a downgrade since it started after we installed 10.2.7-h3.

Had this exact same problem after the 9.1.17 upgrade... SSL GP unstable (connecting/reconnecting) and, when connected, some clients not being able to access resources, 0 bytes/packets in.

While going through the GP logs, I found this: "--Too many outstanding keepalive and no response from GP gateway, disconnect tunnel"

 

Opened a TAC case and waiting for the response.

 

By the way, in our case, the workaround was to enable IPSec under the GlobalProtect Gateway for the locations that didn't have it yet. The locations already using IPSec had not reported issues.

Cyber Elite

I always enable IPSec under GlobalProtect gateway.

If IPSec checkbox is checked then GlobalProtect Agent will try 3 times to connect over udp/4501 and if it fails then will fall back to SSL protocol.

 

In latest PANOS releases (9.1.17, 10.2.7) SSL seems to have instability issues (in addition to regular tcp meltdown etc that SSL inside SSL can bring along).

 

I have noticed that if GlobalProtect gateway runs on natted IP then it is way higher probability that connection will fail back to SSL compared to running GlobalProtect gateway directly on wan interface.

 

It is convenient to run Gateway on DMZ interface if multiple ISPs are in use and DNAT tcp/443 and udp/4501 to DMZ IP but instability issues in latest PANOS forces to set up dedicated Gateway for every ISP interface to reduce risk of fallback to unstable SSL.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

For me, the temp fix was in their upgrade notes: "Note: GlobalProtect tunnel might disconnect shortly after being established when SSL is used as a transport protocol. Workaround: Disable Internet Protocol Version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter." It makes it sound like the connection might bounce once, but for us it bounced endlessly. We could try steps to get the connection to work, like rebooting 3 times, removing the portal and re-adding it, or refreshing the connection. It would work if it got a working connection, but if the connection was stopped/started the issue would happen again. We have 200+ remote workers this affected, and we couldn't disable IPv6 for them all remotely. We had to roll back to 10.2.4-h4 from 10.2.7-h3. We talked to support; there is a private bug doc on it. The targeted fix versions include 11.0.5, 11.2.0, 10.2.8, 10.2.11, and 10.1.14, but 10.2.8 is not scheduled for around 2/8/24 and that's not a guaranteed date.
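
One way to apply the release-note workaround quoted above from a script, for example pushed through endpoint-management tooling. This is an added example, not part of the original post or of Palo Alto Networks documentation. The `PANGP*` description pattern is an assumption; confirm the adapter's actual description with `Get-NetAdapter` first.

```powershell
#Requires -RunAsAdministrator
# Added example: unbind TCP/IPv6 (ms_tcpip6) from the GlobalProtect virtual adapter.
# Assumption: the adapter's InterfaceDescription begins with "PANGP"; pass -Pattern if not.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Pattern = 'PANGP*'
)

# -IncludeHidden so the adapter is found even if Windows does not list it by default.
$adapters = @(Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceDescription -like $Pattern })

if ($adapters.Count -eq 0) {
    Write-Warning "No network adapter with a description matching '$Pattern' was found."
    exit 1
}

$results = foreach ($adapter in $adapters) {
    $binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 `
        -IncludeHidden -ErrorAction SilentlyContinue

    # Only touch adapters where IPv6 is currently bound; honour -WhatIf / -Confirm.
    if ($binding -and $binding.Enabled -and
        $PSCmdlet.ShouldProcess($adapter.Name, 'Disable TCP/IPv6 binding')) {
        Disable-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 -IncludeHidden
        # Re-read so the report shows the state after the change, not the intent.
        $binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 `
            -IncludeHidden
    }

    [pscustomobject]@{
        Adapter     = $adapter.Name
        Description = $adapter.InterfaceDescription
        IPv6Bound   = if ($binding) { $binding.Enabled } else { $null }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit if any matching adapter still has IPv6 bound, so deployment
# tooling can flag endpoints where the workaround did not take effect.
if ($results | Where-Object { $_.IPv6Bound }) { exit 2 }
```

Run it from an elevated session; `-WhatIf` previews which adapters would be changed without modifying them.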

L1 Bithead

TAC replied that it is confirmed to match PAN-234929 in 9.1.17; they are still working on a fix and the ETA is yet to be provided.

L0 Member

Is this a problem even if we have IPv6 disabled on the firewall?
