01-10-2024 09:15 PM
Hello everyone,
I'd like to seek your guidance on a matter that we're now dealing with. So, last year, around the third week of December, we upgraded the firmware of PA-3020 from 9.1.15 to 9.1.17 as per the advisory of Palo Alto. So far, no issues have been reported following the upgrade, but after a while we have discovered an issue regarding GlobalProtect (currently on 6.1.0) where some of our users are having difficulties connecting.
The error displayed is 'Your GlobalProtect session has been disconnected due to network connectivity issues or session timeouts.' This problem occurs after the user has successfully connected; however, after a few seconds, the error appears. To establish a connection, we need to disconnect and reconnect multiple times—approximately 5-10 times—before successfully connecting and gaining access to our system. Please refer to the image below for a sample of the error.
After that, we looked for knowledge base articles about this issue and came across this one. It advises us to upgrade to a different GlobalProtect version other than 6.1.x, so we attempted updating to 6.2.0 and 6.2.2, but encountered more issues. As a result, we reverted back to 6.1.0.
We tried various methods, such as uploading the techsupport file to Palo Alto's AutoAssistant Tool, and discovered some information about the firewall configuration that caught my eye. It is about High Resource Utilization. Please see the image below.
As stated in the image, this may cause new connection requests to fail and the existing ones to encounter slowness when accessing the web. So, in order to resolve this issue, we will be trying to use this KB to lower the usage from 94 to 90. We will be performing this later. In the meantime, I have come across this LIVEcommunity post describing the same issue; the solution they applied was to roll back to their old version of PAN-OS. Our concern is that we cannot revert back to the old PAN-OS version because of the PAN-OS Root Certificate Advisory provided above.
May I know if this is a known issue/bug for PAN-OS 9.1.17 on PA-3000 Series?
Thanks and Best Regards,
Marlo
01-15-2024 05:20 AM - edited 01-15-2024 05:22 AM
GlobalProtect instability is in all latest versions.
Downgrade to 9.1.16-hx
Enabling IPSec reduces the issue and it is always best to have it enabled because then GlobalProtect encapsulates traffic into UDP instead of TCP.
IPSec offers better performance and doesn't have TCP meltdown problems.
IPSec requires UDP/4501 to be permitted.
Global Protect Client disconnect Issues after upgrading to Pan-OS 11.1.0
https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-client-disconnect-issu...
GlobalProtect Connection Issues in PAN-OS 10.2.7-h3
https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-connection-issues-in-pa...
PAN OS 9.1.17 Global Protect Issues
https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-17-global-protect-issues/t...
01-11-2024 11:35 PM
Hi Marlo,
I got the same issue on PA-3000 Series. So can this issue be solved by reverting back to 6.1.0? Thank you.
Regards,
Lide
01-11-2024 11:51 PM - edited 01-11-2024 11:55 PM
Hi Lide,
We have already reverted back to 6.1.0, but some users are still encountering the same issue. There was another thread that suggested reverting/downgrading the OS version of the firewall. Kindly refer here: https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-17-global-protect-issues/t...
The thing about reverting the firewall is that we will be below the target version of the firewall needed to mitigate the issue about the PAN-OS Root and Default Certificate, and it might cause another problem.
Thank you and Regards,
Marlo
01-15-2024 12:02 AM - edited 01-15-2024 12:03 AM
Hi Marlo,
Last week, I did "enable ipsec" (you must allow UDP 4501 if you have another firewall in front of the PA). The issue was reduced and has not even happened again.
Regards,
Lide
01-18-2024 05:13 PM - edited 01-18-2024 05:19 PM
Apologies for the delays; we need to go through approval for downgrading the firewall.
It is confirmed that downgrading from 9.1.17 to 9.1.16-h3 resolves the GlobalProtect issue.
Cheers,
Marlo
02-06-2024 02:12 AM
Hello @Raido_Rattameister
Is there a Pan-Issue-ID for this?
I could not find it searching through known and addressed issues for 9.1.17 or 10.1.11/12.
These stability issues hit us rather hard on some appliances (some not even affected), and while in some areas we have our reasons to keep IPSec shut off, we would like to keep Firmware up-to-date to mitigate other issues (SNMP / PAN-217208).
Regards, Alex