GlobalProtect Issue on PA-3020 9.1.17

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Issue on PA-3020 9.1.17

L1 Bithead

Hello everyone,

 

I'd want to seek your guidance on a matter that we're now dealing with. So, last year, around the third week of December, we upgraded the firmware of PA-3020 from 9.1.15 to 9.1.17 as per the advisory of Palo Alto. So far, no issues have been reported following the upgrade, but after a while we have discovered an issue regarding on GlobalProtect (currently on 6.1.0) where some of our users are having difficulties connecting.

 

The error displayed is 'Your GlobalProtect session has been disconnected due to network connectivity issues or session timeouts.' This problem occurs after the user has successfully connected; however, after a few seconds, the error appears. To establish a connection, we need to disconnect and reconnect multiple times—approximately 5-10 times—before successfully connecting and gaining access to our system. Please refer to the image below for a sample of the error.

 

Marlo_Perez_0-1704948532651.png

 

After that, we looked for knowledge base articles about this issue and came across this one. It advises us to upgrade to a different GlobalProtect version other than 6.1.x, so we attempted updating to 6.2.0 and 6.2.2, but encountered more issues. As a result, we reverted back to 6.1.0.

 

We tried various methods, such as uploading the techsupport file to Palo Alto's AutoAssistant Tool, and discovered some information about firewall configuration that attracted my eye. It is about High Resource Utilization. Please see the image below.

 

Marlo_Perez_2-1704949007599.png

 

As stated on the image, this may cause for the new connection requests to fail and the existing once to encounter slowness when accessing the web. So, in order to resolve this issue, we will be trying to use this KB to lower the usage from 94 to 90. We will be performing this later. So for the meantime, I have come across this LIVEcommunity post that is experiencing the same issue, the solution they have done is to rollback from their old version of PAN-OS. Our concern being, we cannot revert back to the old PAN-OS version because of PAN-OS Root Certificate Advisory provided above.

 

May I know if this is a known issue/bug for PAN-OS 9.1.17 on PA-3000 Series?

 

 

Thanks and Best Regards,

Marlo

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

GlobalProtect instability is in all latest versions.

Downgrade to 9.1.16-hx

 

Enable IPSec reduces the issue and it is always best to have it enabled because then GlobalProtect encapsulates traffic into UDP instead of TCP.

IPSec offers better performance and don't have TCP meltdown problems.

IPSec requires UDP/4501 to be permitted.

 

Global Protect Client disconnect Issues after upgrading to Pan-OS 11.1.0
https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-client-disconnect-issu...

GlobalProtect Connection Issues in PAN-OS 10.2.7-h3
https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-connection-issues-in-pa...

PAN OS 9.1.17 Global Protect Issues
https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-17-global-protect-issues/t...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

6 REPLIES 6

L1 Bithead

Hi Marlo,

    I got same issue on PA-3000 Series. So can solved this issue revert back to 6.1.0? Thank you.

Regards,

Lide

Hi Lide,

 

We have already reverted back to 6.1.0, but some users are still encountering the same issue There was another thread that suggested to revert/downgrade the OS version of the firewall. Kindly refer here: https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-17-global-protect-issues/t...

 

The thing about reverting of the firewall means we will be under the target version of the firewall to mitigate the issue about PAN-OS Root and Default Certificate and it might cause another problem.

 

 

Thank you and Regards,

Marlo

 

Hi Marlo,

    Last week, I did "enable ipsec"(It was must allow UDP: 4501 if you have other firewall in front of PA). The issue was reduced even not happen again.

截圖 2024-01-15 下午3.54.19.png

Regards,

Lide

Cyber Elite
Cyber Elite

GlobalProtect instability is in all latest versions.

Downgrade to 9.1.16-hx

 

Enable IPSec reduces the issue and it is always best to have it enabled because then GlobalProtect encapsulates traffic into UDP instead of TCP.

IPSec offers better performance and don't have TCP meltdown problems.

IPSec requires UDP/4501 to be permitted.

 

Global Protect Client disconnect Issues after upgrading to Pan-OS 11.1.0
https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-client-disconnect-issu...

GlobalProtect Connection Issues in PAN-OS 10.2.7-h3
https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-connection-issues-in-pa...

PAN OS 9.1.17 Global Protect Issues
https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-17-global-protect-issues/t...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Apologies for the delays; we need to go through approval for downgrading the firewall.

 

Hi  @Raido_Rattameister,

 

It is confirmed that by downgrading from 9.1.17 to 9.1.16-h3 resolves the GlobalProtect issue.

 

 

Cheers,

Marlo

 

 

Hello @Raido_Rattameister 

Is there an Pan-Issue-ID for this? 
I could not find it searching through known and adresses issues for 9.1.17 or 10.1.11/12.
These stability issues hit us rather hard on some appliances (some not even affected), and while in some areas we have our reasons to keep IPSec shut off, we would like to keep Firmware up-to-date to mitigate other issues (SNMP / PAN-217208).

Regards, Alex

  • 1 accepted solution
  • 4436 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!