High Data Plane Utilization During Business Hours

Hello,

We are experiencing an issue that is becoming hard to isolate, our end users noticed network slowness about a few days ago.

During Isolation and investigation it led us to our NGFW PA-3260's.

This causing extremely High latency when reaching out from our Inside to Internet interfaces.

Resource utilization (%) during last 24 hours:
session (average):
9 7 4 3 3 3 3 3 3 3 3 3 3 4 5
5 7 10 11 11 11 11 11 11
session (maximum):
10 9 6 4 5 3 3 3 4 4 4 4 4 5 5
6 9 12 12 13 13 13 14 13
packet buffer (average):
5 1 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 3 10 17 17 16 24 34
packet buffer (maximum):
60 22 3 3 1 1 1 1 1 1 1 1 1 3 2
3 3 75 77 76 76 77 77 77
packet descriptor (average):
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
packet descriptor (maximum):
3 2 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 1 1 2 2 2 1 1
packet descriptor (on-chip) (average):
20 12 7 7 6 6 6 6 6 6 6 6 6 6 6
6 7 11 18 19 20 20 24 31
packet descriptor (on-chip) (maximum):
100 100 100 100 60 40 56 72 49 80 34 56 54 100 91
100 99 100 100 100 100 100 100 100

Is there a way to isolate this down better to mitigate what is causing the issue.

- We have turned off SSL/TLS Decryption 

- Our Session Count is no where near MAX

- Out over bandwidth is 2Gbps, we see average of 400-500mbps with spikes up to 700mbps and more rare spikes to 1.25Gbps

show session info

target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 2202007
Number of allocated sessions: 230274
Number of active TCP sessions: 51912
Number of active UDP sessions: 176844
Number of active ICMP sessions: 61
Number of active GTPc sessions: 0
Number of active HTTP2-5gc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 41
Number of active SCTP sessions: 0
Number of active SCTP associations: 0
Number of active PFCP sessions: 0
Number of active IMSI sessions: 0
Session table utilization: 10%
Number of sessions created since bootup: 135467641
Packet rate: 112327/s
Throughput: 624559 kbps
New connection establish rate: 1047 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 25 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
5GC delete timeout: 15 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Software Cut Through: False
Run-to-completion mode: False
Tunnel acceleration: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
Reject TCP SYN with different seq/options: True
Teardown session if forward zone changes: False
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------

show running resource-monitor ingress-backlogs

Fri Nov 21 10:35:00 2025

-- SLOT: s1, DP: dp0 --
USAGE - ATOMIC: 17.87109375% TOTAL: 94.140625%

TOP SESSIONS:
SESS-ID PCT GRP-ID COUNT Special Notes
651048 12% flow_fastpath 132
300786 2% flow_fastpath 23

SESSION DETAILS
SESS-ID PROTO SZONE SRC SPORT DST DPORT IGR-IF EGR-IF TYPE APP
300786 6 GP_VPN 10.185.72.224 62896 141.185.3.200 1433 tunnel.1 ethernet1/13.242 FLOW mssql-db-unencrypted
651048 6 inside 10.185.34.152 62682 199.232.214.172 80 ethernet1/13.242 ethernet1/24.1000 FLOW ms-update

show system resources

top - 11:35:40 up 1 day, 19:01, 1 user, load average: 1.15, 1.04, 0.74
Tasks: 246 total, 1 running, 245 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2.2 us, 1.5 sy, 0.0 ni, 94.8 id, 0.0 wa, 0.7 hi, 0.7 si, 0.0 st
MiB Mem : 15709.9 total, 271.7 free, 5597.4 used, 9840.9 buff/cache
MiB Swap: 7.8 total, 0.0 free, 7.8 used. 10939.8 avail Mem

Model PA-3260
Serial # REDACTED
Software Version 11.1.10-h4
GlobalProtect Agent 6.2.8-c263
Application Version 9041-9768 (11/18/25)
Threat Version 9041-9768 (11/18/25)
Antivirus Version 5378-5904 (11/21/25)
Device Dictionary Version 201-666 (11/17/25)
WildFire Version 1032891-1037129 (11/21/25)
URL Filtering Version 20251121.20276
GlobalProtect Clientless VPN Version 98-260 (05/22/23)
Time Fri Nov 21 10:22:11 2025
Uptime 1 days, 17:48:18
Advanced Routing off
Duplicate IP Disabled
Plugin DLP dlp-5.0.0
Device Certificate Status Valid