This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

mountainfun
L0 Member
In response to fb-pan

‎04-16-2021 06:58 PM - edited ‎04-16-2021 10:35 PM

Still seeing this after activating 5.2.6 from PAN-OS 8.1.6 and running GlobalProtect Version 5.2.6-87.

 

To change this on the Portal, go to Network tab>GlobalProtect>Portals>choose the Portal>from GlobalProtect Portal Configuration screen, click on Agent>select relevant option under Configs>click on App tab>the option is called "Display IPSec to SSL Fallback Notification" by default this is set to Yes, change to No>click on OK>click on OK again>repeat for any other Portals where this change is required>Commit changes to Panorama or to the Firewall as required to suppress message as needed.


As mentioned from user Emr_1 to suppress this message, this needs to be disabled from the Gateway, from Network tab>GlobalProtect>Gateways>Agent>under Tunnel Settings tab, uncheck the Enable IPSec>repeat for any other Gateways where this change is required>Commit changes to Panorama or to the Firewall as required to suppress message as needed.

 

Another point to consider, which I ran into, is whether or not you are having issues with GlobalProtect traffic dropping IPSec connections, using UDP Port 4501. 

When GlobalProtect client will try to connect, first, it will try to connect over IPSec, using UDP, the faster protocol, if this fails, then GlobalProtect will fallback to SSL, over TCP, the slower protocol. The message that is shown, is because GlobalProtect client is failing back from IPSec to SSL for the VPN connection.

 

Performed a collect of GPClient logs from Windows laptop and searched in PANGPS.log for "Trying to do IPsec" found that this was generating failed to receive keep alive, then followed by Disconnect udp socket, then few lines down we see ipsec failed to start then we see IPSec fallback reason is IPSec connection failed.

 

Upon further investigation on the Traffic Monitor, we saw that traffic to UDP port 4501 is being denied for the GlobalProtect security policy, as a result, the IPSec Tunnel will fail and fallback to SSL will occur.

 

Proceeded to modify the GlobalProtect Security Policy that we had in place, added in the IPSec application, then changed the GlobalProtect>Gateways>Agent>under Tunnel Settings tab, re-checked the Enable IPSec>Committed changes.

 

This time, when my client connected to the GlobalProtect VPN, I saw IPSec as the Connection type, no longer seeing Notification Warning message. Repeated the same process for my other Gateways, left Portal to have Notification for Fallback set to No and this worked.

 

Need to keep in mind why the message is appearing, as sometimes this can be an indication of an underlying configuration issue that you should focus on, so as to provide an optimal user experience. Thanks to Harish Krishan, Technical Support Engineer from Palo Alto for help working through this scenario. 

 

 

 

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks