About MattShuter

What OS version are you running on your firewall?   The issue was reportedly fixed in 10.1.7 for various models.    Prior to that, a shutdown/power off of the firewall resolved the issue, as recommended by support.    *NOT a reboot*   As noted, if that is not possible to upgrade or pull the power at this time, you could increase the timeout period to double what is needed. ... View more

fixed in 10.1.7 for some models...as noted in release notes: "(PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only ) Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value. ... View more

5220s, not in HA pairs..  running at separate sites.   Will shutdown my second box this weekend I think. ... View more

Similar to @frankis ..  on my support ticket, full shutdown, don't reboot...  so last night, shutdown one box, pulled power plugs for about 5 minutes.... plugged them back in and powered it back up... currently, my laptop is connected via the VPN for over 5 hours without disconnecting. ... View more

Agree on the issue occurring since upgrading our firewalls to 10.1.6.    Issue was not present prior to upgrading 10.1.6.    Immediately after 10.1.6 upgrade, my users experienced this issue.  No change in GP client version as part of the upgrade.   Currently using 5.2.x GP branch, tested using multiple versions, included latest 5.2.12.   Issue occurs regardless of wireless/wired connection at offsite location, regardless of internet providers at offsite locations, or different internet providers connected to the firewalls themselves.   Hope to open a ticket this week with support on the issue. ... View more

I was able to get this to work, the traffic split between VPN and local internet access...realized I was using the wrong next hop address for my internet traffic ... View more

or...    how do I setup the PA200 split traffic...        internal, 10.x.x.x via the VPN        internet, 0.0.0.0 except 10.x, via the internet connection? tried two routes, but they didn't split the traffic, everything still going over the vpn...unless I didn't get the right combination of interface/route/next hop/etc. ... View more

Thanks. The internet traffic is not hitting the core switch, only the internal traffic.         Do I need to adjust my route table on the remove VPN to direct traffic to the core switch ip instead of the PA-2020?          I am going to try this to see what it does...but I don't think it will work. What if I had another device on the other side of the core switch?      a vpn concentrator, or even another PA box. Would it be possible to simply NAT (bi-directional)  the VPN traffic from public ip on PA-2020 to internal ip of other device?       remote site PA-200 public ip ---->   PA-2020 public IP ---->   (NAT) -----> PA-200 internal ip               then, internet traffic would go out via the core, pass through the content filter, and then back in... Thanks again. matt ... View more