About inzamam.shahid

Hi,    Thanks for the info. I am not sure why it is only this website, but I think I have found out where the issue may lie.    I think it may be a routing issue in the network, which needs to be corrected. I will let you know if that resolves the issue.      ... View more

Sorry for the delay in my reply.   I do not think this is ISP issue. As there are two firewalls for two sites and the other site with the same ISP is working.   I have uploaded the following snips:   tx_capture - is the transmit packet capture fw_capture - is the firewall packet capture rc_capture - is the recieve packet capture       ... View more

I think I resolved this now finally. There is no natting happening over the VPN. Natting is happening after the traffic has gone down the VPN and then going out the external interface of the FW.    To resolve this I had to do numerous packet captures and have dropped the VPN at either side to 1200 MTU and set service to any on the FW that is directly connected to the Aruba controller.  ... View more

Hello,    I have done some PCAPS on this and can see that the three-way handshake does complete. After the three way handshake the connection is being reset from the destination, the three way handshake happens again completes and the dest then resets the connection again.  I am trying to get a capture from one of the working sites so I can compare how the packets are being handled, but do you know why trying to send traffic down a VPN tunnel why would the dest reset the connection?     ... View more

The bug ID is:  98699   let me know if you need any other info ... View more

PAN TAC have advised that this is a bug in the code and is due to be fixed in version 7.1.6 🙂 ... View more

This is what I am failing to understand on why it is hitting that deny rule. That deny rule is number 800 in the rule set.   The commvault rules are 600 in the rule set. In the screenshot, that I provided "commVault Media Agent to Ping" & "New Backup Networks" are basically any any rules just set to specfic IP's. They let any application over any service go through. I have checked the correct zones and IP's are in the rule.   When I do a a security policy match from the CLI, the rule matches rule called "NEW BACKUP NETWORKS-app" so I do not understand why unknown-tcp is being hit.     ... View more

  Please see traffic log and the rules that have been created for this. Please let me know if you guys believe this is correct and if the support route still needs to be followed. ... View more

Thanks for the reply again. We have tested with IPsec enabled and the performance improved significantly.    This, however, does not solve the problem as if the client cannot establish an IPsec connection, it will still use SSL as a fall back method and then the client will still experience the issues reported. I have now raised this upto TAC as I see no reason why SSL-VPN should de-grade performance, have not come across anything on the live community that supports this and have not found an PAN guide that supports this either.   I will let you guys know when the issue has been sorted.  ... View more

I have been doing some more testing on this and I do not think QoS may not be the solution. I haven't had to apply any QoS to other global protect deployments.    I tested with another SSL VPN solution "SoftEther VPN" which is no longer in development, but is fine to use in a test. I thought this would be a good test of QoS, as surely this SSL VPN would suffer the same issues.    I did smiliar test with the Softether VPN so moving big files from my laptop, downloading and streaming video. Here is the results from my tests:   No VPN: Download 62 Mbps Upload 18.5 Mbps  SoftEther: Download 59.6 Mbps Upload 15.9 Mbps Global Protect: Download: 35 Mbps Upload 16 Mbps   As you can see, the upload seems fairly good, as it always has, but the download is quite significant. Around 3.8% overhead on the SoftEther connection, which I'd expect as normal overhead for a VPN. However, the Global protect shows around 43.5% losses / overhead, which seems high.   Any file transfer, downloads and video streaming with SoftEther VPN remians steady with no drops, and no large difference between ethernet speed and PANGP adapter and it is not having any retransmission problem either.   With this info do yout think we still need to implement QoS on the firewall? I have come across the following info with regards to speeds of SSL VPN:   https://live.paloaltonetworks.com/t5/Learning-Articles/Why-is-GlobalProtect-Slower-on-SSL-VPN-Compared-to-IPsec-VPN/ta-p/61920   Would like to know your thoughts on this inlight of the above info.    ... View more

Thanks for the reply.   I have dropped the MTU sizess at both ends of the tunnel to no ovail. I have tried 1350, 1300 & 1200. The same values were set at both ends of the tunnel each time.   I looked into the TCP MSS feature and it looks like it needs to be applied to the physical interface and not the tunnel. Just to clarify are you suggesting that we set an MTU size like 1300 on the tunnels and then set TCP MSS to 1500 to the external interface with the GP config. ... View more

Thank you for the reply. Can you explain the setting for setting gurantees for the VPN connection is there any guide that explains how to set this up exactly?   I am also considering the QoS setup, but just want to know which one would work better. ... View more