After deploying GlobalProtect with pre-logon enabled, clients running the Blue Coat user agent (bcua) experience intermittent connectivity issues. A continuous ping from the client to internal resources shows successful replies, but after 40 - 50 seconds the pings begin to time out. The connection is then re-established after a few minutes, and the behavior loops.
Diagnosis
The bcua creates a tunnel to Symantec Web Security Service (WSS), which means GlobalProtect traffic is also sent through that tunnel. This causes the intermittent connectivity.
This can be verified by running a packet capture on the client machine.
A few other ways to verify that this is the case:
Check the client's public IP address; you can do this with a Google search for "what's my IP address".
Verify whether this IP address belongs to the client's ISP or to Symantec. I used arin[dot]net to verify. A Symantec IP address indicates that a tunnel to Symantec has been created.
On the firewall, run the following commands as shown in the screenshot:
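The following Python script is an added client-side check written for this note (it is not code from Palo Alto Networks or Symantec, and it is separate from the firewall commands referred to above). It implements the two verification steps offline: it reports when a continuous ping starts timing out, and it reads the registrant out of an RDAP record for the client's public IP to distinguish a Symantec (WSS) address from the ISP's. The ping output and the RDAP record are constructed samples; the network handle, name and organization are placeholders.

```python
import json

# Constructed continuous-ping output (not a real capture): one probe per second,
# 45 replies, then a run of 5 timeouts, then recovery.
PING_OUTPUT = "\n".join(
    ["Reply from 10.1.1.10: bytes=32 time=24ms TTL=62"] * 45
    + ["Request timed out."] * 5
    + ["Reply from 10.1.1.10: bytes=32 time=25ms TTL=62"] * 3
)

def loss_runs(ping_output, interval_s=1.0):
    """Return [(seconds_before_loss, seconds_lost), ...] for each timeout run,
    assuming one probe every interval_s seconds (the Windows ping -t default)."""
    runs, start, lost = [], None, 0
    for i, line in enumerate(ping_output.splitlines()):
        if line.startswith("Request timed out") or "unreachable" in line:
            start = i if start is None else start
            lost += 1
        elif start is not None:
            runs.append((start * interval_s, lost * interval_s))
            start, lost = None, 0
    if start is not None:  # output ended while still losing packets
        runs.append((start * interval_s, lost * interval_s))
    return runs

# Constructed RDAP record shaped like an ARIN answer (https://rdap.arin.net/registry/ip/<ip>)
# for the client's public IP; handle, name and org are placeholders, not real allocations.
RDAP_RECORD = json.loads("""{
  "handle": "NET-PLACEHOLDER", "name": "EXAMPLE-WSS-NET",
  "entities": [{"roles": ["registrant"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                         ["fn", {}, "text", "Symantec Corporation"]]]}]
}""")

def registrant_names(rdap):
    """Collect the 'fn' (full name) of every registrant entity in an RDAP record."""
    names = []
    for ent in rdap.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    names.append(prop[3])
    return names

def egress_is_symantec(rdap):
    """True when the public IP is registered to Symantec, i.e. the bcua tunnel to
    WSS is carrying the GlobalProtect traffic instead of the client's ISP path."""
    return any("symantec" in n.lower() for n in registrant_names(rdap))
```

A loss run starting around 40-50 seconds together with a Symantec-registered egress address matches the symptom described above.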
Resolution
Symantec is aware of this issue and has provided a workaround in this link.
Once the changes have been made, verify the IP address seen by the firewall. This should be a non-Symantec IP address, and connectivity should now be stable.