GlobalProtect App notification: The network connection is unreliable

GlobalProtect App notification: The network connection is unreliable

57670
Created On 03/03/21 22:57 PM - Last Modified 12/17/21 03:10 AM


Symptom
  • A user gets the following message while connected to the GlobalProtect App: "The network connection is unreliable and GlobalProtect reconnected using an alternate method. You may experience slowness when accessing the internet or business applications". 
                                                                User-added image
 
  • A degradation of the performance might or might not be noticed.


Environment
  • Palo Alto Firewall
  • Any PAN-OS.
  • GlobalProtect App version 5.2.5


Cause
This message is triggered due to a new feature implemented in the GlobalProtect App version 5.2.5 to improve user experience and provide friendly, informative connectivity error messages.

Whenever GlobalProtect detects that the IPsec connection is unreliable, the user should be notified so that the user is aware that there might be some performance degradation.

More details about this feature can be found in the following document: Improved Connectivity Error messages for the GlobalProtect App

 


Resolution

1. In GlobalProtect client version 5.2.5 there is no configurable setting to allow users to disable the display of this notification. No action is required if there is no degradation of performance when falling back from IPSec to SSL, but the user is informed that a fall back from IPSec to SSL took place.

2. Consider choosing SSL as the connection method by disabling IPSec, which will prevent a fallback event from taking place, and therefore no notification will be generated:
  • Disable "Enable IPSec" on the gateway side configuration under: GUI:Network > GlobalProtect > Gateways > [gateway-config] > Agent > [agent-config] > Tunnel Settings.
3. If IPSec remains enabled and a fallback from IPSec to SSL is not expected to happen then ensure that port 4501 (UDP encapsulated ESP packet) used for IPSec connection is not blocked.


Additional Information
How to Confirm if GlobalProtect Tunnel is Using IPSec or SSL?

How to detect when Global Protect client fails to establish IPSec VPN tunnel with the GP Gateway


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uh1CAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language