Delay in connecting to GlobalProtect from the Windows 10 clients

Created On 03/25/22 11:43 AM - Last Modified 09/30/23 22:00 PM


Symptom


  • GlobalProtect application takes more than 1 minute to connect
  • DNSQuery exceeds 1 minute
  • DNSQuery returns 1460
  • The PanGPS logs show the following messages:
Debug(1908): 03/16/22 08:53:47:095 Already takes 53 seconds for all dns queries.
Debug(1882): 03/16/22 08:53:48:148 DnsQuery returns 1460
Debug(1908): 03/16/22 08:53:51:151 Already takes 57 seconds for all dns queries.
Debug(1882): 03/16/22 08:53:52:191 DnsQuery returns 1460
Debug(1890): 03/16/22 08:53:55:197 Retry DnsQuery.
Debug(1908): 03/16/22 08:53:55:197 Already takes 61 seconds for all dns queries.
Debug(1910): 03/16/22 08:53:55:197 Exceeds 1 minute. Do not retry DnsQuery.


Environment


  • Any Palo Alto Networks firewall
  • GlobalProtect VPN enabled
  • GlobalProtect Windows application version between 5.2.6 and 5.2.8
  • Windows 10 client system


Cause


  • When Internal Host Detection is configured on GlobalProtect, Windows first performs a network discovery during the GlobalProtect (GP) connection.
  • It does this by sending out both DNS and mDNS queries to verify whether the client is on the internal or external network.
  • The check is a reverse DNS lookup on a private IP configured on the GlobalProtect Portal.
  • Once DNS responds with "No such name", we should see DNSQuery 9003, which indicates to the GP client that the endpoint is external.
  • Before Windows Update KB5001330, when a GlobalProtect client connected from an external network, the lookup would fail and return DNSQuery 9003 "No such name".
  • On Windows clients that installed KB5001330, the DNSQuery returns 1460 (timeout), which indicates no response was received from the DNS server.
  • This prompts the GP client to keep querying the DNS server up to 20 times for a response, resulting in a 60+ second delay in connecting users.
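
To check whether a client's PanGPS log shows this behaviour, the messages quoted under Symptom can be matched programmatically. The script below is an added example, not Palo Alto Networks code; the `triage` function, its verdict strings, and the 9003 sample line (whose format is assumed from the 1460 line) are constructed for illustration.

```python
import re
from collections import Counter

# The PanGPS debug lines quoted under Symptom in this article.
AFFECTED_LOG = """\
Debug(1908): 03/16/22 08:53:47:095 Already takes 53 seconds for all dns queries.
Debug(1882): 03/16/22 08:53:48:148 DnsQuery returns 1460
Debug(1908): 03/16/22 08:53:51:151 Already takes 57 seconds for all dns queries.
Debug(1882): 03/16/22 08:53:52:191 DnsQuery returns 1460
Debug(1890): 03/16/22 08:53:55:197 Retry DnsQuery.
Debug(1908): 03/16/22 08:53:55:197 Already takes 61 seconds for all dns queries.
Debug(1910): 03/16/22 08:53:55:197 Exceeds 1 minute. Do not retry DnsQuery.
"""

# Constructed line (assumed format, modelled on the 1460 line above) for a
# client whose reverse lookup is answered with "No such name".
HEALTHY_LOG = "Debug(1882): 03/16/22 09:10:02:511 DnsQuery returns 9003\n"

RETURN_RE = re.compile(r"DnsQuery returns (\d+)")
ELAPSED_RE = re.compile(r"Already takes (\d+) seconds for all dns queries")
GAVE_UP = "Exceeds 1 minute. Do not retry DnsQuery."

def triage(log_text):
    """Summarise internal host detection DNS results found in PanGPS log text."""
    codes, max_elapsed, gave_up = Counter(), 0, False
    for line in log_text.splitlines():
        if (m := RETURN_RE.search(line)):
            codes[int(m.group(1))] += 1          # count each DnsQuery return code
        elif (m := ELAPSED_RE.search(line)):
            max_elapsed = max(max_elapsed, int(m.group(1)))
        elif GAVE_UP in line:
            gave_up = True                       # client stopped retrying after 1 minute
    if codes[1460] and (gave_up or max_elapsed >= 60):
        verdict = "matches this article: DNS timeouts (1460) delayed the connection"
    elif codes[1460]:
        verdict = "DNS timeouts (1460) seen, but retries stayed under 1 minute"
    elif codes[9003]:
        verdict = "no delay: lookup returned 9003 (No such name), endpoint is external"
    else:
        verdict = "no DnsQuery results found"
    return {"codes": dict(codes), "max_elapsed_s": max_elapsed,
            "gave_up": gave_up, "verdict": verdict}

if __name__ == "__main__":
    for name, text in (("affected", AFFECTED_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage(text))
```

A "matches this article" verdict on a client running GlobalProtect 5.2.6 to 5.2.8 points to the upgrade described under Resolution.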


Resolution


Upgrade the GlobalProtect Windows application to version 5.2.9 or higher.



Additional Information


GPC-13693 : Fixed an issue where DNS resolution to internal host detection got delayed because of mDNS

Related documents:
  • https://answers.microsoft.com/en-us/windows/forum/all/vpn-issue-with-update-kb5001330-global-protect/c64c5d54-49f6-4644-8a18-032305bf014d
  • https://docs.microsoft.com/en-us/answers/questions/166816/disable-mdns.html
  • https://hsione.force.com/dentrixguest/s/article/Unable-To-Access-Common-Folder-Due-to-Windows-Update-KB001330

