How to Remediate the Issue of Users Unable to Connect to GP - Max Task Count Reached

Created On 01/28/25 18:34 PM - Last Modified 01/28/25 23:10 PM


Objective


To mitigate the issue of users being unable to connect to GlobalProtect due to the maximum task count being reached.



Environment


  • GlobalProtect
  • Tasks


Procedure


To mitigate the issue of users being unable to connect to GlobalProtect due to the maximum task count being reached, follow these steps:

  1. Step 1 - Verify the configured maximum task value:
    Run the CLI command (available starting PAN-OS 10.2):
    > show gp-broker panos-config | match tasks
    Or the command below (available starting PAN-OS 11.0):
    > show global-protect tasks

    Ensure the configured maximum task count is greater than 500.
    If running a PAN-OS version lower than 11.0 but greater than 10.2, you can find this value by searching gpsvc.log for MaxTaskCount:

    {"level":"info","time":"2025-01-28T04:56:03.083189598-08:00","message":"fetchPanosConfig: fetched panos-config-alt from redis, ts:1738068963, version:1 (MaxTaskCount:1000 MaxAuthReqCount:4096)"}
    {"level":"info","time":"2025-01-28T04:56:03.083212404-08:00","message":"ConfigPhase1: phase1 done"}

    In the logs above the value is 1000.

  2. Step 2 - Check Task Activity in Logs:
    Use the evidence logs provided in this alert page or use the firewall CLI command (available starting PAN-OS 10.2):

    > tail follow yes mp-log gpsvc.log

    Look for indications that the task count reached the configured maximum with the log message "MainHttpEntry: max task count reached!".

    {"level":"error","time":"2024-12-24T06:38:55.895154695Z","message":"MainHttpEntry: max task count reached!"}
  3. Step 3 - Monitor Task Count Dynamically:
    Run the following command (available starting PAN-OS 10.2) to check the current task count:

    > show gp-broker gpsvc counter service | match "Current"
  4. Step 4 - Take Appropriate Action Based on Observations:

    1. Scenario A: Task Count is Low or Zero, but Logs Show Maximum Reached:
      If the task count (step 3) is low or zero, but the gpsvc logs (step 2) indicate the task count has reached its maximum as detected by this alert, and the configured maximum task count (step 1) is greater than 500, then:
      Restart the gpsvc process to force the GP broker to resend configurations to the GP service and reset the task count. (This command is available starting PAN-OS 10.2):
      > debug software restart process gpsvc
      > configure
      # commit force
    2. Scenario B: Task Count Increases and Decreases Dynamically:
      If the task count increases near the maximum during peak login times and decreases to 0 during low login activity, then:
      Verify the current maximum task count (available starting PAN-OS 10.2):
      > show gp-broker panos-config | match tasks
      Or the command (available starting PAN-OS 11.0):
      > show global-protect tasks

      If it is set as default*, this indicates that you are reaching the limit that the platform can handle.

    3. Scenario C: Task Count Stays at Maximum Even During Low Login Activity:
      For an immediate fix, restart the gpsvc process to reset the task count. If the issue recurs, open a support ticket for further investigation.
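
The log checks from steps 1, 2 and Scenario A, written as an added Python example that is not part of the original article or of any Palo Alto Networks tooling. It assumes gpsvc.log has been exported for offline review and that the operator supplies the current task count read in step 3; the function names, the low_watermark value and the error-line timestamps in the sample are assumptions made for illustration.

```python
import json
import re

MAX_RE = re.compile(r"MaxTaskCount:(\d+)")
REACHED_MSG = "MainHttpEntry: max task count reached!"

# Constructed sample in the gpsvc.log format shown above (not real device output).
SAMPLE_LOG = """\
{"level":"info","time":"2025-01-28T04:56:03.083189598-08:00","message":"fetchPanosConfig: fetched panos-config-alt from redis, ts:1738068963, version:1 (MaxTaskCount:1000 MaxAuthReqCount:4096)"}
{"level":"info","time":"2025-01-28T04:56:03.083212404-08:00","message":"ConfigPhase1: phase1 done"}
{"level":"error","time":"2025-01-28T05:10:41.120000000-08:00","message":"MainHttpEntry: max task count reached!"}
truncated line that is not JSON
{"level":"error","time":"2025-01-28T05:10:42.300000000-08:00","message":"MainHttpEntry: max task count reached!"}
"""

def summarize(lines):
    """Return the last MaxTaskCount logged and the times the limit was hit."""
    configured_max, reached_at = None, []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, partial or rotated lines
        if not isinstance(entry, dict):
            continue
        msg = str(entry.get("message", ""))
        m = MAX_RE.search(msg)
        if m:
            configured_max = int(m.group(1))  # step 1: configured maximum
        if entry.get("level") == "error" and msg == REACHED_MSG:
            reached_at.append(entry.get("time"))  # step 2: limit reached
    return {"configured_max": configured_max, "reached_at": reached_at}

def matches_scenario_a(summary, current_tasks, low_watermark=10):
    """Scenario A: limit logged as reached, live counter low, maximum > 500.
    low_watermark is an assumption; the article only says "low or zero"."""
    cfg = summary["configured_max"]
    return (bool(summary["reached_at"]) and cfg is not None and cfg > 500
            and current_tasks <= low_watermark)
```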

 



Additional Information


*GP Task Max default value is 1000 or 1024 depending on the model of the NGFW platform.


