GlobalProtect tunnel restoration failure with Modern Standby Computers

• Computer enters Modern Standby mode:

(P4168-T4172)Info ( 397): 08/05/21 17:34:11:734 Received powersetting change event
(P4168-T4172)Debug(15149): 08/05/21 17:34:11:734 Modern standby

• GlobalProtect attempts to maintain its tunnel. However, if the network becomes unavailable during Modern Standby, the tunnel goes down due to "packet send failure." Consequently, tunnel restoration is not immediately attempted.

17:34:20:645 --Set state to Restoring VPN Connection
17:34:20:645 [Info ]: Tunnel is down due to packet sending failure.
17:34:20:645 [Info ]: Gateway UMD Gateway : Checking network availability and restoring VPN connection when network is available.

• Upon waking the computer from Modern Standby, the GlobalProtect user finds themselves disconnected because the existing tunnel had gone down while in standby. 
• This typically occurs when network connectivity is lost during Modern Standby, causing the tunnel's downtime to exceed the configured grace period.

18:38:03:496 Wakeup from modern standby
18:38:03:496 Waked up from modern standby
18:38:03:496 Tunnel downtime (3830969 milliseconds) exceeds retry grace period (1800 seconds)
18:38:03:496 Tunnel retry done: failed retry
18:38:03:496 Before ProcMonitor quit, disconnect vpn
18:38:03:496 m_preUsername azi
18:38:03:496 m_msp->IsVPNConnected() is 0, CControlManager::GetInstance()->IsInRetry() is 0
18:38:03:498 --Set state to Disconnecting...

• If the existing tunnel had managed to remain active throughout Modern Standby (i.e., network connectivity was maintained or briefly interrupted within the grace period), it would have been seamlessly restored upon the computer waking up.

• Palo Alto Firewalls
• Supported PAN-OS versions
• GlobalProtect (GP) App
• Modern Standby (Windows devices)

• During Modern Standby, Windows intermittently suspends and resumes the PanGPS process.
• Because of this, GlobalProtect doesn't try to restore the tunnel while in standby.

1. Set the timers related to Modern Standby higher so that computer does not enter Modern Standby quickly. Refer to Microsoft documentation for the timer settings.

OR

2. Use the GlobalProtect app's "Refresh Connection" option to manually establish a new tunnel.