How to troubleshoot slowness issue when using Prisma Access
1558
Created On 07/18/25 08:57 AM - Last Modified 09/05/25 20:11 PM
Objective
- Prisma Access is used in the network.
- Slowness/packet drops observed in the end-to-end traffic.
- This article provides helpful steps to troubleshooting the slowness issue when using Prisma Access solution.
- This troubleshooting concept is not limited to Prisma Access solely. It can be used in any network type.
Environment
- Palo Alto Firewalls
- Prisma Access Firewalls
- Supported PAN-OS
- GlobalProtect
Procedure
- Network Diagram below shows where packet captures should be collected. The idea is to find point in the network where packets are dropped or send out of order. Two scenarios are shown:
- Top scenario - End user is in the office and is trying to access internal or internet resource when going over Prisma Access,
- bottom scenario - Global Protect user is connected to Prisma Access MU and is trying to access internal or internet resources.
- Captures need to be collected at multiple points (also at Prisma Access device by TAC). Those captures can reveal where packets are dropped or send out of order.
- Two types of traffic will be captured:
- End user traffic (client to server communication) - multiple points of capture
- Ipsec traffic - Ipsec/ESP traffic between on-prem firewall [or other device] and Prisma Access side (by TAC - end user traffic or/and IPSEC traffic). When using Global Protect Client, captures need to be collected at physical interface (ipsec traffic) and global protect interface (end user traffic)
- To check speed the following tests can be used (run them multiple times):
- download files from internal resources that is managed by customer,
- using iperf solution either downloading software on client and server or download software on client and use internet iperf servers,
- upload test file on cloud repository (google drive, s3 bucket, sharepoint, one drive),
- Microsoft offers Network connectivity Test to get insights of the quality of the connectivity to their Services. Choose the Location according to the Location where you are connected in Global Protect/ Prisma Access,
- speed test websites - We have observed multiple examples of speed test providers throttling traffic from public cloud providers,
- Cloudflare Speedtest - delivers more tests,
- Please note that some urls can be resolved to multiple IP addresses per test. This can cause problem with packet capture filters on the network devices. Host file on user workstation can be used to solve this kind of issue.
- example of out of order IPSEC/ESP traffic that cause user traffic to be received out of order - VPN device encrypt traffic and send it in correct order but device between VPN peers re-ordered them.