How to troubleshoot when Global protect gateway tunnel get disconnected due to" keep-alive timeout"

How to troubleshoot when Global protect gateway tunnel get disconnected due to" keep-alive timeout"

49818
Created On 04/17/20 18:03 PM - Last Modified 04/27/20 22:54 PM


Objective
The article provides information on the troubleshooting steps that can be followed if the global protect clients are disconnecting with Keep-alive timeout as seen in PanGps.log

Client PanGps.log 
Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel

 


Environment
  • PAN-OS 8.1 and above
  • Global protect configured.


Procedure

When the tunnel gets disconnected due to keep-alive timeout, it means the GlobalProtect Client software has not received the keepalive packet. The only way to troubleshoot this issue is by doing a Wireshark packet capture on both Gateway and GlobalProtect Client.
  1. Take a packet capture on the Client System on the virtual and physical adapters, and on the GlobalProtect (GP) Gateway.
  2. When the user reports failure, the packet captures taken reveal if the system has received the ICMP keepalives or not. 
  3. If the client system has received the Keepalives then the GP Gateway or Network issues can be ruled out.
  4. If the client system has not received the keepalives, then the network issue between the Gateway and Client needs to troubleshoot for packet drops, high CPU etc.
  5. Finally, the packet captures on the GP Gateway will reveal if the Gateway itself is sending the keepalives.
  6. IF the packet captures indicate a problem with GP gateway that needs help, engage TAC for assistance.
For information on the Packet capture on firewall, please refer Here.
 


Additional Information
Note:
  • By default, the client will send IPsec keepalives every 10 seconds, if 5 keepalives are missed (50 seconds) then the connection is torn down and retried.
  • The keepalives can be seen in PanGPS logs if it is set on dump level. Keepalives are sent only when there is no network activity.
  • Keepalives are regular ICMP packets exchanged within the tunnel between clients private IP address and gateway public IP address.


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPgZ&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments