How to troubleshoot when Global protect gateway tunnel get disconnected due to" keep-alive timeout"
Created On 04/17/20 18:03 PM - Last Modified 04/27/20 22:54 PM
The article provides information on the troubleshooting steps that can be followed if the global protect clients are disconnecting with Keep-alive timeout as seen in PanGps.log
Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel Info (1011): --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
- PAN-OS 8.1 and above
- Global protect configured.
When the tunnel gets disconnected due to keep-alive timeout, it means the GlobalProtect Client software has not received the keepalive packet. The only way to troubleshoot this issue is by doing a Wireshark packet capture on both Gateway and GlobalProtect Client.
- Take a packet capture on the Client System on the virtual and physical adapters, and on the GlobalProtect (GP) Gateway.
- When the user reports failure, the packet captures taken reveal if the system has received the ICMP keepalives or not.
- If the client system has received the Keepalives then the GP Gateway or Network issues can be ruled out.
- If the client system has not received the keepalives, then the network issue between the Gateway and Client needs to troubleshoot for packet drops, high CPU etc.
- Finally, the packet captures on the GP Gateway will reveal if the Gateway itself is sending the keepalives.
- IF the packet captures indicate a problem with GP gateway that needs help, engage TAC for assistance.
- By default, the client will send IPsec keepalives every 10 seconds, if 5 keepalives are missed (50 seconds) then the connection is torn down and retried.
- The keepalives can be seen in PanGPS logs if it is set on dump level. Keepalives are sent only when there is no network activity.
- Keepalives are regular ICMP packets exchanged within the tunnel between clients private IP address and gateway public IP address.