My users have started to randomly drop from GlobalProtect since we updated from 10.1.10-h2 to 10.2.7-h3. I saw on the release pages it says to disable ipv6 if you are using ssl as the transport protocol which we are. I do not see IPV6 enabled anywhere in the portal/gateway or interface or tunnel settings. There is nothing being blocked or denied in traffic and the global protect logs do no show any failures. Is there a place to find preferred release of Global Protect? I thought it was on the same page as the PANOS releases but I can’t find it. In the Global Protect logs I just see a bunch of messages like this before it disconnects:
(P6644-T11620)Debug( 938): 01/23/24 18:55:23:530 HandleDnsCallback: failed to parse dns req packet.
(P6644-T11620)Debug( 938): 01/23/24 18:55:33:540 HandleDnsCallback: failed to parse dns req packet.
(P6644-T5908)Debug(1033): 01/23/24 18:55:40:995 SSL_read(len 229) success after 3 retry
Might not be related but just had GP issues since update to 10.2.7-h3, GP running 6.1.x.
I checked there was a known bug with 6.1.x, tried different client versions, same problem.
I’ve been told to disable IPv6 on the PANGP NIC… Problem solved.
Absolutely nothing in logs mentioning IPv6…
This explains our disconnects and seems 10.1.11-H4 has a ton of bugs and is no lonmger the preferred version as of this morning! I have gone to 10.1.11-H5 on my standbys and testing now.
*
10.1.11-h4 12/14/23
Note:
Autocommit failures seen on PA-410. (PAN-227435).
DNS resolution fails if DNS server IP is retrieved from DHCP. (PAN-242784).
DNS resolution fails for plugins (PAN-235741)
GlobalProtect tunnel might disconnect shortly after being established when SSL is used as a transport protocol. Workaround: Disable Internet Protocol Version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter (PAN-242561).
This seems to have maybe been fixed for me by turning off HIP checks , not sure if this is acceptable in your environment but we don’t leverage them anyhow. If you don’t use them either it may be worth looking into testing disabling it and seeing if it helps. Im curious either way though if that helps or not for you or if you find anything else out.
Thanks I have seen that correlation in the GP Logs but we use the HIP checks so I can’t turn them off. Hoping the announced 10.1.11-H5 software has fixes for this but waiting on confirmaton before I deploy it.
The actual solution for us was disabling the ipv6 stack on the local machines virtual adapter for global protect. We had to do it via a powershell script i think, Im not on the endpoint side of things so I’m not 100% sure how the fix was deployed.
