Fix the MTU — properly.
This issue looks random, but the root cause is very common in Palo Alto GlobalProtect deployments.
Symptoms you’ll see
✔ VPN connects successfully
✔ User gets IP
❌ Websites partially load
❌ O365 / SaaS apps hang
❌ Downloads fail midway
Root cause → MTU mismatch
When GlobalProtect encapsulates traffic (SSL/IPsec), packet size increases.
If the path (ISP / mobile network / home router) supports a lower MTU, packets get dropped silently.
And since ICMP is often blocked, Path MTU Discovery fails.
✅ How to FIX it — Step by Step (Custom MTU)
Step 1: Identify the problem
From the GP client machine:
Test with ping (Don’t Fragment flag)
Find the largest packet size that succeeds
This gives you a safe MTU baseline.
Step 2: Set custom MTU on Tunnel Interface
On the firewall:
Go to Network → Interfaces → Tunnel
Open the GlobalProtect tunnel interface (e.g., tunnel.1)
Set MTU to a lower value
Common working values: 1400 / 1420
Commit the changes
This ensures encrypted packets stay within path limits.
Step 3: (Optional but recommended) Adjust TCP MSS
Configure TCP MSS Clamping in security policy
Prevents oversized TCP packets before encryption
Helps avoid fragmentation at higher layers
Step 4: Validate with real users
After change:
Test SaaS apps
Test large downloads
Test mobile hotspot users
Test multiple ISPs
✔ Consistent browsing = MTU issue resolved
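Step 1 as a script, with the Step 2 and Step 3 values derived from the result. This is an added example, not part of the original post: it binary-searches the largest ICMP payload that passes with Don’t Fragment set, then reports the path MTU (payload + 20 IPv4 + 8 ICMP) and a matching TCP MSS (MTU − 40). It assumes Linux iputils ping (-M do / -s); TARGET and GP_MTU_RUN are assumed names, and 8.8.8.8 is just a constructed default.

```shell
#!/bin/sh
# Assumed names: TARGET (probe destination), GP_MTU_RUN (set to run the probe).
# Linux iputils ping: -M do = Don't Fragment, -s = payload bytes.
# Windows equivalent of one probe: ping -f -l <payload> <target>
TARGET="${TARGET:-8.8.8.8}"   # constructed default; override via environment

# probe PAYLOAD: 0 if one DF ping of PAYLOAD bytes gets a reply, 1 otherwise
probe() {
    ping -M do -s "$1" -c 1 -W 2 "$TARGET" >/dev/null 2>&1
}

# find_max_payload PROBE_FN [LO] [HI]: largest payload in [LO,HI] that PROBE_FN
# accepts, printed on stdout; prints 0 if even LO fails. 1472 = 1500 - 28.
find_max_payload() {
    fn="$1"; lo="${2:-500}"; hi="${3:-1472}"; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))     # fits: search larger
        else
            hi=$(( mid - 1 ))                # dropped: search smaller
        fi
    done
    echo "$best"
}

# mtu_from_payload PAYLOAD: add IPv4 header (20) + ICMP header (8)
mtu_from_payload() { echo $(( $1 + 28 )); }

# mss_from_mtu MTU: subtract IPv4 header (20) + TCP header (20)
mss_from_mtu() { echo $(( $1 - 40 )); }

main() {
    payload=$(find_max_payload probe)
    mtu=$(mtu_from_payload "$payload")
    echo "largest DF payload that passes: $payload bytes"
    echo "path MTU: $mtu  (set the tunnel interface MTU at or below this)"
    echo "suggested TCP MSS: $(mss_from_mtu "$mtu")"
}

# Only probe the network when explicitly asked, e.g. GP_MTU_RUN=1 sh gp_mtu.sh
if [ -n "$GP_MTU_RUN" ]; then main; fi
```

Run it from the GP client with the tunnel up against an internal host to get a tunnel MTU directly; if you probe the gateway’s public address instead, the result is the outer path MTU and the SSL/IPsec overhead still has to be subtracted.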
Architect’s takeaway
VPN problems are not always routing or policy related.
Sometimes the network is fine — the packet size is not.
If you’ve faced strange GlobalProtect internet issues and fixed them by tuning MTU, you’re not alone.
๐ฌ Drop a comment or DM if you want a quick MTU troubleshooting checklist.