I work remotely for a large (8,500 EE) company in central Florida. In January 2022 I switched from Spectrum Internet ($79.99/mo for 100 Mb download) to the Verizon 5G Internet Gateway ($25/mo for 300 Mb download). At the time my company was using AnyConnect VPN and I got decent performance. Then in March 2022 the company began the switch to GlobalProtect VPN. I was able to test both VPNs side-by-side over the Verizon Gateway and the difference was significant. With AnyConnect I was getting 250-290 Mb download; with GlobalProtect I was getting 10-20 Mb download. After a few months the company shut off the AnyConnect VPN (which I strongly objected to, to no avail) and I’ve been using the GlobalProtect VPN ever since. My corporate IT technician has done a bunch of diagnostic tests but come up with nothing. I disabled all the Firewall settings on the Gateway but that had no effect, so I turned them back on.
The situation seems pretty hopeless. Because I was able to do a parallel test I can definitively state that the problem is with GlobalProtect. Palo Alto (vendor for GlobalProtect) doesn’t have the skills to troubleshoot and resolve the problem.
Fortunately I almost don’t notice. I get reasonable response times from all my applications running over the VPN. I can do video calls in Teams, Zoom & WebEx with no performance problems. Streaming video doesn’t buffer. The only time I really notice is when I’m downloading large files from SharePoint. Without the VPN a 325 MB file takes about 10 seconds. With GlobalProtect VPN the same file takes over 15 minutes. But it’s rare that I download files that big so I’m not too concerned about the performance of GlobalProtect VPN.
> Palo Alto (vendor for GlobalProtect) doesn’t have the skills to troubleshoot and resolve the problem.
Yes they certainly do but without a partner login they aren’t going to work with you. It may need to get escalated before you get someone decent though. Contact your IT dept and go through them.
Without digging into it I’d bet that your ISP is breaking IPSEC somehow (probably double NAT) and GlobalProtect is falling back to SSL VPN which has terrible performance compared to IPSEC.
https://www.reddit.com/r/paloaltonetworks/comments/l2rp1a/global_protect_ipsec_vs_ssl/
You can check tunnel status like this: How to Confirm if GlobalProtect Tunnel is Using IPSec or SSL?
Again, just a guess without looking at your setup but something to look in to.
You may need to adjust your MTU
Are the AnyConnect ASA/Firepower and the Palo Alto at the same DC? On the same internet pipe?
What else can be different?
Can you log in to the Palo? Or is it managed externally?
If you want to try another AnyConnect with multi-gig internet, we can.
I have a similar problem as the OP
Our IT has been telling us that the slow speeds are because the VPN is in another state 700 miles away.
I doubt that and think there must be some settings that need to be adjusted (i.e. MTU, IPSec, etc.).
Would the VPN headend being 700 miles away be a reason why we can’t get >10 Mbps? Or is that not necessarily true, and trying to adjust some of the aforementioned settings should be able to help?
I don’t get why SSL VPN on AnyConnect is so much better than SSL on GlobalProtect. Cisco did that right.
Must do IPSec or it gets pretty bad. It’s fine for basics but not power users.
Having the same problem with traffic usually limited to 1 Mbps or less while upstream seems to blast along at 20 Mbps. It is weird it would be so asymmetric; surely if there is fragmentation then my upstream packets would be fragmented too?
Not sure what the suggestions about using the DMZ and blocking all the IPSEC ports is supposed to achieve - is that to force GlobalProtect into SSL mode? When I used SSL mode it worked a bit better, sometimes getting to 10 Mbps, but it also seemed pretty unstable and GP showed a warning that it was unstable.
I thought I could go to the WiFi network interface on my MacBook and set the MTU to 1372 but that did not seem to have the desired effect. Traffic was still limited to 1 Mbps. I’m waiting to see if I can get my IT guys to help play with the GlobalProtect config MTU setting.
Happy to share the solution I figured out for macOS.
The goal is to block UDP on port 4501 for the IPSec protocol used by GlobalProtect VPN, so it can fall back to SSL on port 443. SSL is much more stable than IPSec on the Verizon mobile 5G network, and SSL download speed is 10 times faster than IPSec for me.
On your MacBook, open a terminal window and edit the file below:
$ sudo vim /etc/pf.conf
Add this one line to it:
block drop out proto udp from any to 0.0.0.0/0 port 4501
Then run the following command to reload the packet filter rules:
$ sudo pfctl -e -f /etc/pf.conf
Cheers
Similar problem here. Removed all Firewall settings. Download speeds went from 1 Mbps to 150 Mbps but upload speeds are still infuriatingly slow….0.4 Mbps. Ugh.
I checked the settings/connection tab on my laptop in the GP client, and it says IPSec.
Does that confirm that IPSec isn’t the cause of my slow speeds? Is there still some way my ISP could be breaking IPSec? Or no, as long as it says IPSec in the GP client then it’s good?
Thank you
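The two questions above (how to confirm whether the tunnel is IPSec or SSL, and whether the GP client's "IPSec" label can be trusted) can be cross-checked from the client's socket table. The script below is an added example, not code from the thread or from Palo Alto: it classifies the tunnel as IPSec when the client holds a UDP socket to the gateway on 4501, as SSL when only an established TCP/443 session to the gateway exists, and none otherwise. It assumes the BSD/net-tools `netstat -an` column layout, IPv4 addresses, and that the UDP socket lists the gateway as its foreign address; the gateway address 203.0.113.10 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the GlobalProtect
# tunnel mode from the client's open sockets instead of the GUI.
# IPSec mode keeps a UDP socket to the gateway on 4501 (alongside the
# TCP/443 control session); SSL fallback leaves only the TCP/443 session.
# Assumptions: BSD/net-tools "netstat -an" layout, IPv4 only, and that the
# UDP socket shows the gateway as its foreign address.

GP_IPSEC_PORT=4501
GP_SSL_PORT=443

# Constructed netstat output for each state (not captured from a real client).
SAMPLE_IPSEC='udp4       0      0  192.168.1.23.51712     203.0.113.10.4501
tcp4       0      0  192.168.1.23.51710     203.0.113.10.443       ESTABLISHED'
SAMPLE_SSL='tcp4       0      0  192.168.1.23.51710     203.0.113.10.443       ESTABLISHED'

# Read netstat-style lines on stdin; print ipsec, ssl or none for gateway $1.
classify_tunnel() {
    awk -v gw="$1" -v ipsec="$GP_IPSEC_PORT" -v ssl="$GP_SSL_PORT" '
        NF >= 5 {
            n = split($5, f, /[.:]/)               # host.port (BSD) or host:port (Linux)
            port = f[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            if (host != gw) next
            if ($1 ~ /^udp/ && port == ipsec) has_ipsec = 1
            if ($1 ~ /^tcp/ && port == ssl && $6 == "ESTABLISHED") has_ssl = 1
        }
        END {
            mode = "none"
            if (has_ssl) mode = "ssl"
            if (has_ipsec) mode = "ipsec"        # IPSec wins: the 443 session stays up in both modes
            print mode
        }'
}

# Run the classifier against the live socket table for gateway $1.
live_tunnel_mode() {
    netstat -an | classify_tunnel "$1"
}

# Run the classifier over the constructed samples (used for offline checks).
sample_ipsec_mode() { printf '%s\n' "$SAMPLE_IPSEC" | classify_tunnel 203.0.113.10; }
sample_ssl_mode()   { printf '%s\n' "$SAMPLE_SSL"   | classify_tunnel 203.0.113.10; }
```

To use it on a real client, run `live_tunnel_mode <gateway-ip>` while connected; if it says `ssl` although the client's connection tab says IPSec, something between you and the gateway is dropping UDP/4501 and the client has fallen back, which is the situation the earlier reply described.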
Never heard of “MTU”. Is that on the client (me) or server (corporate) side?
If the GP admin portal is set to the default 1400, will changing the MTU on my laptop make any difference?
I pinged an address and it seems 1372 is the max size; above that number the packets get fragmented.
I changed the MTU on my laptop to 1372 but didn’t notice any improvement in speed (10 Mbps under VPN vs 300-400 without VPN).
Could this be because the admin portal settings are still 1400, so it wouldn’t make a difference? In other words, how would changing the laptop MTU help if the admin portal is set to something higher, so it’s still sending larger packets that get fragmented? Or is it that if Path MTU Discovery is enabled, then it will see that my laptop is set to 1372 and only send packets of that size? Is MTU discovery automatic in GP for all? Or is that something that needs to be enabled?
Thank you
Did you also adjust the MTU setting? Or just this? Have you compared both solutions?
Sounds like SSL isn’t your issue. Check my comment in another thread here. Perhaps you are running into MTU issues.
You may be able to adjust it on your Palo network interface. But it also could be set by corporate.
Ask your IT department.
Would changing MTU on my laptop be the same as admins changing it in GP config portal?
Or no, since the server is still sending larger packet sizes? Or does the server detect my MTU and only send packets of that size?
You might be on to something there.
This sounds pretty similar: https://www.reddit.com/r/tmobileisp/comments/nm9isl/globalprotect_vpn_issue_solved_for_my_situation/
Here is how the IT department can adjust it. Configurable Maximum Transmission Unit for GlobalProtect Connections
They can use the client config selection criteria to limit it to people like /u/Jonathan-HF on cellular connections. They just need to make an AD group or something and apply the lower MTU to that group.
We upgraded our PA to handle this but it bugged our config and I haven’t gotten round to fixing it yet.
Something to do with FIPS mode.
We tested different values for the MTU (Maximum Transmission Unit) and found 1372 to be the largest value that did not cause packet fragmentation. Because my laptop is locked down by IT this isn’t a value I could permanently change myself, it had to come to me through a policy.
Again, I’m using the Verizon 5G Internet Gateway. I did some tests using Speedtest by Ookla (https://www.speedtest.net/):
No VPN:                  Download 300 Mbps   Upload 20 Mbps
VPN, MTU=1400 (default): Download 10 Mbps    Upload 7 Mbps
VPN, MTU=1372:           Download 40 Mbps    Upload 8 Mbps
So technically 1372 is an improvement over 1400 but it’s still a long way off from what I should be getting. The VPN is imposing an 80% performance penalty. A reasonable penalty would be 20%.
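Both MTU posts above (the one that pinged to find 1372 and the one that tested values with IT) did the same measurement by hand: find the largest packet that gets through without fragmenting. The script below is an added example, not code from the thread: it binary-searches the largest ICMP echo payload that still receives a reply with the Don't-Fragment bit set, and converts it to a path MTU by adding the 20-byte IPv4 header and 8-byte ICMP header (a 1344-byte payload corresponds to the 1372 the posters found). The probe host, the `ping` flag spelling (`-D` on macOS, `-M do` on Linux) and the 1473-byte starting upper bound (one byte past a 1500-byte link) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: binary-search the largest ICMP
# echo payload that still gets a reply with Don't-Fragment set, then turn
# it into the path MTU. The probe host, ping flag spelling and the 1473-byte
# starting upper bound are this example's assumptions.

IP_HDR=20    # IPv4 header bytes
ICMP_HDR=8   # ICMP echo header bytes

# Send one DF-marked echo with payload size $2 to host $1; succeed on reply.
probe_df() {
    host="$1"; size="$2"
    if [ "$(uname)" = "Darwin" ]; then
        ping -c 1 -W 1000 -D -s "$size" "$host" >/dev/null 2>&1    # macOS: -W in ms, -D sets DF
    else
        ping -c 1 -W 1 -M do -s "$size" "$host" >/dev/null 2>&1    # Linux: -M do sets DF
    fi
}

# Largest value for which "$1 <value>" succeeds, searched between a value
# known to pass ($2) and one known to fail ($3). The probe is passed as a
# command name so a fake probe can stand in for ping during offline checks.
max_passing() {
    probe="$1"; lo="$2"; hi="$3"
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Path MTU is the largest passing payload plus the IP and ICMP headers.
payload_to_mtu() {
    echo $(( $1 + IP_HDR + ICMP_HDR ))
}

# Probe a real host: payload 0 is taken as passing, 1473 as failing.
find_path_mtu() {
    target="$1"
    probe_target() { probe_df "$target" "$1"; }
    payload_to_mtu "$(max_passing probe_target 0 1473)"
}

# Usage: sh mtu_probe.sh <host>
if [ -n "${1:-}" ]; then
    find_path_mtu "$1"
fi
```

The value this prints is the MTU of the path from your machine to the probed host, which is the number the posters were measuring. The tunnel MTU the GlobalProtect admin configures applies inside that path and has to leave room for the tunnel's own encapsulation headers, so it is expected to be lower than the outer path MTU rather than equal to it.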