KB43661 - After enabling lockdown mode with Pulse Secure Desktop client with Ivanti Device and Application control client installed, Windows endpoint experience slow performance (i.e. slow application load times and lagged response from mouse cursor)

This article describes an issue where Windows endpoints experience slow performance (i.e slow application load times, lagged response from mouse cursor, etc) after lockdown mode is enabled with the Pulse Secure Desktop client and Ivanti (formerly called Lumension) Device and Application control client is installed.

After enabling lock down mode with the Pulse Secure Desktop client, windows endpoints may experience laggy or slow performance (similar to high cpu or memory scenarios). 

The following scenarios were found to remediate the issue:

1. Disable lock down mode from the Pulse Connection set and reboot the endpoint machine
2. From Windows Service menu. manually stop the Pulse Secure Service, set from Automatic to Manual, and reboot the endpoint machine.

The issue occurs due to Ivanti service listening on TCP port 33115 and 65229 for traffic from the client to the Ivanti database. The following requirements are documented in Setup Guide on page 25.

When using TLS protocol confirm TCP ports 33115 and 65229 are open. When not using TLS
protocol open TCP port 65129. Depending upon how firewalls are setup in your environment, these
ports may be closed.

By default, lock down mode is configured to block all traffic except inbound/outbound traffic to the Pulse Connect Secure device and other essential network services like DNS, DHCP, etc.

To resolve this issue, Pulse Secure recommends to upgrade to the following releases:

• Pulse Secure Desktop client 5.3R3 and above
• Pulse Connect Secure 8.3R3 and above

In the following release, lock down mode exception rules were added to allow specific traffic when lock down mode is enabled. In the Pulse connection set, lock down exceptions rules will need to be added for inbound and outbound connections for TCP 3115 and 65229.

Workaround:

If a software upgrade is not possible, the following steps can be taken to immediate resolve the issue:

• Pulse Connect Secure (PCS) administrator can disable lockdown mode from the Pulse Connection set and reboot the endpoint machine.

For Pulse Secure Desktop users, please contact your company help desk or Pulse Connect Secure (PCS) administrator to report this issue and provide the following KB article. The fix and workaround will require changes from the Pulse Connect Secure administrator.