Sessions still active on the PA after having disconnected the VPN GP connexion

cnamurdc — Wed, 25 Sep 2013 14:50:12 GMT

Hi,

I've noticed a particular issue concerning sessions started from a VPN connection.

We have a cluster of 2 PA-5020 in actif/passif mode. These are configured as firewalls and VPN gateway with GlobalProtect clients.

We have two categories of users who can be differentiated with the corresponding ldap groups when connecting with GlobelProtect.

One group gathers the IT team (with more rights), the second group concerns all the other.

When someone from the IT team launch a VPN connection, he gets an IP adress from the IP address pool configured on the GP gateway (on the PA).

As part of the IT team, he can connect to a particular server with ssh (for example).

He then disconnects his VPN connection without stopping the ssh session, so the ssh window on the host freezes.

Then, from the same host, someone else NOT from the IT team, connects to VPN (this person shouldn't have access to this server).

As long as the VPN connection gets the same IP address from the pool (which it does in most of the cases), the previous ssh connection comes back to life.

So this user can have access to a server to which he shouldn't have any access.

Tthe ssh session is still active on the PA, and when the IP adress (allocated to the VPN connection) is active again, the PA leaves it as it is.

But why the PA doesn't kill all the active sessions issued from a VPN connection, when this VPN connection is stopped?

And,is there a way to automatically kill on the PA, all the active sessions launched from a VPN connection, when this VPN session stops?

Thanks for your help.

Regards,

Sylvain

Re: Sessions still active on the PA after having disconnected the VPN GP connexion

gwesson — Wed, 25 Sep 2013 17:22:51 GMT

This stems from a combination of three things:

1. Lease time on the IP address given to the VPN user

2. Not disconnecting the SSH session when leaving

3. Timeout duration on SSH

#1 cannot be changed, and since you can't really control #2 it falls to adjusting the SSH timer. I believe the GP IP address timer is around 1 hour before reuse, but you may have to experiment with that a bit. You can change the SSH timer under Objects > Applications. Doing so would be a global change, so you may run into issues if you have long-lived idle SSH connections going through the firewall.

Another way I could think of doing this would be to run a script that checks for current GP users, and if one leaves you could run a CLI command to wipe out any sessions with the associated IP address:

> clear session all filter source 192.0.2.10

Hope this helps,

Greg

topic Re: Sessions still active on the PA after having disconnected the VPN GP connexion in General Topics

Sessions still active on the PA after having disconnected the VPN GP connexion

Re: Sessions still active on the PA after having disconnected the VPN GP connexion