topic Re: Concurrent users cannot connect in General Topics

Concurrent users cannot connect

Farzana — Mon, 14 Nov 2016 04:27:04 GMT

Hello,

GlobalProtect GW with x-auth is enabled for IPsec VPN client services. However, only one concurrent session per user is allowed and any subsequent sessions disconnects the previous session user. Same issue happens whether the user is a local account or an AD account. We need to have multiple sessions running with the same user account.

Any idea how to fix this?

Thanks in advance.

Re: Concurrent users cannot connect

reaper — Mon, 14 Nov 2016 09:58:58 GMT

Hi Farzana

GlobalProtect allows multiple concurrent logins from the same username.

do you possibly have a UserID agent (client/clientless) set to probing and included the IP range of the globalprotect clients ? it's possible the UserID agent is timing out the user mappings with probes, since GlobalProtect will allow concurrent sessions

Re: Concurrent users cannot connect

Farzana — Tue, 22 Nov 2016 04:08:17 GMT

Hello Reaper,

Thank you for your suggestion. No probing is enabled in the User ID Agent Setup. Tried adding an exception for the subnet used by VPN clients but the issue still occurred.

Using Cisco VPN ver 5.0.07.0290. Below log output shows Line 11 everything working OK, from line 12 is when another VPN client connects with the same username:

Looking forward to your response.

Re: Concurrent users cannot connect

Farzana — Tue, 22 Nov 2016 04:44:20 GMT

In system logs we are getting:

ike-nego-p2-proxy-id-bad	IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start	IKE phase-2 negotiation is started as responder
ike-nego-p2-proxy-id-bad	IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start	IKE phase-2 negotiation is started as responder

Re: Concurrent users cannot connect

reaper — Tue, 22 Nov 2016 08:23:49 GMT

kind of looks like there's a configuration issue, proxy IDs are network subnet objects exchanged between 2 vpn peers to determine which local IP addresses are being used

you may want to review which IP pool is being used for GP clients and if that subnet is routed elsewhere in the organization also

would you be able to share configuration snapshots without revealing too much sensitive info ?

Re: Concurrent users cannot connect

Farzana — Tue, 22 Nov 2016 08:56:02 GMT

Hi Reaper,

Thank you for your speedy reply. The config in place is the same as the link below except that the portal is on a different port and a private IP, Nat’d behind the Palo’s outside interface because another device is using port 443. But that shouldn’t matter as that is only the portal web page, not the VPN traffic gateway.

Not using GP client...just IPsec/Cisco remote VPN.

https://www.paloaltonetworks.com/documentation/Videos/gp-qc1-video.html

Re: Concurrent users cannot connect

reaper — Tue, 22 Nov 2016 09:11:17 GMT

have you tried using GlobalProtect ? 😉

i'm not sure about the implications when using a 3rd party vpn client

Re: Concurrent users cannot connect

Brandon_Wertz — Tue, 22 Nov 2016 15:18:33 GMT

@reaper Please help...My Galaxy S7 isn't working with iOS10. lol

Re: Concurrent users cannot connect

BPry — Tue, 22 Nov 2016 18:29:30 GMT

A few things about this setup:

1) If you are forming the IPSec connection through the Palo Alto Firewall just use GlobalProtect and setup the SSL VPN.

2) Don't use an unsupported Cisco client that has known security issues that will NEVER be fixed.

3) GP is a free product and way more servicable than IPSec connections. IPSec is great for Tunnels, but not to actively use on client devices trying to connect back to the office. You should really be moving away from IPSec as a whole.

Re: Concurrent users cannot connect

Farzana — Tue, 22 Nov 2016 21:55:21 GMT

Hi Brandon,

I understand what you are trying to say...The thing is if client wants only Cisco VPN for their users then being an ASC we don't have much of a say rather suggest to try using Global Protect Client.

I try to use this forum to get suggestions as PA being a fairly new product (compared to other vendors) not enough forums out there for many scenarios.

This kind of tongue-in-cheek humor puts me off to ask questions here 🙂

Cheers

Farzana

Re: Concurrent users cannot connect

Brandon_Wertz — Tue, 22 Nov 2016 22:06:29 GMT

@Farzana Pretty sure PA was the first purpose built application aware FW.

The platform has been around for sometime. You "hid the lead" I'm having this problem...Oh by the way I'm trying to smash to unique/competiive vendor products and it's not working.

It's tounge and cheek because it's funny.

It's good to know if senarios like this work and/or if they fail and under what circumstances of each, but come on...You gotta be a little more thick skinned than that.

Not to mention as an IT professional if you aren't going back to your client and telling them the solution they're trying to implement isn't how this should be done you're not doing right by your customer.

Re: Concurrent users cannot connect

Farzana — Tue, 22 Nov 2016 22:37:46 GMT

Yes you are right Brandon.

Client uses IPSec because they connect to many client environments so it is non-trivial for them to implement GlobalProtect.

I will check if certificate was applied properly.

The first user can connect to VPN easily but when another user logs in then he gets kicked out.

Re: Concurrent users cannot connect

BPry — Wed, 23 Nov 2016 13:47:10 GMT

@Farzana Sometimes we get a little out of hand 🙂

I would just point out to the client that the legacy Cisco VPN is no longer supported and does not work properly with anything greater than Windows 7. Even if you do the legwork to get this to function it isn't a supported function; you also run into the issue of security when using a VPN client that is no longer being updated for known security holes.

Re: Concurrent users cannot connect

reaper — Wed, 23 Nov 2016 13:50:49 GMT

plus, concurrent users work 100% guaranteed with GlobalProtect 🙂