GP users are getting denied random times

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GP users are getting denied random times

L3 Networker

I have global protect v5.0.5 deployed to all Corporate Windows and some users reported that when they work everything stop to work and suddenly after 5-10 minutes is back again without disconnecting them from the global protect .This happen random times and not always .I have a user though that he reports that every day for the last week .

 

Palo Alto version is 8.1.11 VM-300 and GP agent 5.0.5 on a Windows 10.

 

I can see from the logs user is working fine in one server , then traffic getting blocked and can see only traffic log but not threat etc. 

 

I am allowing based on the IP and the Zone and destination is any app any service .

HIP looks fine and agent is sending the report every hour .

 

Today this happened to a user connected 7 am and stopped working around 10am for 5 minutes .In the logs I can see HIP reports were send before and after the incident and user-id was reported that was learned from the AD .

 

I can see from the logs if that is helping that user is not written and after working is written . Is that related to USER-ID where I need to exclude the IP pools from the GP on the USER-ID ?

23 REPLIES 23

L7 Applicator

could you just confirm if your policy is based on source user-ID or user IP address.

Cyber Elite
Cyber Elite

GP does it's own UserID so if you have the IP pool included in the regular userID, this could cause a conflic. excluding the subnet would be a good step to see if it resoves your issue

 

you could also track global counters to help guide your search to the cause of users getting dropped during that timeframe

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

We had some issues 2 months ago with the Pilot where user let's say George had another account like adminGeorge and group was different so we removed the user/group access filtering in policy .

 

Now we have Source IP pool that we provide and the Zone of Global Protect only .

Destination is any any to internal resource for that user had issues today and with AV,VULN,ANTI-SPY profile . Nothing was blocked because of the profiles .

I can see that today but issue started before 10:13 . 10:13 was reported that was ok and user connected 7am which I don't have logs before that for user-id which is strange.

 

clipboard_image_0.png

Hi Remo,

 

When you say GP does it's own UserID ?

How does this work?

 

I am testing GP  with assigning VPN pool a /24 subnet and it is based on the IP address.

 

Regards

Mike

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

@MP18 I think you meant @reaper and not me 😉

But what he was saying that as soon as a user logs in to GP, the firewall assings a local user-ip-mapping with globalprotect as source. So if you also have User-ID agents in place, a mapping there could lead to a conflict and if the mapping on the user-ID agent is newer the local global protect mapping will be overwritten.

 

@GeorgiosFakis do you have logs of that timeframe(s) where the users reported that they lost the connection? Does this problem exist for all your users at random times or "only" for a small group of users?

It's not sure how many experience the issue but right now i have reports from 20 users .

During the pilot phase was reported by 2 only but I had 20-22 pilots and most of them are not using the global protect all day , so it's not clear since the users are not connected the whole day on the global protect.

 

The reports I get about the issue is from users that are connected 8-10 hours constantly .

what is your user ID timeout currently set to.

 

 

Is set to 45 minutes :

 

clipboard_image_0.png

I would extend that to 480 (8 Hours)

I have mine set to 24 hours but for some thats too long.

 

4 Hours may be OK.   but try  8 and reduce if needs be.

also use....:-

 

show user ip-user-mapping  all

 

this will display all known users to IP address and when the expire

Hi

 

I have done this but again user reported that next day . 

 

I got debugging logs from user and I see it's an issue on HIP report that timed out . I have opened a case with Palo Alto and waiting their availability to check it .

Keep us posted on this.

Lets see what PA says?

 

Surprise Hip report can cause this issue

MP

Help the community: Like helpful comments and mark solutions.

PA released version 5.0.6 that fix some HIP issues. Now for the case I have they are still reviewing the files I sent them .

 

From what I see is that :

 

 (T20032) 11/28/19 11:18:03:568 Debug(4477): Send hip report check failed

 

I have increased the timeout to 1 day for the HIP report from 3 hours that was set.I will keep you posted .

  • 11247 Views
  • 23 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!