GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

L1 Bithead


Hello all,

I use software version 6.1.3 on the firewall and GP client version 2.2.0.

I establish a VPN tunnel (SSL) and everything is OK; I can access internal resources, but unfortunately only for 2 minutes.

After that, the user-ip-mapping entry loses the user:

# show user ip-user-mapping all type GP

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.98.11   vsys1  GP      marcin                           2591980        2591980

Total: 1 users

!!! after about 2 minutes:

# show user ip-user-mapping all type GP

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

# I use a security policy with known-user:

VPN-MG-PALO {

      from vpn-mg-palo;

      to [ dmz inside];

      source 192.168.98.0/24;

      destination any;

      source-user known-user;

      category any;

      application any;

      service any;

      hip-profiles any;

      action allow;

      tag vpn-mg-palo;

      log-start yes;

      log-end no;

      log-setting LogServer-traffic;

}

Thanks for your answer.

Regards,

Marcin

L4 Transporter

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Marcin

Can you paste the output of these two commands when this issue happens? Also check on the client side to make sure the tunnel is still up:

- show user ip-user-mapping-mp all type GP

- show global-protect-gateway current-user user marcin

Amjad

L4 Transporter

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Hi Marcin

I'm using the same PAN-OS and the same GP client, but I didn't get such problems...

What kind of User-ID are you using (agent/agentless)?

With AD or another source of users?

What system (Windows/MAC)?

Regards

SLawek

L1 Bithead

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Hi Amjad,

The results of the two commands are below:

show user ip-user-mapping-mp all type GP

IP              Vsys   From    User                             Timeout (sec)

--------------- ------ ------- -------------------------------- ----------------

192.168.98.11   vsys1  GP      marcin                           2591989

Total: 1 users

*: WMI probe succeeded

show global-protect-gateway current-user user marcin

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

        Computer                  : lap

        Client                    : Microsoft Windows 7 Professional Service Pack 1, 64-bit

        VPN Type                  : Device Level VPN

        Mobile ID                 :

        Private IP                : 192.168.98.11

        Public IP                 : <deleted>

        ESP                       : removed

        SSL                       : exist

        Login Time                : May.04 00:19:10

        Logout/Expiration         : Jun.03 00:19:10

        TTL                       : 2591961

        Inactivity TTL            : 10761

and after about two minutes:

show user ip-user-mapping-mp all type GP

IP              Vsys   From    User                             Timeout (sec)  

--------------- ------ ------- -------------------------------- ----------------

Total: 0 users

*: WMI probe succeeded

show global-protect-gateway current-user user marcin

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

        Computer                  : lap

        Client                    : Microsoft Windows 7 Professional Service Pack 1, 64-bit

        VPN Type                  : Device Level VPN

        Mobile ID                 :

        Private IP                : 192.168.98.11

        Public IP                 : <deleted>

        ESP                       : removed

        SSL                       : exist

        Login Time                : May.04 00:19:10

        Logout/Expiration         : Jun.03 00:19:10

        TTL                       : 2591862

        Inactivity TTL            : 10662

Tunnel is still up on the client side (GlobalProtect/Details : Tunnel - YES, Authenticated, Uptime...0

Marcin
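The state shown in the post above (gateway session still listed, User-ID mapping gone, so the known-user rule no longer matches the client) can be checked mechanically. The following is an added example, not part of the original thread and not Palo Alto Networks code; the sample text is constructed from the outputs quoted here, and all function names are hypothetical.

```python
import re

# Sample CLI text, constructed from the outputs quoted in this thread.
GATEWAY_OUT = """\
GlobalProtect Gateway: gw1 (1 users)
Tunnel Name          : gw1-N
        Domain-User Name          : \\marcin
        Private IP                : 192.168.98.11
"""
MAPPING_BEFORE = """\
IP              Vsys   From    User                             Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
192.168.98.11   vsys1  GP      marcin                           2591989
Total: 1 users
"""
MAPPING_AFTER = """\
IP              Vsys   From    User                             Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
Total: 0 users
"""

def gateway_sessions(text):
    """Return {private_ip: domain_user} for each session in the gateway output."""
    sessions, user = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Domain-User Name":
            user = value
        elif key == "Private IP" and user is not None:
            sessions[value] = user
            user = None
    return sessions

# One data row of the mapping table: IP, vsys, source, user, timeout.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)")

def mapped_ips(text):
    """Return {ip: user} for every data row of the ip-user-mapping table."""
    return {m.group(1): m.group(4) for m in map(ROW.match, text.splitlines()) if m}

def orphaned(gateway_text, mapping_text):
    """Gateway sessions whose private IP has no User-ID mapping."""
    mapped = mapped_ips(mapping_text)
    return {ip: u for ip, u in gateway_sessions(gateway_text).items() if ip not in mapped}

def empty_domain(gateway_text):
    """Private IPs of sessions with nothing before the backslash in Domain-User Name."""
    return [ip for ip, u in gateway_sessions(gateway_text).items() if u.startswith("\\")]
```

Both parsers skip blank lines, so output pasted with double spacing (as in this thread) works unchanged.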

L1 Bithead

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Hi SLawek,

I use agentless User-ID, MS AD users, and Windows/Mac OS,

and I see after two minutes:

show global-protect-gateway current-user

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

        Computer                  : MacBook-Pro-marcin

        Client                    : Apple Mac OS X 10.10.2

        VPN Type                  : Device Level VPN

        Mobile ID                 :

        Private IP                : 192.168.98.10

        Public IP                 : <deleted>

        ESP                       : removed

        SSL                       : exist

        Login Time                : May.04 00:43:43

        Logout/Expiration         : Jun.03 00:43:43

        TTL                       : 2591806

        Inactivity TTL            : 10606

show user ip-user-mapping-mp all type GP

IP              Vsys   From    User                             Timeout (sec)  

--------------- ------ ------- -------------------------------- ----------------

Total: 0 users

*: WMI probe succeeded

Marcin

L4 Transporter

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes


Marcin

Are the Portal and Gateway on the same firewall? Do you have a single PA or an HA pair?


Amjad

L1 Bithead

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Portal & Gateway are on the same firewall in an HA pair.

Regards,

Marcin

L4 Transporter

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Hi Marcin

show global-protect-gateway current-user

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ why the domain name field is

Did you follow this doc: How to Configure Agentless User-ID?

Regards

Slawek

L1 Bithead

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Slawek,

I don't know :( , but I connect normally using MS AD credentials.

Regards,

marcin

L4 Transporter

Re: GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

Hi

Maybe someone who is using agentless User-ID could confirm that the output of show global-protect-gateway current-user should have the domain name before \user, something like: Domain-User Name          : XXXXXXXXXX\marcin

Another thing: please give us the output from

show user ip-user-mapping all

Regards

SLawek
