Sessions still active on the PA after having disconnected the VPN GP connexion

Reply
Highlighted
L1 Bithead

Sessions still active on the PA after having disconnected the VPN GP connexion

Hi,

I've noticed a particular issue concerning sessions started from a VPN connection.

We have a cluster of 2 PA-5020 in actif/passif mode. These are configured as firewalls and VPN gateway with GlobalProtect clients.

We have two categories of users who can be differentiated with the corresponding ldap groups when connecting with GlobelProtect.

One group gathers the IT team (with more rights), the second group concerns all the other.

When someone from the IT team launch a VPN connection, he  gets an IP adress from the IP address pool configured on the GP gateway (on the PA).

As part of the IT team, he can connect to a particular server with ssh (for example).

He then disconnects his VPN connection without stopping the ssh session, so the ssh window on the host freezes.

Then, from the same host, someone else NOT from the IT team, connects to VPN (this person shouldn't have access to this server).

As long as the VPN connection gets the same IP address from the pool (which it does in most of the cases), the previous ssh connection comes back to life.

So this user  can have access to a server to which he shouldn't have any access.

Tthe ssh session is still active on the PA, and when the IP adress (allocated to the VPN connection) is active again, the PA leaves it as it is.

But why the PA doesn't kill all the active sessions issued from a VPN connection, when this VPN connection is stopped?

And,is there a way to automatically kill on the PA, all the active sessions launched from a VPN connection, when this VPN session stops?

Thanks for your help.

Regards,

Sylvain

Tags (2)
L7 Applicator

Re: Sessions still active on the PA after having disconnected the VPN GP connexion

This stems from a combination of three things:

1. Lease time on the IP address given to the VPN user

2. Not disconnecting the SSH session when leaving

3. Timeout duration on SSH

#1 cannot be changed, and since you can't really control #2 it falls to adjusting the SSH timer. I believe the GP IP address timer is around 1 hour before reuse, but you may have to experiment with that a bit. You can change the SSH timer under Objects > Applications. Doing so would be a global change, so you may run into issues if you have long-lived idle SSH connections going through the firewall.

Another way I could think of doing this would be to run a script that checks for current GP users, and if one leaves you could run a CLI command to wipe out any sessions with the associated IP address:

> clear session all filter source 192.0.2.10

Hope this helps,

Greg

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!