Concurrent users cannot connect


Hello,

A GlobalProtect gateway with X-Auth is enabled for IPsec VPN client services. However, only one concurrent session per user is allowed, and any subsequent session disconnects the previous session's user. The same issue happens whether the user is a local account or an AD account. We need to have multiple sessions running with the same user account.

Any idea how to fix this?

Thanks in advance.

Hi Farzana,

GlobalProtect allows multiple concurrent logins from the same username.

Do you possibly have a User-ID agent (client/clientless) set to probing, with the IP range of the GlobalProtect clients included? It's possible the User-ID agent is timing out the user mappings with probes, since GlobalProtect will allow concurrent sessions.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello Reaper,

Thank you for your suggestion. No probing is enabled in the User-ID Agent Setup. I tried adding an exception for the subnet used by VPN clients, but the issue still occurred.

Using Cisco VPN client version 5.0.07.0290. The log output below shows everything working OK up to line 11; from line 12 is when another VPN client connects with the same username:

Looking forward to your response.


In the system logs we are getting:

ike-nego-p2-proxy-id-bad: IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start: IKE phase-2 negotiation is started as responder
ike-nego-p2-proxy-id-bad: IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start: IKE phase-2 negotiation is started as responder

Kind of looks like there's a configuration issue. Proxy IDs are network subnet objects exchanged between two VPN peers to determine which local IP addresses are being used.

You may want to review which IP pool is being used for GP clients, and whether that subnet is also routed elsewhere in the organization.

Would you be able to share configuration snapshots without revealing too much sensitive info?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
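As an added example (not code from the thread or from Palo Alto Networks), the snippet below triages system-log lines in the shape quoted above: it counts phase-2 starts against proxy-ID failures, pulls out the rejected ID type, and, for a peer that proposes an address range, lists the subnet-type proxy IDs that would cover the same range. The sample log is constructed to match the quoted lines; the "event-id followed by text" layout and the assumption that the responder accepts single-address and subnet IDs but not ranges (which is what the quoted error says about the range type) are mine, not the page's.

```python
"""Triage PAN-OS IKE phase-2 proxy-ID failures (added example, not from the page)."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the lines quoted in the thread.
SAMPLE_LOG = """\
ike-nego-p2-start IKE phase-2 negotiation is started as responder
ike-nego-p2-proxy-id-bad IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
ike-nego-p2-start IKE phase-2 negotiation is started as responder
ike-nego-p2-proxy-id-bad IKE phase-2 negotiation failed when processing proxy ID. received ID for remote-side type (IPv4_address_range) is not supported.
"""

# Assumed layout: "<event-id> <free text>" (the thread's lines, unfused).
LINE_RE = re.compile(r"^(?P<event>ike-[\w-]+)\s+(?P<desc>.+)$")
UNSUPPORTED_RE = re.compile(r"remote-side type \((?P<idtype>[^)]+)\) is not supported")


def parse_log(text):
    """Return (per-event counts, list of rejected remote ID types) for raw log text."""
    counts = Counter()
    unsupported = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IKE line, ignore
        counts[m["event"]] += 1
        u = UNSUPPORTED_RE.search(m["desc"])
        if u and u["idtype"] not in unsupported:
            unsupported.append(u["idtype"])
    return counts, unsupported


def phase2_failed_for_proxy_id(text):
    """True when every phase-2 attempt in the log died during proxy-ID processing.

    That pattern points at the peer's proposed ID, not at user limits or User-ID.
    """
    counts, _ = parse_log(text)
    starts = counts["ike-nego-p2-start"]
    bad = counts["ike-nego-p2-proxy-id-bad"]
    return starts > 0 and bad >= starts


def covering_subnets(first, last):
    """Smallest set of CIDR subnets that exactly covers the range first..last.

    Assumption: a peer that sends an IPv4_address_range can be reconfigured to
    send one of these subnets instead, which the responder does accept.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


if __name__ == "__main__":
    counts, rejected = parse_log(SAMPLE_LOG)
    print(dict(counts), rejected, phase2_failed_for_proxy_id(SAMPLE_LOG))
    print(covering_subnets("10.20.30.0", "10.20.30.255"))   # one /24
    print(covering_subnets("10.20.30.1", "10.20.30.254"))   # a "hosts only" range splits into many subnets
```

The last call shows why a client-side range like .1-.254 is awkward as a proxy ID: it cannot be expressed as a single subnet, so the cleaner fix is to have the peer propose the whole /24 (or the gateway's client pool as configured) rather than a host range.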

Hi Reaper,

Thank you for your speedy reply. The config in place is the same as the link below, except that the portal is on a different port and a private IP, NATed behind the Palo's outside interface because another device is using port 443. But that shouldn't matter, as that is only the portal web page, not the VPN traffic gateway.

Not using the GP client, just IPsec/Cisco remote VPN.


https://www.paloaltonetworks.com/documentation/Videos/gp-qc1-video.html

Hm.

Have you tried using GlobalProtect? 😉

I'm not sure about the implications when using a 3rd-party VPN client.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Please help... My Galaxy S7 isn't working with iOS 10. lol

A few things about this setup:

1) If you are forming the IPsec connection through the Palo Alto firewall, just use GlobalProtect and set up the SSL VPN.

2) Don't use an unsupported Cisco client that has known security issues that will NEVER be fixed.

3) GP is a free product and way more serviceable than IPsec connections. IPsec is great for tunnels, but not for active use on client devices trying to connect back to the office. You should really be moving away from IPsec as a whole.

Hi Brandon,

I understand what you are trying to say. The thing is, if the client wants only Cisco VPN for their users, then being an ASC we don't have much of a say other than to suggest trying the GlobalProtect client.

I try to use this forum to get suggestions, as PA is a fairly new product (compared to other vendors) and there aren't enough forums out there for many scenarios.

This kind of tongue-in-cheek humor puts me off asking questions here 🙂

Cheers

Farzana

 

@Farzana Pretty sure PA was the first purpose-built application-aware FW.

The platform has been around for some time. You "buried the lede": "I'm having this problem... Oh, by the way, I'm trying to smash two unique/competitive vendor products together and it's not working."

It's tongue-in-cheek because it's funny.

It's good to know if scenarios like this work and/or if they fail, and under what circumstances for each, but come on... You gotta be a little more thick-skinned than that.

Not to mention, as an IT professional, if you aren't going back to your client and telling them the solution they're trying to implement isn't how this should be done, you're not doing right by your customer.

Yes, you are right, Brandon.

The client uses IPsec because they connect to many client environments, so it is non-trivial for them to implement GlobalProtect.

I will check if the certificate was applied properly.

The first user can connect to the VPN easily, but when another user logs in, the first gets kicked out.

 

@Farzana Sometimes we get a little out of hand 🙂

I would just point out to the client that the legacy Cisco VPN is no longer supported and does not work properly with anything newer than Windows 7. Even if you do the legwork to get this to function, it isn't a supported function; you also run into the issue of security when using a VPN client that is no longer being updated for known security holes.

Plus, concurrent users work 100% guaranteed with GlobalProtect 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization