@TomasMedina maybe I'm not understanding what you're trying to say here:
But to me this means they're "refreshing" their VPN connection.
If their VPN is working, they can access internal resources then all of a sudden they can't access internal resources but they can access things not internal like things on the Internet. That probably means the VPN isn't connected, it got disconnected somehow. Especially if refreshing the VPN connection resolves their issue.
Have you looked at the GP client logs for the time period that internal resources aren't accessible?
@Brandon_Wertz wrote:
@TomasMedina maybe I'm not understanding what you're trying to say here:
But to me this means they're "refreshing" their VPN connection.
If their VPN is working, they can access internal resources then all of a sudden they can't access internal resources but they can access things not internal like things on the Internet. That probably means the VPN isn't connected, it got disconnected somehow. Especially if refreshing the VPN connection resolves their issue.
Have you looked at the GP client logs for the time period that internal resources aren't accessible?
Yes, we have, and yes, the source user is blank. So, I think you are right, the VPN is disconnecting somehow, but we don't know why this is happening.
TAC told us it could be because of the windows power settings, but it is not solved by increasing the idle time.
@TomasMedina wrote:
@Brandon_Wertz wrote:
@TomasMedina maybe I'm not understanding what you're trying to say here:
But to me this means they're "refreshing" their VPN connection.
If their VPN is working, they can access internal resources then all of a sudden they can't access internal resources but they can access things not internal like things on the Internet. That probably means the VPN isn't connected, it got disconnected somehow. Especially if refreshing the VPN connection resolves their issue.
Have you looked at the GP client logs for the time period that internal resources aren't accessible?
Yes, we have, and yes, the source user is blank. So, I think you are right, the VPN is disconnecting somehow, but we don't know why this is happening.
TAC told us it could be because of the windows power settings, but it is not solved by increasing the idle time.
@TomasMedina -- The source user being blank only matters if access to the internal resources have a security policy with a user requirement, is that a portion of the policy? Right now all of this is just conjecture because we need more details. You mentioned TAC, were the GP client logs collected when the users couldn't access the internal resources? Were they analyzed? Did anyone look at the GP logs from the firewall? Did it in-fact show there was a client disconnect? Or was it like @BPry mentioned it is simply because user attribution is being lost? What's the user attribution method? What's the timeout? Did anyone look at the User-ID logs on the firewall?
There are so many different possibilities for the issue and questions related to the actual thing that's going on. The first step I'd start with is GP client logs collected from the client at the time of the issue, which TAC should already be doing.
The connection to internal resources is via VPN through a policy in GP. We have deployed GP on SCM, not on the firewall. We have reviewed the logs and TAC has reviewed the evidence we have sent them, but they only give us indications that it is a problem with the power process of the endpoints when they hibernate.
Here is the lastest TAC response.
@TomasMedina wrote:
The connection to internal resources is via VPN through a policy in GP. We have deployed GP on SCM, not on the firewall. We have reviewed the logs and TAC has reviewed the evidence we have sent them, but they only give us indications that it is a problem with the power process of the endpoints when they hibernate.
Here is the lastest TAC response.
When I mentioned "Look at the GP logs on the firewall" and when you say "We have deployed GP on SCM, not on the firewall." we're both saying the same thing. You might have "deployed" the Global Protect VPN service via Strata Cloud Manager (An orchestration tool) but all that is, is a view into a virtual cloud hosted Palo Alto managed FIREWALL...it's still a firewall.
The note you've shared from Palo TAC is something similar I've extensively troubleshot within my organization. Are you using Lenovo laptops by chance? We had a lot of issues with both the wireless network adapter on Lenovo laptops having stability issues that needed driver updates to solve our "VPN problems."
What looked like a "GP problem" for us was a hardware/driver issue on the wireless network adapters across tens/hundreds of laptops. Looking through our GP logs TAC was also able to identify power adapter/sleep issues of our laptops that was interfering with the GP software functionality.
You originally mentioned that users are online working then "all of a sudden they disconnect." TAC mentioned power changes in the clients. When your clients are having issues are they stationary & connected to a docking station? Maybe try updating both the laptop firmware (drivers) as well as drivers of the docking station itself?
