We're experiencing this with Windows and OSX clients.
The user connects on Monday, tunnel times out after 24 hours.
User doesn't disconnect but lets the connection time out naturally. Immediately after time out, they receive an attempt to re-auth even though they had not instigated a new connection.
This has resulted in some locked tokens and general confusion.
How do we prevent the client from attempting to reconnect automatically after the connection naturally terminates due to the 24 hour time out session setting?
"Inactivity timer" may have been configured for 24 hours, hence after being inactive for 24 hours user is disconnected.
Or, by mistake you may have configured "Login Life Time" timer as 24 hours, which means every user will be logged out in 24 hours. Please verify these settings as mentioned bellow.
If yes, configure these values for higher number.
After logout, there might be interesting traffic which is causing re-login of global protect. If you fix above issue
Thank you for your prompt reply but that's not actually the situation:
Login Lifetime IS set for 24 hours because we don't want users to stay connected permanently by policy; we want the longest duration VPN connection to be 24 hours. We don't want ON-DEMAND to attempt a reconnect immediately after those 24 hours expire, is that not avoidable and the only answer is to give a longer login lifetime? If so, how do we ensure the maximum VPN session is 24 hours?
Inactivity Logout is currently set for 4 hours. Should that be reduced?
Inactivity logout is of no use here. Its something triggers when user is inactivity. So if user is inactive for 4 hours he will be logged off. Its of no use to have higher value than "Login Life" because after 24 hours anyways user will be logout.
In this situation there are only two solutions.
1. Configure On-Demand mode
2. Or Increase Login Life time value.
It seems you are not good with 1st option hence try 2nd option.
We are already configured for On-Demand.
The issue is that the user is immediately prompted for re-authentication after the Login Life expires.
We don't want them prompted without clicking connect.
Is that impossible to prevent?
We're on 1.2.10 - OSX and Windows. Experiencing the same issue with both operating systems.
We experienced this issue with previous versions as well.
Thank you for your help!
Could you please let me know, if you have marked the check box that says "remember me" in the GP client - if so, could you please uncheck that option and let us know the result.
A discussion thread on this forum, for your reference: Re: Global Protect Client not always prompting for credentials
I know there were some issues with on-demand till 2.2.0. Hence it would be worth try with 2.4.0. In between I will do some more analysis and get back to you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!