Global Protect time out - automatic reconnect attempt?

Reply
Highlighted
L0 Member

Global Protect time out - automatic reconnect attempt?

We're experiencing this with Windows and OSX clients.

The user connects on Monday, tunnel times out after 24 hours.

User doesn't disconnect but lets the connection time out naturally.   Immediately after time out, they receive an attempt to re-auth even though they had not instigated a new connection.

This has resulted in some locked tokens and general confusion.


How do we prevent the client from attempting to reconnect automatically after the connection naturally terminates due to the 24 hour time out session setting?

Thanks.

Highlighted
L6 Presenter

Re: Global Protect time out - automatic reconnect attempt?

Hi kk5555,

"Inactivity timer" may have been configured for 24 hours, hence after being inactive for 24 hours user is disconnected.

Or, by mistake you may have configured "Login Life Time" timer as 24 hours, which means every user will be logged out in 24 hours. Please verify these settings as mentioned bellow.

If yes, configure these values for higher number.

Global_Protect.png

After logout, there might be interesting traffic which is causing re-login of global protect. If you fix above issue

Regards,

Hardik Shah

Highlighted
L0 Member

Re: Global Protect time out - automatic reconnect attempt?

Hardik,

Thank you for your prompt reply but that's not actually the situation:

Login Lifetime IS set for 24 hours because we don't want users to stay connected permanently by policy; we want the longest duration VPN connection to be 24 hours.   We don't want ON-DEMAND to attempt a reconnect immediately after those 24 hours expire, is that not avoidable and the only answer is to give a longer login lifetime?   If so, how do we ensure the maximum VPN session is 24 hours?

Inactivity Logout is currently set for 4 hours.   Should that be reduced?

Highlighted
L6 Presenter

Re: Global Protect time out - automatic reconnect attempt?

Hi Kk555,

Inactivity logout is of no use here. Its something triggers when user is inactivity. So if user is inactive for 4 hours he will be logged off. Its of no use to have higher value than "Login Life" because after 24 hours anyways user will be logout.

In this situation there are only two solutions.

1. Configure On-Demand mode

2. Or Increase Login Life time value.

It seems you are not good with 1st option hence try 2nd option.

Regards,

Hardik Shah

Highlighted
L0 Member

Re: Global Protect time out - automatic reconnect attempt?

We are already configured for On-Demand.

The issue is that the user is immediately prompted for re-authentication after the Login Life expires.

We don't want them prompted without clicking connect.


Is that impossible to prevent?

Highlighted
L6 Presenter

Re: Global Protect time out - automatic reconnect attempt?

Hi KK555,

With on-demand mode, GP client should not re-attempt to login. What is the GP version?

Regards,

Hardik Shah

Highlighted
L0 Member

Re: Global Protect time out - automatic reconnect attempt?

Hardik,

We're on 1.2.10 - OSX and Windows.  Experiencing the same issue with both operating systems.

We experienced this issue with previous versions as well.

Thank you for your help!

Highlighted
L7 Applicator

Re: Global Protect time out - automatic reconnect attempt?

Hello KK555,

Could you please let me know, if you have marked the check box that says "remember me" in the GP client - if so, could you please uncheck that option and let us know the result.

GP-remember-me.jpg

Thanks

Highlighted
L7 Applicator

Re: Global Protect time out - automatic reconnect attempt?

A discussion thread on this forum, for your reference: Re: Global Protect Client not always prompting for credentials

Thanks

Highlighted
L6 Presenter

Re: Global Protect time out - automatic reconnect attempt?

Hello kk555,

I know there were some issues with on-demand till 2.2.0. Hence it would be worth try with 2.4.0. In between I will do some more analysis and get back to you.

Regards,

Hardik Shah

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!