Global Protect time out - automatic reconnect attempt?


L0 Member

We're experiencing this with Windows and OSX clients.

The user connects on Monday, tunnel times out after 24 hours.

User doesn't disconnect but lets the connection time out naturally.   Immediately after time out, they receive an attempt to re-auth even though they had not instigated a new connection.

This has resulted in some locked tokens and general confusion.


How do we prevent the client from attempting to reconnect automatically after the connection naturally terminates due to the 24 hour time out session setting?

Thanks.

15 REPLIES 15

L6 Presenter

Hi kk5555,

"Inactivity timer" may have been configured for 24 hours, hence after being inactive for 24 hours user is disconnected.

Or, by mistake you may have configured the "Login Life Time" timer as 24 hours, which means every user will be logged out in 24 hours. Please verify these settings as mentioned below.

If yes, configure these values for higher number.

Global_Protect.png

After logout, there might be interesting traffic which is causing re-login of global protect. If you fix above issue

Regards,

Hardik Shah

Hardik,

Thank you for your prompt reply but that's not actually the situation:

Login Lifetime IS set for 24 hours because we don't want users to stay connected permanently by policy; we want the longest duration VPN connection to be 24 hours.   We don't want ON-DEMAND to attempt a reconnect immediately after those 24 hours expire, is that not avoidable and the only answer is to give a longer login lifetime?   If so, how do we ensure the maximum VPN session is 24 hours?

Inactivity Logout is currently set for 4 hours.   Should that be reduced?

Hi Kk555,

Inactivity logout is of no use here. It's something that triggers when the user is inactive. So if the user is inactive for 4 hours, he will be logged off. It's of no use to have a higher value than "Login Life" because after 24 hours the user will be logged out anyway.

In this situation there are only two solutions.

1. Configure On-Demand mode

2. Or Increase Login Life time value.

It seems you are not good with 1st option hence try 2nd option.

Regards,

Hardik Shah

We are already configured for On-Demand.

The issue is that the user is immediately prompted for re-authentication after the Login Life expires.

We don't want them prompted without clicking connect.


Is that impossible to prevent?

Hi KK555,

With on-demand mode, GP client should not re-attempt to login. What is the GP version?

Regards,

Hardik Shah

Hardik,

We're on 1.2.10 - OSX and Windows.  Experiencing the same issue with both operating systems.

We experienced this issue with previous versions as well.

Thank you for your help!

Hello KK555,

Could you please let me know, if you have marked the check box that says "remember me" in the GP client - if so, could you please uncheck that option and let us know the result.

GP-remember-me.jpg

Thanks

A discussion thread on this forum, for your reference: Re: Global Protect Client not always prompting for credentials

Thanks

Hello kk555,

I know there were some issues with on-demand till 2.2.0. Hence it would be worth a try with 2.4.0. In between I will do some more analysis and get back to you.

Regards,

Hardik Shah

Hello kk555,

There was an issue in 2.2.0 where the client re-authenticates despite running in on-demand mode. Try in 2.4.0, let me know if it helps.

If not, I will have to do further investigation.

Regards,

Hardik Shah

Ok, I'll turn up 2.4.0 on a few test clients and see if it continues and will watch this thread for further information.


Thank you

Thanks, kk555, that's a good idea.

Ok, I have two clients on 2.0.4, one windows and one mac.

They're both still exhibiting the same problem: once the 24 hour session "times out", they attempt to reconnect and cause a re-authentication instance to occur.

So that did not fix the problem.

Hi KK555,

I am pretty sure that if the device goes to sleep/hibernate mode or if the user manually disconnects, then GP shouldn't try to reconnect in on-demand mode.

I would suggest you to open a TAC case. Because this can be expected behavior that after "Login Lifetime" it tries to reconnect.

TAC Engineer should be able to confirm the same.

Regards,

Hardik Shah

  • 9943 Views
  • 15 replies
  • 0 Likes