We're experiencing this with Windows and OSX clients.
The user connects on Monday, tunnel times out after 24 hours.
User doesn't disconnect but lets the connection time out naturally. Immediately after time out, they receive an attempt to re-auth even though they had not instigated a new connection.
This has resulted in some locked tokens and general confusion.
How do we prevent the client from attempting to reconnect automatically after the connection naturally terminates due to the 24 hour time out session setting?
"Inactivity timer" may have been configured for 24 hours, hence after being inactive for 24 hours user is disconnected.
Or, by mistake, you may have configured the "Login Life Time" timer as 24 hours, which means every user will be logged out in 24 hours. Please verify these settings as mentioned below.
If yes, configure these values to a higher number.
After logout, there might be interesting traffic which is causing re-login of GlobalProtect. If you fix above issue
Thank you for your prompt reply but that's not actually the situation:
Login Lifetime IS set for 24 hours because we don't want users to stay connected permanently by policy; we want the longest duration VPN connection to be 24 hours. We don't want ON-DEMAND to attempt a reconnect immediately after those 24 hours expire, is that not avoidable and the only answer is to give a longer login lifetime? If so, how do we ensure the maximum VPN session is 24 hours?
Inactivity Logout is currently set for 4 hours. Should that be reduced?
Inactivity logout is of no use here. It's something that triggers when the user is inactive. So if the user is inactive for 4 hours he will be logged off. It's of no use to have a higher value than "Login Life" because after 24 hours the user will be logged out anyway.
In this situation there are only two solutions.
1. Configure On-Demand mode
2. Or Increase Login Life time value.
It seems you are not good with the 1st option, hence try the 2nd option.
I am pretty sure that if the device goes to sleep/hibernate mode or if the user manually disconnects, then GP shouldn't try to reconnect in on-demand mode.
I would suggest you open a TAC case, because this can be expected behavior that after "Login Lifetime" it tries to reconnect.
TAC Engineer should be able to confirm the same.