01-26-2021 02:44 PM
I wanted to see if I can get some help with some session termination problems that I am experiencing for Global Protect users. Our remote users connect to an on-prem ERP systems through telnet, tcp/23. I recognize that this protocol has inherited performance and security problems, but unfortunately that's what we are given to work with. The bottom line is that Global Protect users get kicked off from telnet sessions constantly. Prisma Access is connected through a service connection to our on-prem Sonicwall firewall, where the ERP system lives.
To remediate these telnet issues, I have created an application override policy and attached a custom app-id with max TCP timeouts for tcp/23. This is getting applied to all Global Protect users. I have also increased the TCP timeouts in the Sonicwall firewall. However, users are getting kicked off the session while they are idle. The telnet server is designed to not kick off users for a long period of time, regardless if they're active or not.
I know that the app-id override with max TCP timeouts is working well because that same app override policy fixed the same session kick off issues that we were experiencing for some other users connecting from azure to the same on-prem ERP server.
I have collected some packet capture from the sonicwall firewall and from my computer, and every time I inspect the packets, I see that my Global Protect client is sending TCP Reset requests to the server. I also show in Cortex logs that the reason for the disconnect was client side. I am not sure as to why Global Protect would reset the telnet session all of a sudden.
I wanted to check if anyone else in community has experienced the same issue. Any thoughts would be appreciated!
01-28-2021 02:49 AM
Hi @CCullhaj ,
Have you checked the GP client logs (on debug level) at the time of disconnects ?
Just thinking out loud here ... some timed event (for example HIP check occurs every hour by default) or some other event that correlates with the disconnects that could help us further with the investigation ?
Regards,
-Kiwi.
03-26-2021 07:19 AM
Sorry for the late reply @kiwi ... the bottom line of this problem is that the sonicwall firewall needed constant attention because the policy rule that increased TCP timeouts, somehow every 2 weeks or so would become sort of inactive. Every time I increased the TCP time out on that sonicwall rule, users would stop complaining for 2 weeks and then the same story would happen over and over again.
We replaced the sonicwall with a PA firewall and I followed this guide to increase the timeout for telnet TCP/23: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/service-based-session-timeouts.html
It has been working like a charm up to now.
03-26-2021 12:27 PM
Have you checked if it is not just the global protect app timeout as the telnet is in the vpn tunnel but the VPN tunnel also has timeout?
Also I had issues because of a bad network as the global protect app checks by icmp if the gateway is reachable so check the PanGps.log logs on the client device as it was already mentioned:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPgZCAW
As you mentioned the session drop reason is tcp client rst but I always check the global counters for a source and destination just in case to confirm that it is not the firewall:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPgZCAW
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
