Global Protect Users Experiencing Telnet Disconnects

L0 Member

Global Protect Users Experiencing Telnet Disconnects

I wanted to see if I can get some help with some session termination problems that I am experiencing for Global Protect users. Our remote users connect to an on-prem ERP systems through telnet, tcp/23.  I recognize that this protocol has inherited performance and security problems, but unfortunately that's what we are given to work with.  The bottom line is that Global Protect users get kicked off from telnet sessions constantly.  Prisma Access is connected through a service connection to our on-prem Sonicwall firewall, where the ERP system lives.


To remediate these telnet issues, I have created an application override policy and attached a custom app-id with max TCP timeouts for tcp/23.  This is getting applied to all Global Protect users.  I have also increased the TCP timeouts in the Sonicwall firewall.  However, users are getting kicked off the session while they are idle.  The telnet server is designed to not kick off users for a long period of time, regardless if they're active or not.


I know that the app-id override with max TCP timeouts is working well because that same app override policy fixed the same session kick off issues that we were experiencing for some other users connecting from azure to the same on-prem ERP server.


I have collected some packet capture from the sonicwall firewall and from my computer, and every time I inspect the packets, I see that my Global Protect client is sending TCP Reset requests to the server.  I also show in Cortex logs that the reason for the disconnect was client side.  I am not sure as to why Global Protect would reset the telnet session all of a sudden.  


I wanted to check if anyone else in community has experienced the same issue.  Any thoughts would be appreciated!

Community Team Member

Hi @CCullhaj ,


Have you checked the GP client logs (on debug level) at the time of disconnects ?


Just thinking out loud here ... some timed event (for example HIP check occurs every hour by default) or some other event that correlates with the disconnects that could help us further with the investigation ?




Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!