GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Client Loses User-IP Mapping Entry after about 2 minutes

L1 Bithead

Hello all,

I use 6.1.3 ver. soft on fw and GP client 2.2.0 ver.

I establish vpn tunel (ssl) and everything is ok, I can access to internal resources, unfortunately only in 2 minutes.

After it, user-ip-mapping entry loses user:

# show user ip-user-mapping all type GP

IP                            Vsys   From    User        IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.98.11   vsys1  GP        marcin                   2591980        2591980     

Total: 1 users

!!! after about 2 minutes:

# show user ip-user-mapping all type GP

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

# I use security policy with known-user:

VPN-MG-PALO {

      from vpn-mg-palo;

      to [ dmz inside];

      source 192.168.98.0/24;

      destination any;

      source-user known-user;

      category any;

      application any;

      service any;

      hip-profiles any;

      action allow;

      tag vpn-mg-palo;

      log-start yes;

      log-end no;

      log-setting LogServer-traffic;

Thanks for your answer.

Regards,

Marcin

1 accepted solution

Accepted Solutions

Marcin

Can you check the time on the two firewalls?

View solution in original post

12 REPLIES 12

L4 Transporter

Marcin

Can you paste the output of these two commands when this issue happens? Also check on the client side to make sure the tunnel is still up:

- show user ip-user-mapping-mp all type GP

- show global-protect-gateway current-user user marcin

Amjad

L4 Transporter

Hi Marcin

I'm using same PAN OS and same GP client - but I didnt get such problems...

What kind of user-id are You using (agent/agentless)?

Witd AD or other source  of users?

What system (Windows/MAC)?

Regards

SLawek

Hi Amjad,

result of two commands are below: 

show user ip-user-mapping-mp all type GP

IP                        Vsys   From    User                             Timeout (sec)  

--------------- ------ ------- -------------------------------- ----------------

192.168.98.11   vsys1  GP      marcin                   2591989

Total: 1 users

*: WMI probe succeeded

show global-protect-gateway current-user user marcin

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

        Computer                  : lap

        Client                    : Microsoft Windows 7 Professional Service Pack 1, 64-bit

        VPN Type                  : Device Level VPN

        Mobile ID                 :

        Private IP                : 192.168.98.11

        Public IP                 : <deleted>

        ESP                       : removed

        SSL                       : exist

        Login Time                : May.04 00:19:10

        Logout/Expiration         : Jun.03 00:19:10

        TTL                       : 2591961

        Inactivity TTL            : 10761

and after about two minutes:

show user ip-user-mapping-mp all type GP

IP              Vsys   From    User                             Timeout (sec)  

--------------- ------ ------- -------------------------------- ----------------

Total: 0 users

*: WMI probe succeeded

show global-protect-gateway current-user user marcin

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

        Computer                  : lap

        Client                    : Microsoft Windows 7 Professional Service Pack 1, 64-bit

        VPN Type                  : Device Level VPN

        Mobile ID                 :

        Private IP                : 192.168.98.11

        Public IP                 : <deleted>

        ESP                       : removed

        SSL                       : exist

        Login Time                : May.04 00:19:10

        Logout/Expiration         : Jun.03 00:19:10

        TTL                       : 2591862

        Inactivity TTL            : 10662

Tunnel is sitill up on the client side (GlobalProtect/Details : Tunnel - YES, Authenticated, Uptime...0

Marcin

Hi SLawek,

I use user-id agentless, ms ad user, and Windows/Mac OS,

and I see after two minutes:

show global-protect-gateway current-user

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

        Computer                  : MacBook-Pro-marcin

        Client                    : Apple Mac OS X 10.10.2

        VPN Type                  : Device Level VPN

        Mobile ID                 :

        Private IP                : 192.168.98.10

        Public IP                 : <deleted>

        ESP                       : removed

        SSL                       : exist

        Login Time                : May.04 00:43:43

        Logout/Expiration         : Jun.03 00:43:43

        TTL                       : 2591806

        Inactivity TTL            : 10606

show user ip-user-mapping-mp all type GP

IP              Vsys   From    User                             Timeout (sec)  

--------------- ------ ------- -------------------------------- ----------------

Total: 0 users

*: WMI probe succeeded

Marcin


Marcin

Are the Portal and Gateway on the same firewall? do you have single PA or HA pair?


Amjad

Portal&Gateway are on the same firewall in HA pair.

Regards,

Marcin

Hi Marcin

show global-protect-gateway current-user

GlobalProtect Gateway: gw1 (1 users)

Tunnel Name          : gw1-N

        Domain-User Name          : \marcin

                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ why the domain name field is

Did You followed this doc How to Configure Agentless User-ID ?

Regards

Slawek

Slawek,

I don't know Smiley Sad , but I connect normally using MS AD credentials.

rgrds,

marcin

Hi

Myabe someone who is using agentless user-id could confirm that in output show global-protect-gateway current-user

should has domain name before \user, something like: Domain-User Name          : XXXXXXXXXX\marcin


another thing, please give us output from

show user ip-user-mapping all

Regards

SLawek

show user ip-user-mapping all

IP          Vsys   FromUser                         IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

<deleted> vsys1  Unknown unknown                      1          4      
10.100.128.77   vsys1  AD  sinus\user_a         1432       1432   
10.100.103.25   vsys1  AD  sinus\user_b             1250       1250    

...

...

ok, we see domain name before user but type is AD.

rgrds,

marcin

Marcin

Can you check the time on the two firewalls?

Hi Amjad,

on the second firewall (node2) time was unsynchronized, i fixed it,

and seems to me it was it.

Thank you very much for your help Smiley Happy


Regards,

Marcin

  • 1 accepted solution
  • 9643 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!