05-02-2015 03:28 AM
Hello all,
I use software version 6.1.3 on the firewall and GP client version 2.2.0.
I establish a VPN tunnel (SSL) and everything is OK, I can access internal resources, but unfortunately only for 2 minutes.
After that, the ip-user-mapping entry loses the user:
# show user ip-user-mapping all type GP
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.98.11 vsys1 GP marcin 2591980 2591980
Total: 1 users
!!! after about 2 minutes:
# show user ip-user-mapping all type GP
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
Total: 0 users
# I use a security policy with known-user:
VPN-MG-PALO {
  from vpn-mg-palo;
  to [ dmz inside];
  source 192.168.98.0/24;
  destination any;
  source-user known-user;
  category any;
  application any;
  service any;
  hip-profiles any;
  action allow;
  tag vpn-mg-palo;
  log-start yes;
  log-end no;
  log-setting LogServer-traffic;
}
Thanks for your answer.
Regards,
Marcin
05-02-2015 07:52 AM
Marcin
Can you paste the output of these two commands when this issue happens? Also check on the client side to make sure the tunnel is still up:
- show user ip-user-mapping-mp all type GP
- show global-protect-gateway current-user user marcin
Amjad
05-02-2015 09:54 AM
Hi Marcin
I'm using the same PAN-OS and the same GP client, but I didn't get such problems...
What kind of User-ID are you using (agent/agentless)?
With AD or another source of users?
What system (Windows/MAC)?
Regards
SLawek
05-03-2015 03:31 PM
Hi Amjad,
The results of the two commands are below:
show user ip-user-mapping-mp all type GP
IP Vsys From User Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
192.168.98.11 vsys1 GP marcin 2591989
Total: 1 users
*: WMI probe succeeded
show global-protect-gateway current-user user marcin
GlobalProtect Gateway: gw1 (1 users)
Tunnel Name : gw1-N
Domain-User Name : \marcin
Computer : lap
Client : Microsoft Windows 7 Professional Service Pack 1, 64-bit
VPN Type : Device Level VPN
Mobile ID :
Private IP : 192.168.98.11
Public IP : <deleted>
ESP : removed
SSL : exist
Login Time : May.04 00:19:10
Logout/Expiration : Jun.03 00:19:10
TTL : 2591961
Inactivity TTL : 10761
and after about two minutes:
show user ip-user-mapping-mp all type GP
IP Vsys From User Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
Total: 0 users
*: WMI probe succeeded
show global-protect-gateway current-user user marcin
GlobalProtect Gateway: gw1 (1 users)
Tunnel Name : gw1-N
Domain-User Name : \marcin
Computer : lap
Client : Microsoft Windows 7 Professional Service Pack 1, 64-bit
VPN Type : Device Level VPN
Mobile ID :
Private IP : 192.168.98.11
Public IP : <deleted>
ESP : removed
SSL : exist
Login Time : May.04 00:19:10
Logout/Expiration : Jun.03 00:19:10
TTL : 2591862
Inactivity TTL : 10662
Tunnel is still up on the client side (GlobalProtect/Details: Tunnel - YES, Authenticated, Uptime...)
Marcin
05-03-2015 03:52 PM
Hi SLawek,
I use agentless User-ID, an MS AD user, and Windows/Mac OS,
and I see after two minutes:
show global-protect-gateway current-user
GlobalProtect Gateway: gw1 (1 users)
Tunnel Name : gw1-N
Domain-User Name : \marcin
Computer : MacBook-Pro-marcin
Client : Apple Mac OS X 10.10.2
VPN Type : Device Level VPN
Mobile ID :
Private IP : 192.168.98.10
Public IP : <deleted>
ESP : removed
SSL : exist
Login Time : May.04 00:43:43
Logout/Expiration : Jun.03 00:43:43
TTL : 2591806
Inactivity TTL : 10606
show user ip-user-mapping-mp all type GP
IP Vsys From User Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
Total: 0 users
*: WMI probe succeeded
Marcin
05-03-2015 04:40 PM
Marcin
Are the Portal and Gateway on the same firewall? Do you have a single PA or an HA pair?
Amjad
05-03-2015 11:18 PM
Portal & Gateway are on the same firewall in an HA pair.
Regards,
Marcin
05-03-2015 11:29 PM
Hi Marcin
show global-protect-gateway current-user
GlobalProtect Gateway: gw1 (1 users)
Tunnel Name : gw1-N
Domain-User Name : \marcin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ why the domain name field is
Did you follow this doc: How to Configure Agentless User-ID?
Regards
Slawek
05-04-2015 04:33 AM
Slawek,
I don't know, but I connect normally using MS AD credentials.
rgrds,
marcin
05-04-2015 04:47 AM
Hi
Maybe someone who is using agentless User-ID could confirm that the output of show global-protect-gateway current-user
should have the domain name before \user, something like: Domain-User Name : XXXXXXXXXX\marcin
Another thing, please give us the output of
show user ip-user-mapping all
Regards
SLawek
05-04-2015 05:19 AM
show user ip-user-mapping all
IP              Vsys   From     User            IdleTimeout(s) MaxTimeout(s)
--------------- ------ -------- --------------- -------------- -------------
<deleted>       vsys1  Unknown  unknown         1              4
10.100.128.77   vsys1  AD       sinus\user_a    1432           1432
10.100.103.25   vsys1  AD       sinus\user_b    1250           1250
...
...
OK, we see the domain name before the user, but the type is AD.
rgrds,
marcin
05-06-2015 02:27 PM
Hi Amjad,
On the second firewall (node2) the time was unsynchronized, I fixed it,
and it seems to me that was it.
Thank you very much for your help
Regards,
Marcin
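A check for the symptom in this thread (tunnel still up on the gateway while the GP ip-user mapping has vanished), written as an added example and not taken from the thread or from Palo Alto: it parses constructed samples modelled on the two command outputs posted above and lists users whose tunnel shows ESP or SSL "exist" without a matching GP mapping. It assumes that with several connected users the gateway output repeats one "Tunnel Name" block per user.

```python
import re

# Constructed samples modelled on the thread's CLI output (not captured from a real firewall).
MAPPING_OUTPUT = """\
IP              Vsys   From    User     IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------- -------------- -------------
192.168.98.11   vsys1  GP      marcin   2591980        2591980
Total: 1 users
"""
GATEWAY_OUTPUT = """\
GlobalProtect Gateway: gw1 (2 users)
Tunnel Name          : gw1-N
Domain-User Name     : \\marcin
Private IP           : 192.168.98.11
ESP                  : removed
SSL                  : exist
Tunnel Name          : gw1-N
Domain-User Name     : \\user_b
Private IP           : 192.168.98.12
ESP                  : removed
SSL                  : exist
"""
MAPPING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_gp_mappings(text: str) -> dict:
    """Return {ip: user} for ip-user-mapping rows whose From column is GP."""
    rows = (MAPPING_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(4) for m in rows if m and m.group(3) == "GP"}

def parse_gateway_users(text: str) -> list:
    """One dict per tunnel block (assumption: each user's block starts with 'Tunnel Name')."""
    users, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Tunnel Name":          # start of the next user's block
            current = {}
            users.append(current)
        if current is not None:
            current[key] = value
    return users

def find_orphaned_tunnels(mapping_text: str, gateway_text: str) -> list:
    """Users whose tunnel is up (ESP or SSL 'exist') but whose GP mapping is
    missing or names a different user: the state the thread describes."""
    mappings = parse_gp_mappings(mapping_text)
    orphans = []
    for u in parse_gateway_users(gateway_text):
        up = "exist" in (u.get("ESP", ""), u.get("SSL", ""))
        ip = u.get("Private IP", "")
        user = u.get("Domain-User Name", "").split("\\")[-1]  # drop any domain prefix
        if up and mappings.get(ip) != user:
            orphans.append(f"{user}@{ip}")
    return orphans
```

Run it against outputs captured on both HA nodes; a mapping that disappears while the tunnel stays up is exactly the condition that turned out to be the unsynchronized clock on node2.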