01-18-2013 06:43 AM
Hello.
We're having problems with user mapping for GlobalProtect users.
In this case there are 2 users connected to the PA device, yet mapping isn't working for either of them (IPs and names deleted from output):
astec@fw1(active)> show global-protect-gateway current-user
GlobalProtect Gateway: vpn.xyz.si (2 users)
Tunnel Name : vpn.xyz.si-N
Domain-User Name : :user1
Computer :
Client : Microsoft Windows 7 Professional, 32-bit
Private IP :
Public IP :
ESP : exist
SSL : none
Login Time : Jan.18 14:16:52
Logout/Expiration : Jan.19 14:16:52
TTL : 82156
Inactivity TTL : 2956
Domain-User Name : :user2
Computer :
Client : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
Private IP :
Public IP :
ESP : exist
SSL : none
Login Time : Jan.18 14:32:23
Logout/Expiration : Jan.19 14:32:23
TTL : 83088
Inactivity TTL : 3949
astec@fw1(active)>
astec@fw1(active)> show user ip-user-mapping all type GP
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
Total: 0 users
astec@fw1(active)>
We have "Enable User Identification" enabled on both security zones: the one from where GP connections are originating (internet) and the one which is used for GP tunnel (vpn-clients).
Pan-OS version is 5.0.1, we're also using (agent-less) AD user mapping which is working fine.
In the above output I notice that the tunnel name is vpn.xyz.si-N while we're using tunnel interface tunnel.1 in our configuration. I can't find the vpn.xyz.si-N tunnel listed under tunnel interfaces, so I don't think it's associated with any security zone.
Can you please help us resolve this issue? Can you provide some info on where this new tunnel vpn.xyz.si-N came from?
Thanks!
Best regards,
Simon
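The comparison made by hand in the post above (gateway users versus GP entries in the User-ID mapping table), as an added example that is not part of the original thread. The sample output is constructed in the layout shown in the post with documentation-range addresses, and matching on the bare account name is an assumption.

```python
import re

# Constructed sample output in the layout shown in the post; the addresses
# are documentation-range placeholders, not values from the thread.
GATEWAY_OUT = """\
GlobalProtect Gateway: vpn.xyz.si (2 users)
Tunnel Name : vpn.xyz.si-N
Domain-User Name : :user1
Private IP : 192.0.2.10
Public IP : 198.51.100.7
Domain-User Name : :user2
Private IP : 192.0.2.11
Public IP : 198.51.100.8
"""
MAPPING_OUT = """\
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.0.2.10 vsys1 GP user1 2956 82156
Total: 1 users
"""

def short_name(user):
    # Assumption: compare on the bare account name, ignoring any domain prefix.
    return re.split(r"[:\\]", user.strip())[-1].lower()

def gateway_users(text):
    """Return [(user, private_ip)] for each user block in the gateway output."""
    users, current = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Domain-User Name":
            current = short_name(value)
        elif key == "Private IP" and current:
            users.append((current, value))
            current = None
    return users

def mapped_ips(text):
    """Return {ip: user} from the rows of the ip-user-mapping table."""
    rows = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", cols[0]):
            rows[cols[0]] = short_name(cols[3])
    return rows

def unmapped(gateway_text, mapping_text):
    """Gateway users whose tunnel IP has no matching User-ID entry."""
    mapped = mapped_ips(mapping_text)
    return [(u, ip) for u, ip in gateway_users(gateway_text) if mapped.get(ip) != u]
```

With an empty mapping table such as the "Total: 0 users" output in the post, `unmapped` returns every connected gateway user.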
01-29-2013 03:33 PM
Where you configured your GP Gateway, look there and the name for the GP Gateway is probably vpn.xyz.si-N.
In the lab here we have the following output:
admin@PA-200> show global-protect-gateway current-user
GlobalProtect Gateway: GP_2connect (0 users)
Tunnel Name : GP_2connect
Notice the Tunnel Name comes from what I've called the Gateway: Tab>>Network>>Global Protect Gateway, as shown below: