GlobalProtect user mapping not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect user mapping not working

L6 Presenter

Hello.

We're having problems with user mapping for GlobalProtect users.

In this case there are 2 users connected to PA device, yet mapping isn't working for either of them: (IPs and names deleted from output)

astec@fw1(active)> show global-protect-gateway current-user

GlobalProtect Gateway: vpn.xyz.si (2 users)

Tunnel Name          : vpn.xyz.si-N

        Domain-User Name          : :user1

        Computer                  :

        Client                    : Microsoft Windows 7 Professional, 32-bit

        Private IP                :

        Public IP                 :

        ESP                       : exist

        SSL                       : none

        Login Time                : Jan.18 14:16:52

        Logout/Expiration         : Jan.19 14:16:52

        TTL                       : 82156

        Inactivity TTL            : 2956

        Domain-User Name          : :user2

        Computer                  :

        Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit

        Private IP                :

        Public IP                 :

        ESP                       : exist

        SSL                       : none

        Login Time                : Jan.18 14:32:23

        Logout/Expiration         : Jan.19 14:32:23

        TTL                       : 83088

        Inactivity TTL            : 3949

astec@fw1(active)>

astec@fw1(active)> show user ip-user-mapping all type GP

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

astec@fw1(active)>

We have "Enable User Identification" enabled on both security zones: the one from where GP connections are originating (internet) and the one which is used for GP tunnel (vpn-clients).

Pan-OS version is 5.0.1, we're also using (agent-less) AD user mapping which is working fine.

On the above output I notice that tunnel name is vpn.xyz.si-N while we're using tunnel interface tunnel.1 in our configuration. I can't find vpn.xyz.si-N tunnel listed under tunnel interfaces so I don't think it's associated with any security zone.

Can you please help us resolving this issue? Can you provide some info where did this new tunnel vpn.xyz.si-N come from?

Thanx!

Best regards,

Simon

1 REPLY 1

L4 Transporter

Where you configured your GP Gateway, look there and the name for the GP Gateway is probably vpn.xyz.si-N

In the lab here we have the following output

admin@PA-200> show global-protect-gateway current-user

GlobalProtect Gateway: GP_2connect (0 users)

Tunnel Name          : GP_2connect

notice the Tunnel Name comes from what I've called the Gateway: Tab>>Network>>Global Protect Gateway as shown below:

GP.PNG

  • 3114 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!