04-04-2022 05:22 PM
Hi All,
I have a question regarding Pre-Logon and then on demand.
A client has reported they have setup pre-logon tunnel rename timeout to 90 secs. After the client logs in, the GP client goes into a disconnecting state and never times out. Client has to select refresh connection to resolve the issue, and then login manually.
I have tested in our lab and get the below results:
04-05-2022 12:59 PM
Hello
My understanding is that prelogin uses a machine certificate to auth to the network, to establish a connection for troubleshooting/password expirations, etc. After a person logs in, I would expect the pre-login to terminate and then the user would manually connect to the VPN. I am not in agreement that after the pre-logon expires that the user must manually connect.
I am not sure why there is a use case for manipulating the timer.. your 0 to 20 secs sounds more realistic/reasonable for the feature set that PANW created... boot a machine up... prelogin vpn created, user logs on... vpn terminates until user creates their vpn again. What is the use case for needing to change any time out settings (just want to learn/expand my knowledge. :P)
04-05-2022 01:07 PM
How long does it take for your login process to actually complete? If it's over the specified Pre-Login Tunnel Rename Timeout then I would expect to see it disconnect until the user connects. Once the user authenticates on a Windows machine the tunnel just gets renamed as long as the Tunnel Rename Timeout hasn't been met. On a macOS endpoint the tunnel is torn down and re-created with the user credentials.
Have you taken a look at the PanGPS log on the client end to see what the logs are stating the disconnect reason is? That's the first place I would take a look to see why you're entering that disconnected state.
04-05-2022 05:53 PM
@BPry OK so what I am seeing in my lab seems to be correct, as per the below:
If the tunnel rename timeout timer expires during the login process, the pre-logon tunnel is terminated and I then need to manually connect via the GP agent.
If the tunnel rename timeout timer does not expire during the login process, the pre-logon tunnel is just renamed to the logged-in user and the VPN connection stays connected.
Is that correct?
The logs show the tunnel disconnecting due to the grace period expiring (see below).
(P5124-T11096)Debug(11056): 03/31/22 12:37:37:469 CPanMSService::Disconnect(): reason is Grace period expires, do not set network discover event for on-demand mode.
(P5124-T11096)Debug(7068): 03/31/22 12:37:37:469 --Set state to Disconnected
(P5124-T11096)Dump (1020): 03/31/22 12:37:37:469 status is Disconnected
Client is saying that even though it disconnects here, they can not just go to the agent and click connect. They need to navigate to the hamburger menu and select refresh connection first and then click connect. I am not experiencing this issue in the lab.
03-14-2023 09:40 AM
Has anyone solved this issue? I have pre-logon users experiencing the same errors. The pre-logon is successful, the tunnel is established, and then there is a disconnect.
(P5132-T8412)Debug(5160): 03/14/23 08:36:19:041 Gateway, response to the hip report :
<response status="success">
<notification></notification>
</response>
(P5132-T8412)Info (5162): 03/14/23 08:36:19:041 sent HIP report to "gateway"
(P5132-T8412)Debug(5190): 03/14/23 08:36:19:041 Response status of HIP report is success, gateway
(P5132-T8412)Debug(5192): 03/14/23 08:36:19:041 Hip report returns success.
(P5132-T8412)Info (4956): 03/14/23 08:36:19:041 Got hip notification from gateway
(P5132-T8412)Debug(4964): 03/14/23 08:36:19:041 Hip notification is empty in the HIP report check response from gateway
(P5132-T8412)Debug(4977): 03/14/23 08:36:19:074 SSL is disconnected. Returns TRUE.
(P5132-T8412)Debug(1677): 03/14/23 08:36:19:074 SendHipReportToGateway returns TRUE.
(P5132-T8412)Info ( 991): 03/14/23 08:36:19:074 return without process!!!! socket=1372, os=14
(P5132-T8412)Debug(6333): 03/14/23 08:36:19:076 HipReportThread: wait for HIP report ready event.
(P5132-T7160)Debug(1134): 03/14/23 08:36:22:726 ipsec replay check failed: seq was received, replay_seq 2162, seq 2162
(P5132-T7160)Debug(1134): 03/14/23 08:36:23:728 ipsec replay check failed: seq was received, replay_seq 2198, seq 2198
(P5132-T5136)Debug( 348): 03/14/23 08:36:49:923 Received session change, event type 5, session 2
(P5132-T5136)Debug(1470): 03/14/23 08:36:49:923 Previous user count is 0
(P5132-T5136)Debug(1472): 03/14/23 08:36:49:923 First logon user.
(P5132-T5136)Debug(3641): 03/14/23 08:36:49:923 bDisabled 0, IsVPNConnected() 1, m_userName pre-logon
(P5132-T5136)Debug(3658): 03/14/23 08:36:49:923 Prelogon does not allow rename timeout
(P5132-T5136)Debug(1486): 03/14/23 08:36:49:923 First logon user not in grace period
(P5132-T5136)Debug(11057): 03/14/23 08:36:49:923 m_preUsername pre-logon
(P5132-T5136)Debug(1441): 03/14/23 08:36:49:923 m_msp->IsVPNConnected() is 1, CControlManager::GetInstance()->IsInRetry() is 0
(P5132-T5136)Debug(7095): 03/14/23 08:36:49:932 --Set state to Disconnecting...
(P5132-T5136)Info ( 991): 03/14/23 08:36:49:932 return without process!!!! socket=1372, os=14
(P5132-T5136)Info (2681): 03/14/23 08:36:49:932 Disconnect(First logon user not in grace period) called
03-14-2023 09:50 AM
I may have found my solution. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGW6CAM
I will provide an update if it worked.