I have a question regarding Pre-Logon and then on demand.
A client has reported they have setup pre-logon tunnel rename timeout to 90 secs. After the client logs in, the GP client goes into a disconnecting state and never times out. Client has to select refresh connection to resolve the issue, and then login manually.
I have tested in our lab and get the below results:
My understanding is that prelogin uses a machine certificate to auth to the network, to establish a connection for troubleshooting/password expirations, etc. After a person logs in, I would expect the pre-login to terminate and then the user would manually connect to the VPN. I am not in agreement that after the pre-logon expires that the user must manually connect.
I am not sure why there is a use case for manipulating the timer.. your 0 to 20 secs sounds more realistic/reasonable for the feature set that PANW created... boot a machine up... prelogin vpn created, user logs on... vpn terminates until user creates their vpn again. What is the use case for needing to change any time out settings (just want to learn/expand my knowledge. :P)
How long does it take for your login process to actually complete? If it's over the specified Pre-Login Tunnel Rename Timeout then I would expect to see it disconnect until the user connects. One the user authenticates on a Windows machine the tunnel just gets renamed as long as the Tunnel Rename Timeout hasn't been met. On a macOS endpoint the tunnel is torn down and re-created with the user credentials.
Have you taken a look at the PanGPS log on the client end to see what the logs are stating the disconnect reason is? That's the first place I would take a look to see why your entering that disconnected state.
@BPry OK so what I am seeing in my lab seems to be correct, as per the below:
If the tunnel rename timeout timer expires during the login process, the pre-logon tunnel is terminated and I then need to manually connect via the GP agent.
If the tunnel rename timeout timer does not expire during the login process, pre-logon tunnel is just renamed to the logged in user and the VPN connection stays connected.
Is that correct?
The logs show the tunnel disconnecting due to the grace period expiring (see below).
(P5124-T11096)Debug(11056): 03/31/22 12:37:37:469 CPanMSService::Disconnect(): reason is Grace period expires, do not set network discover event for on-demand mode.
(P5124-T11096)Debug(7068): 03/31/22 12:37:37:469 --Set state to Disconnected
(P5124-T11096)Dump (1020): 03/31/22 12:37:37:469 status is Disconnected
Client is saying that even though it disconnects here, they can not just go to the agent and click connect. They need to navigate to the hamburger menu and select refresh connection first and then click connect. I am not experiencing this issue in the lab.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!