This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Pre Logon then On Demand

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Pre Logon then On Demand

Ben-Price
L4 Transporter

‎04-04-2022 05:22 PM

Hi All,

 

I have a question regarding Pre-Logon and then on demand.

 

A client has reported they have setup pre-logon tunnel rename timeout to 90 secs. After the client logs in, the GP client goes into a disconnecting state and never times out. Client has to select refresh connection to resolve the issue, and then login manually. 

 

I have tested in our lab and get the below results:

 

When the pre-tunnel timeout is set to 90 seconds in our lab the tunnel stays connected through client login, is then renamed to user mode and stays connected, no manual login required. If I change the tunnel timeout to a value between 0 - 20 secs, the pre-logon tunnel is terminated as the user logs in and then the user has to login to GP manually.
 
I'm testing with:
 
PAN OS 9.1.11-h3 as 9.1.11 is not longer available.
 
GP 5.2.11-10
 
Client testing with: 
 
PAN OS 9.1.11
 
GP 5.2.11-10
 
What is the expected behavior here?
 
My understanding is that if I set a value between 0 - 600 secs for the pre-logon tunnel timeout, the pre logon tunnel will stay connected for that time, and once that time expires the tunnel is terminated and the client needs to login manually.
 
Any insight would be greatly appreciated. 
 
 
 
0 Likes Likes
3 REPLIES 3

SteveCantwell
Cyber Elite
Cyber Elite

‎04-05-2022 12:59 PM

Hello

My understanding is that prelogin  uses a machine certificate to auth to the network, to establish a connection for troubleshooting/password expirations, etc.   After a person logs in, I would expect the pre-login to terminate and then the user would manually connect to the VPN.   I am not in agreement that after the pre-logon expires that the user must manually connect. 

I am not sure why there is a use case for manipulating the timer.. your 0 to 20 secs sounds more realistic/reasonable for the feature set that PANW created... boot a machine up... prelogin vpn created, user logs on... vpn terminates until user creates their vpn again.  What is the use case for needing to change any time out settings (just want to learn/expand my knowledge. :P)

Help the community: Like helpful comments and mark solutions
0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎04-05-2022 01:07 PM

@Ben-Price,

How long does it take for your login process to actually complete? If it's over the specified Pre-Login Tunnel Rename Timeout then I would expect to see it disconnect until the user connects. One the user authenticates on a Windows machine the tunnel just gets renamed as long as the Tunnel Rename Timeout hasn't been met. On a macOS endpoint the tunnel is torn down and re-created with the user credentials.

 

Have you taken a look at the PanGPS log on the client end to see what the logs are stating the disconnect reason is? That's the first place I would take a look to see why your entering that disconnected state.

0 Likes Likes

Ben-Price
L4 Transporter

‎04-05-2022 05:53 PM

@BPry OK so what I am seeing in my lab seems to be correct, as per the below:

 

If the tunnel rename timeout timer expires during the login process, the pre-logon tunnel is terminated and I then need to manually connect via the GP agent. 

 

If the tunnel rename timeout timer does not expire during the login process, pre-logon tunnel is just renamed to the logged in user and the VPN connection stays connected.

 

Is that correct?

 

The logs show the tunnel disconnecting due to the grace period expiring (see below).

 

(P5124-T11096)Debug(11056): 03/31/22 12:37:37:469 CPanMSService::Disconnect(): reason is Grace period expires, do not set network discover event for on-demand mode.
(P5124-T11096)Debug(7068): 03/31/22 12:37:37:469 --Set state to Disconnected
(P5124-T11096)Dump (1020): 03/31/22 12:37:37:469 status is Disconnected

 

Client is saying that even though it disconnects here, they can not just go to the agent and click connect. They need to navigate to the hamburger menu and select refresh connection first and then click connect. I am not experiencing this issue in the lab. 

 

 

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks