problem on user time session timeout, only countdown

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

problem on user time session timeout, only countdown

L1 Bithead

Hi to all,

I'm new on PaloAlto PA-500 7.1 version.
I've searched on and I think I did not find my case.
Sorry if there is not and found it.

I have the wifi sessions (via AP aerohive) timeout all in countdown.

The users are in domain via LDAP and RADIUS.

The default time is 2700 seconds.
With CLI command 'show user ip-user-mapping ip' I can see all the information on residual time, device and user.
The initial time of 2700 seconds, run in countdown on every case.
The ip traffic does not stop or restart the timout.
The username switch to unknown.
When the time is over, the three KB cases restart session they do not work.
With the ip traffic, the state switch from 'No matching record' to 'Unknown' but the session does not work.
The only way to restart is off / on of wifi service on device.
After this, all work properly.
Is possible to refresh session timeout with ip traffic?
How can I troubleshooting?


Thanks in advance to all.

 

6 REPLIES 6

L7 Applicator

@aerspa, I wanted to let you know that you originally created this topic in the "Feedback Forum" instead of the "General Topics" area. Because of this, I have moved this discussion to allow everyone to see it.

 

Please be aware of this in the future.

 

Kind Regards,

Joe Delio

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Cyber Elite
Cyber Elite

@aerspa,

That's a tougher one since it involves a little bit more 'moving parts'. Some questions;

1) Do you have client probing enabled on these wireless devices at all?

2) Are the wireless devices domain joined or users personal machines?

3) Do your clients 'roam' between multiple APs or not really?

 

The firewall isn't going to reset the countdown on seeing traffic as it doesn't necessary mean that the same users is logged into the machine. Client probing can fix this as long as you have access to WMI on those machines. Consider moving your timeout up if you can't enable client probing, 2700 seconds means that they will only stay 'known' for 45 minutes and if the firewall can't probe to find the user then the user-id mapping is gong to be removed. I imagine that your fix is only working because it creates a log entry that your firewall can actually use.  

 

Thanks a lot Joe..

The access it does between two separate profile of use.

I have an access restricted that recognize the users via ldap and an access guest that not recognize user.

In first case I have the results of thread, in second case after 'show user ip-user-mapping ip' I don't receive any record.

1, I don't have probing enabled

2, both cases

3, yes, clients 'roam' between multiple AP...

 

Momentaneously I have increased the syslog time retain.

For computers on the domain I would really recommend probing so that the firewall can check what user is currently logged into the device, this will keep the user-id tied to the device. Some APs will actually reauth when the clients roam and you can pull the user-id from that, but it doesn't sount like your system does.

It sounds like you may want to look at Captive Portal and see if that would better suite your needs for your wireless users.

Thanks BPry,

the domain computer are not a problem.

The roaming are not possible because I have few of AP. In many location I have only one AP.

The Captive portal is not my elective solution due the complicated use with some business device.

 

I choose to increase the time at whole work day because all user renew their session daily, the availability of service is for 16 hours of day and if user move of the work seat it disconnect by renewing the session.

 

Thanks for you help and suggestions.

  • 3675 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!