User mapping - IdleTimeout and MaxTimeout architecture with GlobalProtect only (no User-ID agents)

robinheylen
L0 Member


We have a setup for up to 2,000 employees. Every employee has GlobalProtect installed, but we are not using any User-ID agent.

We have only one portal configured, for both internal and external (vpn) connections.

  • On both gateways (internal and external), we have configured the client tab with a Login Lifetime set to 7 days and the Inactivity Logout set to 2 hours.

If I run a "show user ip-user-mapping all" on the CLI, I notice that users get an initial IdleTimeout and MaxTimeout of 10800 seconds (3 hours).

Both timers (IdleTimeout and MaxTimeout) count down for approximately 1 hour to 7200 seconds and are then reset to 10800 seconds.

My questions are:

  • Where do the 10800 seconds (3 hours) come from? Where is it set? I thought it should be 2 hours (as configured on the gateway).
  • Why does it count down for 1 hour and is then reset? Where is this setting located?
  • What is the difference between IdleTimeout and MaxTimeout?
  • We notice that remote users sometimes get a strange timeout of 500000, more or less. Sometimes the 10800 seconds are used. How come? Is this a bug? (See the CLI output below; for security reasons I replaced the IPs with INT and EXT IPs and the users with someuser.)

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
x.x.EXT.IP      vsys1  GP      domain\someuser                  456822         456822
x.x.INT.IP      vsys1  GP      domain\someuser                  9801           9801
x.x.INT.IP      vsys1  GP      domain\someuser                  10749          10749
x.x.INT.IP      vsys1  GP      domain\someuser                  8055           8055
x.x.EXT.IP      vsys1  GP      domain\someuser                  9282           9282
x.x.INT.IP      vsys1  GP      domain\someuser                  8799           8799
x.x.INT.IP      vsys1  GP      domain\someuser                  7824           7824
x.x.EXT.IP      vsys1  GP      domain\someuser                  8610           8610
x.x.EXT.IP      vsys1  GP      domain\someuser                  9043           9043
x.x.EXT.IP      vsys1  GP      domain\someuser                  469428         469428
x.x.INT.IP      vsys1  GP      domain\someuser                  8891           8891
x.x.INT.IP      vsys1  GP      domain\someuser                  8608           8608
x.x.INT.IP      vsys1  GP      domain\someuser                  8140           8140
x.x.INT.IP      vsys1  GP      domain\someuser                  8759           8759
x.x.INT.IP      vsys1  GP      domain\someuser                  10732          10732
x.x.INT.IP      vsys1  GP      domain\someuser                  9247           9247
x.x.INT.IP      vsys1  GP      domain\someuser                  10234          10234
x.x.INT.IP      vsys1  GP      domain\someuser                  9770           9770
x.x.INT.IP      vsys1  GP      domain\someuser                  8891           8891
x.x.INT.IP      vsys1  GP      domain\someuser                  9861           9861
x.x.INT.IP      vsys1  GP      pre-logon                        8006           8006
x.x.INT.IP      vsys1  GP      domain\someuser                  10597          10597
x.x.INT.IP      vsys1  GP      domain\someuser                  9325           9325
x.x.EXT.IP      vsys1  GP      domain\someuser                  469583         469583
x.x.INT.IP      vsys1  GP      domain\someuser                  10778          10778
x.x.EXT.IP      vsys1  GP      domain\someuser                  470808         470808
x.x.EXT.IP      vsys1  GP      domain\someuser                  9872           9872
x.x.INT.IP      vsys1  GP      domain\someuser                  8696           8696
x.x.INT.IP      vsys1  GP      domain\someuser                  9452           9452
x.x.INT.IP      vsys1  GP      domain\someuser                  9194           9194
x.x.INT.IP      vsys1  GP      domain\someuser                  8351           8351
x.x.INT.IP      vsys1  GP      domain\someuser                  8321           8321
x.x.INT.IP      vsys1  GP      pre-logon                        10790          10790
x.x.INT.IP      vsys1  GP      domain\someuser                  8707           8707
x.x.INT.IP      vsys1  GP      domain\someuser                  9649           9649
x.x.INT.IP      vsys1  GP      domain\someuser                  9454           9454


We are using PAN-OS 5.0.6 and GlobalProtect 1.2.4.


Best regards

Ameya-Kawimandan
L5 Sessionator

3 hours is the Idle and Maximum Timeout value for a user identified by GP in the dataplane (non-configurable). This timer is refreshed when the gateway receives a HIP report check message from the client (every hour, not configurable).

2 hours is the default Inactivity Timer to age out a user if the HIP check message is not received. It is recommended to set it to 3 hrs to allow at least 2 refresh attempts for the HIP check message.

There have been code fixes in OS 4.1.10 and OS 5.0.0 for the strange timeout displayed in the absence of a Gateway License.

HTH
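To make the timer behaviour described in the reply checkable against the CLI output posted above, here is an added example (not code from the thread or from Palo Alto Networks) that parses "show user ip-user-mapping all" output and flags GP mappings whose MaxTimeout lies outside the expected 7200-10800 second window. The sample output and the user names in it are constructed; the 10800 s ceiling and the hourly HIP refresh are taken from the reply.

```python
import re

# Constructed sample of "show user ip-user-mapping all" output (not the thread's
# real data); PAN-OS prints one mapping per line, timeouts in seconds.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
203.0.113.10    vsys1  GP      domain\\alice                     456822         456822
10.0.0.21       vsys1  GP      domain\\bob                       9801           9801
10.0.0.22       vsys1  GP      pre-logon                        8006           8006
10.0.0.23       vsys1  GP      domain\\carol                     6900           6900
"""

# Timer behaviour as stated in the reply: GP-learned mappings start at 10800 s and
# are refreshed by the hourly HIP report, so a live entry should read 7200..10800 s.
GP_MAX_TIMEOUT = 10800
GP_REFRESH_INTERVAL = 3600

# ip, vsys, from, user, idle, max; the header and dashed separator do not match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_mappings(text):
    """Parse each mapping row of the CLI output into a dict with integer timeouts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, vsys, src, user, idle, maxt = m.groups()
        rows.append({"ip": ip, "vsys": vsys, "from": src, "user": user,
                     "idle": int(idle), "max": int(maxt)})
    return rows


def classify(row):
    """Label one mapping against the expected GP timer window."""
    if row["user"] == "pre-logon":
        return "pre-logon"   # machine tunnel, no user identified yet
    if row["max"] > GP_MAX_TIMEOUT:
        return "anomalous"   # above the fixed 3 h ceiling: the symptom reported above
    if row["max"] < GP_MAX_TIMEOUT - GP_REFRESH_INTERVAL:
        return "stale"       # below 7200 s: at least one hourly HIP refresh was missed
    return "healthy"


def audit(text):
    """Map (ip, user) to its label for every GP-sourced row in the CLI output."""
    return {(r["ip"], r["user"]): classify(r)
            for r in parse_mappings(text) if r["from"] == "GP"}
```

Paste the real command output into audit() and open a case (as the reply suggests) for any entry labelled anomalous.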

robinheylen
L0 Member

Thanks for the info, Nadir!

Regarding the strange timeouts displayed, we have the Gateway Licence installed.

So it seems that the bug is still not fixed in 5.0.6?!

Best regards,

Robin

Ameya-Kawimandan
L5 Sessionator

Please open a support case to report this issue.

As a workaround, I think resubmission of the host profile should correct the timeout being displayed.
