Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

L1 Bithead

We run a Solarwinds script to count panGPGWUtilizationActiveTunnels from each of our active gateways (2 different firewalls).  Currently we have 900 Global Protect clients installed, but there are 1,355 active tunnels due to the fact that we use Always-On with a Login Lifetime of 5 days.  Essentially, if a user connects to gateway A, then disconnects for any reason, and then connects to gateway B, the first connection on gateway A remains for 5 days and is in essence, double counted in the Solarwinds report.  Is anyone else having this issue??  It seems that the portal would be smart enough to know that there was a session at gateway A and send the user back there....or better yet, Palo Alto and all it's sophistication, could give me a reliable count as to how many actual active users are connected to my firewalls.

 

Any ideas would be appreciated.

1 accepted solution

Accepted Solutions

@mwunder , hi. No problem...  

i’m not sure i can give the exact reasons behind the settings but yes they are within the area of gateway agent connection settings.

 

i use...

 

login lifetime 12 hours

inactivity timeout 2 hours

disconnect on idle 180 minutes

 

we do have gateway license that covers HIP but even the login lifetime of 12 hours will make your stats more accurate.

 

not sure why it would be set to 5 days,  ...   perhaps ok for a branch office but do your users never sleep...

 

the help file is not much use...

 

 

 

 

 

 

View solution in original post

4 REPLIES 4

L7 Applicator

We did have a similar issue with PRTG monitoring and with over 5k users this also gave ridiculous connection stats...  we just reduced the gateway idle timeout to 2 hours as we do not need to know the exact number of connections, just approx for monitoring. 

 

There are many calls logged regarding duplicate user connections and am pretty sure someone has it as a feature release somewhere...

 

HTH.

 

Mick.

Thanks for the response Mick.  Are you talking about the Gateway > Agent > Connection Settings > Inactivity Logout?  If so, are you using HIP checks with the GlobalProtect Gateway license?  I believe I messed with this setting but since I'm not using HIP checks, All clients were getting disconnected after 12 hours (I believe that's what I set it to at the time).  If you're not using the GP Gateway license and HIP checks, maybe this is a direction for me to start looking.

 

Thanks for the lead!

@mwunder , hi. No problem...  

i’m not sure i can give the exact reasons behind the settings but yes they are within the area of gateway agent connection settings.

 

i use...

 

login lifetime 12 hours

inactivity timeout 2 hours

disconnect on idle 180 minutes

 

we do have gateway license that covers HIP but even the login lifetime of 12 hours will make your stats more accurate.

 

not sure why it would be set to 5 days,  ...   perhaps ok for a branch office but do your users never sleep...

 

the help file is not much use...

 

 

 

 

 

 

@Mick_Ball 

 

New to Always-On I guess.  The management decision was made to allow the user to remain connected for forever, thus the settings being so long.  I am going to bump down to 14 hours and 2 hours.  The inactivity timer means nothing when the connect method is Always-On, so I'm not going to touch that one.

 

Thanks again for leading me down the path.  I forgot that I had turned off HIP check when I noticed that it was booting active sessions, but what I missed at the time was that I was blocking those sessions as seen here: https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-err-http2-inadequate-transport-se...

 

 

  • 1 accepted solution
  • 4595 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!