06-01-2020 07:20 PM
We run a Solarwinds script to count panGPGWUtilizationActiveTunnels from each of our active gateways (2 different firewalls). Currently we have 900 Global Protect clients installed, but there are 1,355 active tunnels due to the fact that we use Always-On with a Login Lifetime of 5 days. Essentially, if a user connects to gateway A, then disconnects for any reason, and then connects to gateway B, the first connection on gateway A remains for 5 days and is, in essence, double counted in the Solarwinds report. Is anyone else having this issue? It seems that the portal would be smart enough to know that there was a session at gateway A and send the user back there... or better yet, Palo Alto, and all its sophistication, could give me a reliable count as to how many actual active users are connected to my firewalls.
Any ideas would be appreciated.
06-03-2020 01:08 AM
We did have a similar issue with PRTG monitoring and with over 5k users this also gave ridiculous connection stats... we just reduced the gateway idle timeout to 2 hours as we do not need to know the exact number of connections, just approx for monitoring.
There are many calls logged regarding duplicate user connections and am pretty sure someone has it as a feature release somewhere...
HTH.
Mick.
06-03-2020 07:41 AM
Thanks for the response, Mick. Are you talking about the Gateway > Agent > Connection Settings > Inactivity Logout? If so, are you using HIP checks with the GlobalProtect Gateway license? I believe I messed with this setting, but since I'm not using HIP checks, all clients were getting disconnected after 12 hours (I believe that's what I set it to at the time). If you're not using the GP Gateway license and HIP checks, maybe this is a direction for me to start looking.
Thanks for the lead!
06-03-2020 01:33 PM
@mwunder, hi. No problem...
I’m not sure I can give the exact reasons behind the settings, but yes, they are within the area of gateway agent connection settings.
I use...
login lifetime 12 hours
inactivity timeout 2 hours
disconnect on idle 180 minutes
We do have a gateway license that covers HIP, but even the login lifetime of 12 hours will make your stats more accurate.
Not sure why it would be set to 5 days... perhaps OK for a branch office, but do your users never sleep...
The help file is not much use...
06-04-2020 11:22 AM
New to Always-On, I guess. The management decision was made to allow the user to remain connected forever, thus the settings being so long. I am going to bump down to 14 hours and 2 hours. The inactivity timer means nothing when the connect method is Always-On, so I'm not going to touch that one.
Thanks again for leading me down the path. I forgot that I had turned off HIP check when I noticed that it was booting active sessions, but what I missed at the time was that I was blocking those sessions as seen here: https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-err-http2-inadequate-transport-se...