Global Protect VPN disconnects on Windows while active

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect VPN disconnects on Windows while active

L1 Bithead

We are having an issue where Global Protect VPN on Windows 10 is disconnecting after 4 hours while it is still active.  We have the inactivity logout set to 4 hours.  Our Macs aren't having any issues.  The HIP log on both the mac and windows machines shows the check running successfully every hour.  We have ruled out sophos, windows defender, and crowdstrike as possibly blocking it. 

6 REPLIES 6

L2 Linker

Hi Jdoherty1103,

 

We are experiencing the same thing and it does appear that this setting is somehow involved in our situation.

What we're also seeing is succesful HIP Checks in PANGPS log.

We assume that the HIP check is performed properly (based on the events in the PanGPS log), but somehow with the 'wrong firewall/gateway'.

According to the description of the inactivity logout value, it is triggered by not receiving HIP checks within the given amount of time.

Next to that we also witnessed keepalive timeouts happening at the inactivity logout value.

We suspect this happens because of the inactivity logout threshold is triggered. The gateway thinks it did not receive HIP checks, starts sending keepalives.

Now this is a point where we don't fully understand what's happening. When the gateway does send a keepalive according to the capture, nothing comes back. Regardless of the suggestion that the HIPS check would indeed be sent to the other firewall. Why would any client not reply to a mere keepalive (once every 10secondes, for 50 seconds).

 

Are you using an active/active firewall setup?

If you'd change the inactivity logout value to 10-12 hours as a workaround for not having disconnects until the root cause/solution is found.

 

Currently we have a case open with TAC

L0 Member

I have several remote users that we have recently hired on to our company. We use the Palo Alto GlobalProtect VPN client for remote users. We do not have any SSO set up so everything is Windows Credential based krogerfeedback

@KlaverbladIf you could let me know what TAC comes up with, it would be greatly appreciated.

Its confirmed to be a bug:

To be fixed in: PAN-151458 (A/A GP Gateway Inactivity Logout timer not Recognizing HIP and Disconnecting).

This fix is not yet implemented nor will it be in 9.1.5. So we'll have to wait for at least 9.1.6.

 

In the meantime the workaround is to set the inactivity logout long enough so nobody will get disconnected because of this.

Typical workday = 9hours including brakes. So 10-11hrs ?

@KlaverbladThank you for the information!

L2 Linker

Hi Sarah,

 

The fix has been implemented in 9.1.7

  • 7144 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!