02-20-2025 01:51 PM
We are working on a deployment of CyberArk for identity management. At this point our problems are not with integrating it for authentication with the Palo. Our problem is that the connectors for CyberArk in our datacenter are dropping connections when our Admins are using the RDP sessions.
CyberArk gave us some docs re: creating an application override which did not solve the problem. The disconnects are not at specific time intervals that we can discern. Sometimes they drop at 10 minutes, sometimes at 35, sometimes longer than an hour. Peculiar notes from the logs show that more than 75% of the TCP sessions going to our CyberArk vault are "Aging-Out" instead of closing properly.
My next step I guess is to grab some pcaps and see if I can see what's going on at the TCP level.
Anyone ever seen something like this before? I can't possibly be the only one with CyberArk running through a Palo.
02-21-2025 10:47 AM
Check if those sessions that end with "aged-out" are actually TCP sessions.
RDP uses both TCP and UDP port 3389 and it is expected for UDP to end with session end reason aged-out.
CyberArk uses both protocols to connect to backend devices.
03-04-2025 08:20 AM
Yup, TCP and still aging out. The RDP happens inside an encrypted tunnel that connectors on-prem maintain.
03-05-2025 08:21 AM
I would take a packet capture as the next step to see what happens during the session drop.