Which IP is Used for User-IP Mapping when Internal GlobalProtect is Configured and Multiple NIC Cards are Enabled?

Created On 09/25/18 19:48 PM - Last Modified 05/05/20 22:15 PM


Symptom
When Internal GlobalProtect is configured, there is no tunnel created. By design, GlobalProtect reports only one client IP when sending hip report to a non-tunnel gateway. This means the user mapping will map only one IP when multiple NICs are enabled at the same time, and that will be the IP through which traffic reaches the gateway. The GlobalProtect Client will look at the available route metric values and always select the route with the lowest metric for sending GlobalProtect Client events to the GlobalProtect Gateway.

Environment
  • PAN-OS
  • GlobalProtect


Resolution

For example, a PC client has two NIC cards:

  • Physical NIC with IP 192.168.0.21
  • WiFi with IP 192.168.0.19

 

In the following example, the user is connected to the internal GlobalProtect gateway through WiFi (IP=192.168.0.19):

The default route in the PC route table is as follows:

C:\Users\test>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination     Netmask      Gateway         Interface         Metric
          0.0.0.0       0.0.0.0      192.168.0.2     192.168.0.19      25


The GlobalProtect users listing on the firewall shows that the user is connected with 192.168.0.19 and the user-IP mapping for the user "test" also shows 192.168.0.19:

> show global-protect-gateway current-user

GlobalProtect Gateway: GP_ext (0 users)
Tunnel Name          : GP_ext-N

GlobalProtect Gateway: GP_gateway (1 users)
Tunnel Name          : GP_gateway
        Domain-User Name          : :test
        Computer                  : EVERYDAYLAPTOP
        Client                    :
        Private IP                : 0.0.0.0
        Public IP                 : 192.168.0.19
        ESP                       : none
        SSL                       : none
        Login Time                : Sep.17 21:28:41
        Logout/Expiration         : Oct.17 21:28:41
        TTL                       : 2591896
        Inactivity TTL            : 10696


> show user ip-user-mapping all

IP              Vsys    From     User                       IdleTimeout(s)  MaxTimeout(s)
-------------   ------  -------  -------------------------  --------------  -------------
192.168.0.19    vsys1   GP       test                       10692           10692
Total: 1 users


The following messages are seen in sslvpn-access.log:

> tail follow yes webserver-log sslvpn-access.log

192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 552
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 519


However, if the user connects through the second NIC with a physical cable, the following messages are seen in sslvpn-access.log:

> tail follow yes webserver-log sslvpn-access.log

192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/logout.esp? HTTP/1.1" 200 603
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.21 - - [Tue Sep 17 21:36:41 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 551


The above output shows a logout event, followed by a login event sent by 192.168.0.21. This is because the default route with the lower metric in the PC route table now uses the interface 192.168.0.21:

C:\Users\test>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway          Interface         Metric
          0.0.0.0          0.0.0.0          192.168.0.2      192.168.0.19      25
          0.0.0.0          0.0.0.0          192.168.0.2      192.168.0.21      10


Immediately afterwards, the GlobalProtect current-user listing on the firewall shows the user's IP as 192.168.0.21:

> show global-protect-gateway current-user

GlobalProtect Gateway: GP_ext (0 users)
Tunnel Name          : GP_ext-N

GlobalProtect Gateway: GP_gateway (1 users)
Tunnel Name          : GP_gateway
        Domain-User Name          : :test
        Computer                  : EVERYDAYLAPTOP
        Client                    :
        Private IP                : 0.0.0.0
        Public IP                 : 192.168.0.21
        ESP                       : none
        SSL                       : none
        Login Time                : Sep.17 21:38:41
        Logout/Expiration         : Oct.17 21:38:41
        TTL                       : 2591896
        Inactivity TTL            : 10696


The user-IP mapping for the user "test" also shows 192.168.0.21:

> show user ip-user-mapping all

IP            Vsys      From      User                  IdleTimeout(s)     MaxTimeout(s)
------------  --------  -------   --------------------  --------------      -------------
192.168.0.21  vsys1     GP        test                  10592                 10592
Total: 1 users


If the WiFi adapter is now disabled or disconnected, sslvpn-access.log shows that the logout event is still sent from IP 192.168.0.21, because the route table still selects the lower-metric route on that interface. This again triggers a refresh of the user-IP mapping and of the current GlobalProtect user entry; since the IP is unchanged, the values stay the same and the output is identical:

> tail follow yes webserver-log sslvpn-access.log

192.168.0.21 - - [Tue Sep 17 21:38:37 2013 PDT] "POST /ssl-vpn/logout.esp? HTTP/1.1" 200 603
192.168.0.21 - - [Tue Sep 17 21:38:40 2013 PDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
192.168.0.21 - - [Tue Sep 17 21:38:41 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.21 - - [Tue Sep 17 21:38:41 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 551


C:\Users\test>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination   Netmask     Gateway        Interface        Metric
         0.0.0.0      0.0.0.0     192.168.0.2    192.168.0.21     10


> show global-protect-gateway current-user

GlobalProtect Gateway: GP_ext (0 users)
Tunnel Name          : GP_ext-N

GlobalProtect Gateway: GP_gateway (1 users)
Tunnel Name          : GP_gateway
        Domain-User Name          : :test
        Computer                  : EVERYDAYLAPTOP
        Client                    :
        Private IP                : 0.0.0.0
        Public IP                 : 192.168.0.21
        ESP                       : none
        SSL                       : none
        Login Time                : Sep.17 21:58:41
        Logout/Expiration         : Oct.17 21:58:41
        TTL                       : 2591896
        Inactivity TTL            : 10696


> show user ip-user-mapping all

IP             Vsys    From    User                 IdleTimeout(s) MaxTimeout(s)
------------   ------  ------  -------------------  -------------- -------------
192.168.0.21   vsys1   GP      test                 10392          10392
Total: 1 users
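The rule behind all of the outputs above is simple: the client sources its events from the interface of the lowest-metric default route, so that is the IP the gateway reports and User-ID maps. The following script is an added example, not part of this article or of any Palo Alto Networks product. It applies that rule to a `route print` excerpt to predict the reported IP, flags login events in sslvpn-access.log that arrive from a different source IP than the previous login (the signature of the client re-registering over another NIC), and checks the prediction against `show user ip-user-mapping all`. All sample text is constructed to mirror the outputs shown above, and the regular expressions assume those column layouts.

```python
"""Added example, not part of the Palo Alto Networks article or its products.

Predicts which client IP an internal (non-tunnel) GlobalProtect gateway will
see, by applying the rule from the article: the client sends its events over
the default route with the lowest metric.  It then checks that prediction
against the source IP in sslvpn-access.log and the firewall's
'show user ip-user-mapping all' output.  All sample text is constructed to
mirror the article's outputs; the regexes assume those column layouts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed 'route print' excerpt: WiFi default route (metric 25) and a
# wired default route (metric 10), as in the article's second scenario.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway          Interface         Metric
          0.0.0.0          0.0.0.0          192.168.0.2      192.168.0.19      25
          0.0.0.0          0.0.0.0          192.168.0.2      192.168.0.21      10
"""

# Constructed sslvpn-access.log lines: first login over WiFi, then a
# logout/login pair arriving from the wired NIC.
SSLVPN_ACCESS_LOG = """\
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 519
192.168.0.21 - - [Tue Sep 17 21:38:37 2013 PDT] "POST /ssl-vpn/logout.esp? HTTP/1.1" 200 603
192.168.0.21 - - [Tue Sep 17 21:38:41 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.21 - - [Tue Sep 17 21:38:41 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 551
"""

# Constructed 'show user ip-user-mapping all' output after the switch.
IP_USER_MAPPING = """\
IP            Vsys      From      User                  IdleTimeout(s)     MaxTimeout(s)
------------  --------  -------   --------------------  --------------      -------------
192.168.0.21  vsys1     GP        test                  10592                 10592
Total: 1 users
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# One 'route print' data row: destination, netmask, gateway, interface IP, metric.
ROUTE_RE = re.compile(
    rf"^\s*(?P<dest>{IPV4})\s+(?P<mask>{IPV4})\s+(?P<gw>\S+)\s+(?P<iface>{IPV4})\s+(?P<metric>\d+)\s*$"
)
# One sslvpn-access.log line in the Apache-style format shown in the article.
LOG_RE = re.compile(
    rf'^(?P<ip>{IPV4}) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{{3}}) \d+$'
)
# One data row of 'show user ip-user-mapping all'.
MAP_RE = re.compile(
    rf"^(?P<ip>{IPV4})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+\d+\s+\d+\s*$"
)


def parse_default_routes(route_print: str) -> List[Tuple[str, int]]:
    """Return (interface IP, metric) for each 0.0.0.0/0.0.0.0 route."""
    routes = []
    for line in route_print.splitlines():
        m = ROUTE_RE.match(line)
        if m and m["dest"] == "0.0.0.0" and m["mask"] == "0.0.0.0":
            routes.append((m["iface"], int(m["metric"])))
    return routes


def expected_client_ip(route_print: str) -> Optional[str]:
    """Interface IP of the lowest-metric default route: the address the
    GlobalProtect client sources its events from, hence the one the gateway
    reports and User-ID maps.  None when no default route is present."""
    routes = parse_default_routes(route_print)
    return min(routes, key=lambda r: r[1])[0] if routes else None


def login_ip_changes(log_text: str) -> List[Tuple[str, str]]:
    """(old_ip, new_ip) for every successful login.esp whose source IP differs
    from the previous successful login: the client re-registered over another
    NIC, which moves the user-IP mapping."""
    changes: List[Tuple[str, str]] = []
    last = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not m["path"].startswith("/ssl-vpn/login.esp"):
            continue
        if last is not None and m["ip"] != last:
            changes.append((last, m["ip"]))
        last = m["ip"]
    return changes


def parse_ip_user_mapping(text: str) -> Dict[str, str]:
    """Map user -> IP from 'show user ip-user-mapping all' output."""
    return {m["user"]: m["ip"] for m in map(MAP_RE.match, text.splitlines()) if m}


def mapping_matches_route(user: str, route_print: str, mapping_text: str) -> bool:
    """True when User-ID holds the user on the IP the route table predicts."""
    return parse_ip_user_mapping(mapping_text).get(user) == expected_client_ip(route_print)


if __name__ == "__main__":
    print("predicted client IP:", expected_client_ip(ROUTE_PRINT))
    print("login IP changes   :", login_ip_changes(SSLVPN_ACCESS_LOG))
    print("mapping consistent :", mapping_matches_route("test", ROUTE_PRINT, IP_USER_MAPPING))
```

Running it against the constructed samples predicts 192.168.0.21, reports one change from 192.168.0.19 to 192.168.0.21, and confirms the mapping is consistent. In practice the same three checks, fed with real `route print`, sslvpn-access.log and `show user ip-user-mapping` output, are a quick way to explain why a multi-NIC host shows up under an unexpected IP in User-ID-based policy.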

 



Additional Information

Also see the following docs on configuration of GlobalProtect:

 

owner: mbutt


