Palo Alto Networks Knowledgebase: Idle Timer does not Refresh for Captive Portal Users when there are Active Sessions

Idle Timer does not Refresh for Captive Portal Users when there are Active Sessions

4076
Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:41 PM
User-ID
Resolution

Issue

Captive Portal timeout settings were adjusted so that the firewall is not populated for prolonged periods of time with stale mappings. Both the Idle Timer & the Expiration timers were set to 60 seconds (default Idle = 15 minutes / default Expiration = 60 minutes) with the assumption that if sessions are active, the idle timer would not decrement keeping valid sessions alive.

Regardless of what measures are taken to assure active connections/keep-alive, sessions last only 60 seconds resulting in active sessions/applications to break, requiring manual refreshing.

Resolution

Even if those sessions are active, the idle timeout as well as the expiration (i.e., Max. Timeout (s)) are both configured for 60 seconds.

> show user ip-user-mapping

IP Ident. By User Idle Timeout (s) Max. Timeout (s)

--------------- --------- -------------------------------- ---------------- ----------------

10.30.14.82 CP bryan 60 60

Total: 1 users

The Max Timeout will override the idle timeout when both are triggered simultaneously. The max session duration will be terminated at exactly 1 minute regardless of attempting to extend via traffic generation and/or keep-alives.

A solution would be to change the Expiration to a value greater than the idle timeout, keeping in mind that once this value is reached, session will terminate regardless of whether there are valid sessions/traffic or not.

In summary, Max. Timeout is the max timeout value that keeps track of how long the session has been active. Once expired, the session will be terminated regardless of whether sessions are active or not, forcing to re-authenticate manually or via session cookie.

Screenshot of settings with default values below:

user-id2.JPG

owner: bryan



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clw5CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language