Sending HIP check reports to the firewall fails, and GlobalProtect disconnects due to inactivity

Created On 04/12/19 03:02 AM - Last Modified 04/27/20 18:21 PM


Symptom
  • GP users are disconnected because they are not sending a HIP report to the firewall, so the inactivity timer kicks in.
  • The user is logged out with Reason: user session expired.


 


Environment
  • Firewall
  • URL-Filtering
  • GlobalProtect


Cause
The inactivity logout timer applies to users when the gateway does not receive a HIP check from the GP app.
This is configured under Network -> GlobalProtect -> Gateway -> Agent -> Timeout settings.

The client HIP report may be blocked if URL filtering is applied to the outside-to-outside allow rule.
This can be seen in the URL filtering logs, where some hipreportcheck URLs are blocked as unknown; the URL is <GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp.


The GP client logs show that the HIP report check failed:
 
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<
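
One way to pull these failures out of a collected GP client log, as an added example (not Palo Alto Networks code). It parses the line layout seen in the three lines above and flags each "Send hip report check failed" entry that follows a SendNReceive() failure on the same thread. Assumptions: the date field is month/day/year, the 2-second correlation window is arbitrary, and the last two sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the quoted lines:
# (T<thread>) <date> <time:ms> <Level>(<source line>): <message>
LINE_RE = re.compile(
    r"^\(T(?P<tid>\d+)\)\s+(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+"
    r"(?P<level>\w+)\s*\(\s*\d+\):\s*(?P<msg>.*)$"
)
HIP_FAIL = "Send hip report check failed"
TRANSPORT_FAIL = "SendNReceive() failed"

def parse_line(line):
    """Split one client log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: the date field is month/day/year.
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
    return {"tid": m["tid"], "ts": ts, "level": m["level"], "msg": m["msg"]}

def find_hip_failures(lines, window=timedelta(seconds=2)):
    """List HIP check failures; flag those preceded, on the same thread and
    within `window`, by a SendNReceive() failure."""
    last_transport = {}  # thread id -> time of the last SendNReceive() failure
    failures = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unrecognised lines are skipped, not treated as errors
        if TRANSPORT_FAIL in rec["msg"]:
            last_transport[rec["tid"]] = rec["ts"]
        elif HIP_FAIL in rec["msg"]:
            prev = last_transport.get(rec["tid"])
            near = prev is not None and rec["ts"] - prev <= window
            failures.append({"ts": rec["ts"], "tid": rec["tid"], "transport_error": near})
    return failures

# First three lines are quoted from the article; the last two are constructed.
SAMPLE = """\
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<
unparseable continuation text
(T2040) 10/04/19 10:09:41:120 Debug(4136): Send hip report check failed <<<<
"""

if __name__ == "__main__":
    for f in find_hip_failures(SAMPLE.splitlines()):
        print(f["ts"].isoformat(), "thread", f["tid"], "transport_error =", f["transport_error"])
```

Running the same function on a log collected after the URL filtering change shows whether the failures have stopped.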


 


Resolution
Solution 1:
  • Create a new custom URL category and add the GlobalProtect-gateway IP address or the complete URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp" to it.
  • In the URL filtering profile that is referenced in the security rule, change the action for this new category to alert.
Solution 2:
  • Instead of the above steps, add the gateway IP address or the URL to the allowed-list in the URL filtering profile.
This way the URL should be allowed to go through and the HIP report will be submitted.
Once the HIP report is submitted, the inactivity timer will not kick in.

