Sending HIP check report to firewall fails and Global Protect disconnects due to inactivity
43735
Created On 04/12/19 03:02 AM - Last Modified 12/19/23 23:00 PM
Symptom
- GlobalProtect users are disconnected because their HIP report is not reaching the firewall, so the inactivity timer kicks in.
- The user is logged out with the reason "user session expired".
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- URL-Filtering
- Global Protect
Cause
- The inactivity logout timer applies to a user when the gateway does not receive a HIP check from the GlobalProtect app.
- It is configured in the GUI under Network > GlobalProtect > Gateway > Agent > Timeout Settings.
- The client's HIP report can be blocked when a URL Filtering profile is applied to the outside-to-outside allow rule.
- This shows up in the URL Filtering logs, where requests to <GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp are blocked with the category "unknown".
- The GlobalProtect client logs show the HIP report check failing:
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<
Resolution
Solution 1:
- Create a new custom URL category and add the GlobalProtect gateway IP address or the complete URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp" to it.
- In the URL Filtering profile referenced by the security rule, set the action for this new category to alert.
- Alternatively, instead of the two steps above, add the gateway IP address or the URL to the allow list of the URL Filtering profile.
- Either way the URL is allowed through and the HIP report is submitted.
- Once the HIP report is submitted, the inactivity timer no longer kicks in.
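The following added example (not part of the article or of PAN-OS) ties the cause and the resolution together: it confirms the HIP check failure in the client log lines quoted above, finds the blocked hipreportcheck.esp requests in a URL Filtering log export, lists the exact URL strings to place in the custom URL category, and shows the per-rule action so you can verify that the category now reports alert instead of block after the change. The CSV column layout and the sample rows are constructed for this example and are not the real PAN-OS export schema.

```python
import csv
import io
import re
from collections import Counter

# Constructed, simplified URL Filtering log export used as sample input; the
# column layout is an assumption for this example, not the PAN-OS export schema.
SAMPLE_URL_LOG = """\
time,src,dst,rule,category,url,action
2019/10/04 10:04:39,198.51.100.23,203.0.113.10,outside-to-outside,unknown,203.0.113.10/ssl-vpn/hipreportcheck.esp,block-url
2019/10/04 10:04:40,198.51.100.24,203.0.113.10,outside-to-outside,unknown,203.0.113.10/ssl-vpn/hipreportcheck.esp,block-url
2019/10/04 10:05:02,198.51.100.23,93.184.216.34,allow-web,computer-and-internet-info,example.com/,alert
2019/10/04 10:07:15,198.51.100.25,203.0.113.10,outside-to-outside,GP-HIP-Check,203.0.113.10/ssl-vpn/hipreportcheck.esp,alert
"""

# GlobalProtect client log lines as quoted in the article.
SAMPLE_GP_CLIENT_LOG = [
    "(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify",
    "(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.",
    "(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<",
]

# The HIP report check URL is <gateway>/ssl-vpn/hipreportcheck.esp.
HIP_URL_RE = re.compile(r"^(?P<gateway>[^/]+)/ssl-vpn/hipreportcheck\.esp$")

def parse_url_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def client_reports_hip_failure(lines):
    """True when the GP client log shows the HIP report check failing."""
    return any("Send hip report check failed" in line for line in lines)

def blocked_hip_checks(rows):
    """Rows where a HIP report check to a gateway was blocked by URL Filtering."""
    return [r for r in rows
            if HIP_URL_RE.match(r["url"]) and r["action"].startswith("block")]

def urls_for_custom_category(rows):
    """Exact URL strings (one per gateway) to add to the custom URL category."""
    return sorted({r["url"] for r in blocked_hip_checks(rows)})

def hip_check_actions(rows):
    """(rule, category, action) counts for HIP check URLs; after the fix the
    category should be the custom one and the action alert, never block."""
    return Counter((r["rule"], r["category"], r["action"])
                   for r in rows if HIP_URL_RE.match(r["url"]))
```

Run it against a real URL Filtering export (after mapping the column names) to confirm the blocked category/action before the change and the alert action afterwards.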