Sending HIP check reports to the firewall fails, and GlobalProtect disconnects due to inactivity
Created On 04/12/19 03:02 AM - Last Modified 04/27/20 18:21 PM
- GlobalProtect users are disconnected because their HIP reports are not reaching the firewall, so the inactivity timer kicks in.
- The user is logged out with the reason "user session expired".
- GlobalProtect
The inactivity logout timer applies to a user when the gateway does not receive a HIP check from the GlobalProtect app.
It is configured under Network > GlobalProtect > Gateway > Agent > Timeout settings.
The client's HIP report may be blocked if a URL filtering profile is applied to the outside-to-outside allow rule.
This is visible in the URL Filtering logs, where requests to <GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp are blocked with the category unknown.
The GlobalProtect client logs show that the HIP report check failed:
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<
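The following Python script is an added example, not part of this article and not a Palo Alto Networks tool. It shows how to confirm this cause from the two logs mentioned above: it parses the GlobalProtect client log excerpt (in the format shown) for the "Send hip report check failed" event, and scans URL filtering records for blocked requests to /ssl-vpn/hipreportcheck.esp. The URL filtering records are constructed and simplified (not the full PAN-OS log field set), and the gateway IP 203.0.113.10, the client IP and the rule names are assumed values.

```python
import re

# Constructed GlobalProtect client log excerpt, in the format shown in this article.
GP_CLIENT_LOG = """\
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<
(T1884) 10/04/19 10:09:39:712 Info (4309): HIP report check succeeded
"""

# Constructed, simplified URL filtering records (assumed field order, not the
# full PAN-OS CSV layout): time, source IP, destination IP, rule, category, URL, action.
# 203.0.113.10 stands in for <GP-GATEWAY-IP>; rule names are assumed.
URL_FILTERING_LOG = """\
2019/10/04 10:04:39,10.1.2.3,203.0.113.10,outside-to-outside,unknown,203.0.113.10/ssl-vpn/hipreportcheck.esp,block-url
2019/10/04 10:04:40,10.1.2.3,198.51.100.7,outbound-web,computer-and-internet-info,example.com/,alert
2019/10/04 10:09:39,10.1.2.3,203.0.113.10,outside-to-outside,gp-hip-check,203.0.113.10/ssl-vpn/hipreportcheck.esp,alert
"""

# "(T1884) 10/04/19 10:04:39:709 Info (4309): message" -> thread, timestamp, level, code, message
GP_LINE = re.compile(r"^\((T\d+)\) (\S+ \S+) (\w+)\s*\((\d+)\): (.*)$")
HIP_FAIL_MARKER = "Send hip report check failed"
HIP_URL_PATH = "/ssl-vpn/hipreportcheck.esp"
URL_FIELDS = ["time", "src", "dst", "rule", "category", "url", "action"]


def parse_gp_log(text):
    """Parse GlobalProtect client log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = GP_LINE.match(line)
        if m:
            thread, ts, level, code, msg = m.groups()
            events.append({"thread": thread, "time": ts, "level": level,
                           "code": int(code), "message": msg})
    return events


def hip_check_failures(text):
    """Return the timestamps of every failed HIP report check in the client log."""
    return [e["time"] for e in parse_gp_log(text) if HIP_FAIL_MARKER in e["message"]]


def parse_url_log(text):
    """Parse the simplified comma-separated URL filtering records."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) == len(URL_FIELDS):
            records.append(dict(zip(URL_FIELDS, parts)))
    return records


def blocked_hip_checks(text):
    """Return URL filtering records where a HIP report check request was blocked."""
    return [r for r in parse_url_log(text)
            if r["url"].endswith(HIP_URL_PATH) and r["action"].startswith("block")]


def diagnose(gp_log, url_log):
    """Correlate client-side HIP failures with firewall-side URL filtering blocks."""
    failures = hip_check_failures(gp_log)
    blocked = blocked_hip_checks(url_log)
    result = {
        "client_failures": len(failures),
        "blocked_by_url_filtering": len(blocked),
        "blocking_categories": sorted({r["category"] for r in blocked}),
        "blocking_rules": sorted({r["rule"] for r in blocked}),
    }
    if failures and blocked:
        # Both sides agree: the HIP check is being dropped by URL filtering on the
        # rule(s) listed, so the gateway never sees the report and the timer fires.
        result["likely_cause"] = "url-filtering"
    elif failures:
        result["likely_cause"] = "client-side-or-other"
    else:
        result["likely_cause"] = "none"
    return result


if __name__ == "__main__":
    for key, value in diagnose(GP_CLIENT_LOG, URL_FILTERING_LOG).items():
        print(f"{key}: {value}")
```

On real data, point the script at an exported PanGPS.log and a URL filtering log export; the field order in URL_FIELDS would need to be adjusted to the actual export columns.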
- Create a new custom URL category and add the GlobalProtect gateway IP address or the complete URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp" to it.
- In the URL filtering profile referenced by the security rule, set the action for this new category to alert.
- Alternatively, instead of the two steps above, add the gateway IP address or the URL to the allow list of the URL filtering profile.
Once the HIP report is submitted successfully, the inactivity timer will no longer kick in.