RDP connection to a remote host connected to GlobalProtect kills the tunnel session

Created On 04/24/24 20:37 PM - Last Modified 04/11/25 18:30 PM


Symptom


  • RDP is established to a host on which the GlobalProtect tunnel is connected.
  • The moment the RDP session is established, GlobalProtect prompts the new user to reauthenticate.
  • If reauthentication does not happen, the GlobalProtect tunnel is disconnected on the host.


Environment


  • GlobalProtect (GP) App
  • Supported GP versions
  • RDP to a host with GP App connected


Cause


  • The new user has failed to authenticate on the RDP host's GP tunnel.
  • When a user RDPs to a host where a GP tunnel is already established, the GP App treats that user as a new user and prompts for reauthentication.
  • If the new user does not authenticate to GP within the time configured under User Switch Tunnel Rename Timeout, the tunnel is dropped.


Resolution


This is expected behavior.

  1. Set the "User Switch Tunnel Rename Timeout" value above 0 in the "GlobalProtect Portal" settings, based on the required security level.
  2. To prevent the new user from accessing potentially confidential resources of the original user, set an appropriate timeout value so that the tunnel disconnects as soon as possible if reauthentication does not occur.
  3. Once reauthentication succeeds, the gateway renames the tunnel to the new user.
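The following is an added illustration of the behaviour the steps above describe; it is a model written for this page, not GlobalProtect code. The user names, timings and the meaning of a 0-second timeout (assumed here to drop the tunnel immediately) are assumptions, and the result it reports is the window during which the new user could use the original user's tunnel without having authenticated.

```python
"""Model of GlobalProtect's User Switch Tunnel Rename Timeout behaviour.

Added example, not GlobalProtect or Palo Alto Networks code. It reproduces
the KB article's description: on a user switch (such as an RDP logon to a host
with an established tunnel) the new user is prompted to reauthenticate; if that
does not happen within the configured timeout the tunnel is dropped, and if it
does the gateway renames the tunnel to the new user.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SwitchOutcome:
    connected: bool   # is the tunnel still up after the switch is resolved
    user: str         # user the gateway attributes the tunnel to afterwards
    exposure_s: int   # seconds the new user had the old user's tunnel unauthenticated
    note: str         # what happened, for the reader


def user_switch(original_user: str, new_user: str, rename_timeout_s: int,
                reauth_at_s: Optional[int], reauth_ok: bool = True) -> SwitchOutcome:
    """Resolve one user switch on an established tunnel.

    rename_timeout_s: configured User Switch Tunnel Rename Timeout, in seconds.
    reauth_at_s:      seconds after the switch at which the new user completes
                      the GlobalProtect prompt, or None if they never do.
    reauth_ok:        whether that authentication succeeds.
    """
    if rename_timeout_s < 0:
        raise ValueError("timeout must be >= 0 seconds")

    if rename_timeout_s == 0:
        # Assumption: a 0-second timeout means no grace window at all, so the
        # tunnel is dropped the moment the switch is detected.
        return SwitchOutcome(False, original_user, 0,
                             "timeout 0: tunnel dropped immediately on user switch")

    if reauth_at_s is None or reauth_at_s > rename_timeout_s:
        # No reauthentication inside the window: the gateway drops the tunnel
        # when the timeout expires. The exposure equals the full timeout.
        return SwitchOutcome(False, original_user, rename_timeout_s,
                             "no reauthentication within timeout: tunnel dropped")

    if not reauth_ok:
        # Assumption: a failed reauthentication ends the tunnel at that point.
        return SwitchOutcome(False, original_user, reauth_at_s,
                             "reauthentication failed: tunnel dropped")

    # Successful reauthentication: the gateway renames the tunnel to the new
    # user, so the old user's tunnel is no longer in use by someone else.
    return SwitchOutcome(True, new_user, reauth_at_s,
                         "reauthentication succeeded: tunnel renamed to new user")


if __name__ == "__main__":
    # Constructed scenarios: an RDP logon by "bob" onto a host where "alice"
    # has a tunnel, under different timeout settings.
    for timeout, reauth_at in ((0, 5), (60, 15), (60, None), (30, 45)):
        out = user_switch("alice", "bob", timeout, reauth_at)
        print(f"timeout={timeout:>3}s reauth_at={str(reauth_at):>4} -> "
              f"connected={out.connected} user={out.user} "
              f"exposure={out.exposure_s}s ({out.note})")
```

Running the scenarios shows the trade-off the resolution describes: a longer timeout gives a legitimate second user time to answer the prompt and keep the tunnel, but it is also the maximum time an unauthenticated user on the host can ride the original user's tunnel, which is why the article recommends keeping the value as small as the environment allows.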


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Of7CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail