HIP check failures cause GlobalProtect tunnel to disconnect after 3 hours

HIP check failures cause GlobalProtect tunnel to disconnect after 3 hours

Created On 09/01/20 19:57 PM - Last Modified 04/23/24 00:11 AM


GlobalProtect users get disconnected after 3 hours though they are actively working from their workstations.


  • Palo Alto Networks Firewall configured with the following: Security Policy, URL Filtering Profile
  • GlobalProtect app


  • GlobalProtect user mapping timeout is hard-coded to 3 hours.
  • HIP checks are performed every hour and they are initiated by the GlobalProtect app.
  • So when 3 consecutive HIP checks fail (after 3 hours), the gateway disconnects the tunnel.


  1. You can whitelist the gateway URL by creating a custom URL category and adding the URL to it. This category should be set to either allow or alert action on the URL filtering profile.
  2. Add following URL's to allow the traffic:
    • gateway-IP/ssl-vpn/hipreport.esp
    • gateway-IP/ssl-vpn/hipreportcheck.esp
  3. This will ensure that HIP checks, which occur every hour, will reset the GlobalProtect user mapping to 3 hours once gateway receives it and firewall gets the updated HIP report as well (if any changes are present against the old HIP report).
Snapshot of Custom URL category dialog box
Snapshot of the URL Filtering Profile dialog box

Additional Information

  • When users successfully login to GlobalProtect, their user mapping shows with Login Lifetime timeout value. It changes to 3 hours (which is hard-coded) after few seconds. We can view them under Monitor > User-ID logs as shown below:
Snapshot of User-ID log
  • In many cases, an explicit security policy is configured for GlobalProtect gateway connection and a URL filtering profile is associated with this policy as shown below:
Snapshots of the Security Policy GUI
Snapshot of URL Filtering GUI
  • GlobalProtect users start experiencing disconnects after 3 hours. As per URL filtering logs on the firewall, the gateway URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp" was being blocked as shown below:
User-added image
Snapshot of Detailed Log View Dialog Box
  • This was because the URL category "unknown" was set to block in the URL filtering profile and the gateway URL matches to this category. This can also be verified on PanGPS.log as shown below:
P 866-T12663 Jan 28 12:38:19:653061 Debug(5028): using https to send hip report check to gateway x.x.x.x
P 866-T12663 Jan 28 12:38:19:653067 Debug(5070): Network discover SN 92 remains same.
P 866-T12663 Jan 28 12:38:19:653153 Debug( 779): SSL connecting to x.x.x.x
P 866-T12663 Jan 28 12:38:19:746013 Debug(4407): SSL verify succeed
P 866-T12663 Jan 28 12:38:19:834616 Error(4698): HTTP 200 OK not received: HTTP/1.1 503 Service Unavailable    <<<<<<
Content-Type: text/html; charset=UTF-8
Content-Length: 978
Connection: close
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="initial-scale=1.0">
  #content {
    border:3px solid#aaa;
  h1 {
  b {
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>   <<<<<<<<
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> x.x.x.x </p>
<p><b>URL:</b> x.x.x.x/ssl-vpn/hipreportcheck.esp </p>      <<<<<<<<<<
<p><b>Category:</b> unknown </p>   <<<<<<<
P 866-T12663 Jan 28 12:38:19:834710 Debug(1322): OpenSSL alert write:warning:close notify
P 866-T12663 Jan 28 12:38:19:834948 Info (5073): SendNReceive() failed.
P 866-T12663 Jan 28 12:38:19:834964 Debug(4875): Send hip report check failed     <<<<<<<<

  • Print
  • Copy Link


Choose Language