GlobalProtect users losing network access some minutes after being connected


Created On 01/02/25 16:36 PM - Last Modified 09/22/25 17:35 PM


Symptom


  • GlobalProtect (GP) users experience intermittent connectivity issues for 2-3 minutes after tunnel establishment.
  • New connections cannot be established, even though the GlobalProtect connection status remains 'Connected'. 
  • Existing HTTPS, HTTP, and RDP connections may continue to work.
  • For example, once the user is connected to GlobalProtect, an ip-user mapping with GP as the source is created on the firewall:

show ip-user-mapping

  • When the same user logs in to an application with a different account on the same machine (such as shared network files over SMB), the GP ip-user mapping is overwritten with the new username received via Agentless User-ID on the firewall:

show user-ip-mapping overwritten

  • Even while GP is still connected, users can lose access to network resources because of the mismatch between the security policy and User-ID. For instance, user1 is not included in the same security policy as user12:

Security policy



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect App


Cause


The ip-user mappings become inconsistent because they are received from multiple sources (GlobalProtect and User-ID Agent/Agentless User-ID).
 


Resolution


    Add the GP IP pools to the excluded networks in the User Identification settings.

    GUI: Device > User Identification > User Mapping > Include/Exclude Networks
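The following added example (not part of the original article and not Palo Alto Networks code) is a simplified model of the overwrite described under Symptom and of the effect of excluding the GP pool. The pool `10.10.50.0/24`, the addresses, `user3`, and the `AGENTLESS` source label are constructed for illustration; the model assumes the most recent mapping for an IP replaces the previous one.

```python
import ipaddress

# Constructed sample data: pool, addresses and events are illustrative only.
GP_POOLS = [ipaddress.ip_network("10.10.50.0/24")]  # hypothetical GP IP pool

EVENTS = [  # (ip, user, source) in arrival order; source labels are constructed
    ("10.10.50.7", "user1", "GP"),          # tunnel established
    ("10.10.50.7", "user12", "AGENTLESS"),  # SMB logon with a different account
    ("10.20.1.15", "user3", "AGENTLESS"),   # host outside the GP pool
]


def in_networks(ip, networks):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def build_mappings(events, exclude_networks=()):
    """Model the mapping table: the latest mapping for an IP wins, except that
    non-GP sources are ignored for IPs inside exclude_networks."""
    table = {}
    for ip, user, source in events:
        if source != "GP" and in_networks(ip, exclude_networks):
            continue  # User-ID mapping skipped for excluded networks
        table[ip] = (user, source)
    return table


def overwritten_gp_users(events, gp_pools):
    """Return (ip, gp_user, new_user, source) for each GP-pool IP whose GP
    mapping was later replaced by a different user from another source."""
    gp_user, hits = {}, []
    for ip, user, source in events:
        if source == "GP":
            gp_user[ip] = user
        elif ip in gp_user and in_networks(ip, gp_pools) and user != gp_user[ip]:
            hits.append((ip, gp_user[ip], user, source))
    return hits


if __name__ == "__main__":
    print("without exclude:", build_mappings(EVENTS))
    print("overwrites:", overwritten_gp_users(EVENTS, GP_POOLS))
    print("with GP pool excluded:", build_mappings(EVENTS, exclude_networks=GP_POOLS))
```

With the pool excluded, the GP address keeps its `user1` mapping while the address outside the pool is still mapped by the other source.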



    Additional Information


    Similar article: Issue with ip-user-mapping in mixed environments of GlobalProtect and user-ID agents.

     


