Why does GlobalProtect logout users connected to the VPN from an RDP station at the time of the RDP connection loss?

17542
Created On 01/25/23 13:26 PM - Last Modified 01/25/23 14:25 PM


Environment


  • GlobalProtect client running on a Windows Remote Desktop machine.
  • Users connecting to the RDP environment to establish GlobalProtect connections from there.

 


Answer


  • By default there is no grace period: when the RDP connection to the session is lost, the GlobalProtect tunnel is torn down and the user is logged out from the gateway at that moment, so reconnecting to the RDP session means connecting to GlobalProtect again.
  • Windows does not influence this behavior. The setting lives in the portal agent configuration, which is where you give users more time to reconnect to their RDP session without losing the GlobalProtect connection.
  • The configuration item that controls this behavior is "User Switch Tunnel Rename Timeout (sec)" on the portal's Agent > App tab. See the admin guide link in the "Additional Information" section below for details.
  • The two scenarios below show the GlobalProtect service (PanGPS) log events after the user disconnects from the RDP session while the GlobalProtect VPN session remains connected. In the first scenario the user reconnects within the timeout and keeps the VPN connection; in the second the timeout expires first and the user is logged out from the gateway.
 
  1. The User Switch Tunnel Rename Timeout (sec) is set to 90 seconds and the user reconnects within that window, so the VPN connection is kept.

    // GP receives a Windows session-change notification: event type 4 is WTS_REMOTE_DISCONNECT, i.e. the RDP client
    // disconnected from Windows session 2 (the session stays logged on, only the remote connection is gone)
    (P3096-T3100)Debug( 348): 12/09/22 08:24:02:000 Received session change, event type 4, session 2
    (P3096-T3100)Info (1571): 12/09/22 08:24:02:374 lock off session 2
    (P3096-T4272)Info ( 531): 12/09/22 08:24:02:562 msgtype = switch-off

    // GP records the time of the disconnect and arms the grace period, during which the user can reconnect
    // to the RDP session without having to connect to GP again
    (P3096-T4272)Debug(3785): 12/09/22 08:24:02:562 Now is 1670570642, last user login time is 1670570642
    (P3096-T4272)Debug(3789): 12/09/22 08:24:02:562 tDelta is 0, grace period is 90
    (P3096-T4272)Debug(10827): 12/09/22 08:24:02:562 Start grace period monitor thread

    // GP creates and starts the thread that watches the grace period (RdpGracePeriodMonitorThread)
    (P3096-T4272)Debug( 25): 12/09/22 08:24:02:562 create thread 0x83c with thread ID 8432
    (P3096-T8432)Info (10841): 12/09/22 08:24:02:562 Start CPanMSService::RdpGracePeriodMonitorThread
    (P3096-T8432)Debug(10844): 12/09/22 08:24:02:562 RdpGracePeriodMonitorThread starts

    // the user reconnects to the RDP session (event type 3 is WTS_REMOTE_CONNECT)
    (P3096-T3100)Debug( 348): 12/09/22 08:25:17:335 Received session change, event type 3, session 2

    // GP checks whether the user reconnected within the grace period: tDelta = now - last user login time
    (P3096-T4272)Debug(3785): 12/09/22 08:25:18:515 Now is 1670570718, last user login time is 1670570642
    (P3096-T4272)Debug(3789): 12/09/22 08:25:18:515 tDelta is 76, grace period is 90 // 76 seconds is within the 90-second grace period, so the tunnel is kept
    (P3096-T4272)Debug(2961): 12/09/22 08:25:18:515 Send grace period count down message to PanGPA
    (P3096-T4272)Debug(1969): 12/09/22 08:25:18:515 Send response to client for request switch-on-rename-grace-period.
 
 
  2. The User Switch Tunnel Rename Timeout (sec) is set to 60 seconds and the user does not reconnect in time, so the tunnel is disconnected and the user is logged out from the gateway.

    // GP goes through the same routine as above; the difference is that the monitor thread fires 60 seconds after the disconnect
    (P3096-T4272)Debug(3789): 12/08/22 22:00:03:127 tDelta is 0, grace period is 60
    (P3096-T9060)Debug(10872): 12/08/22 22:01:03:139 Grace period expires
    (P3096-T9060)Debug(10874): 12/08/22 22:01:03:139 Disconnect tunnel because grace period expires.
    (P3096-T9060)Debug(7237): 12/08/22 22:01:03:139 --Set state to Disconnecting...
    (P3096-T9060)Debug( 853): 12/08/22 22:01:03:139 vpn disconnect
    (P3096-T9060)Debug(1574): 12/08/22 22:01:03:249 Disconnect virtual interface
    (P3096-T9060)Debug( 692): 12/08/22 22:01:03:687 DisconnectVPN called
    (P3096-T9060)Debug(3452): 12/08/22 22:01:03:687 set driver connected as false
    (P3096-T9060)Info (2303): 12/08/22 22:01:03:687 logout: ----user detail info-----
    (P3096-T9060)Debug(2385): 12/08/22 22:01:03:718 Logged out gateway gateway.domain.com
 
 
If you run a packet capture on the RDP station during the test and do not reconnect within the grace period, Wireshark will report that the capture interface (the GlobalProtect virtual adapter) disappeared. This corresponds to the "Disconnect virtual interface" log entry.
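When troubleshooting this on a terminal server it helps to replay the PanGPS log and let a script decide which of the two scenarios a given RDP disconnect ended in. The following is an added example, not Palo Alto Networks code: it parses the log line shape shown above, tracks the disconnect (event type 4) and reconnect (event type 3) notifications for the session, picks up the "tDelta is N, grace period is M" check, and flags whether the grace period expired and the gateway logged the user out. The sample lines are constructed from the excerpts in this article; the first line of the second scenario is a constructed disconnect notification, since the article's excerpt starts at the tDelta line. The event-type constants are the standard Windows WM_WTSSESSION_CHANGE codes.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Shape of a GlobalProtect service (PanGPS) log line as shown in the article:
#   (P<pid>-T<tid>)<Level>(<src>): MM/DD/YY HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"^\(P(?P<pid>\d+)-T(?P<tid>\d+)\)(?P<level>\w+)\s*\(\s*(?P<src>\d+)\): "
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d):\d{3} (?P<msg>.*)$"
)
SESSION_RE = re.compile(r"Received session change, event type (\d+), session (\d+)")
TDELTA_RE = re.compile(r"tDelta is (\d+), grace period is (\d+)")
LOGOUT_RE = re.compile(r"Logged out gateway (\S+)")

# Standard Windows WM_WTSSESSION_CHANGE codes; this is the "event type" in the log
WTS_REMOTE_CONNECT = 3
WTS_REMOTE_DISCONNECT = 4


@dataclass
class GraceResult:
    session_id: Optional[int] = None
    grace_period: Optional[int] = None      # seconds, i.e. the portal timeout setting
    disconnect_at: Optional[datetime] = None
    reconnect_at: Optional[datetime] = None
    tdelta: Optional[int] = None            # last tDelta GP computed (now - last user login time)
    expired: bool = False
    logged_out_gateway: Optional[str] = None

    @property
    def tunnel_kept(self) -> bool:
        """True when the user came back before the grace period ran out."""
        return (self.reconnect_at is not None
                and not self.expired
                and self.logged_out_gateway is None)

    @property
    def wall_clock_gap(self) -> Optional[int]:
        # seconds between the disconnect and reconnect notifications, to cross-check tDelta
        if self.disconnect_at is None or self.reconnect_at is None:
            return None
        return int((self.reconnect_at - self.disconnect_at).total_seconds())


def analyze(lines: Iterable[str]) -> GraceResult:
    """Replay one RDP disconnect/reconnect episode from PanGPS log lines."""
    r = GraceResult()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank, comment or unrelated text
        ts, msg = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"), m["msg"]
        s = SESSION_RE.search(msg)
        if s:
            event, session = int(s.group(1)), int(s.group(2))
            if event == WTS_REMOTE_DISCONNECT:
                r.session_id, r.disconnect_at = session, ts
            elif event == WTS_REMOTE_CONNECT and session == r.session_id:
                r.reconnect_at = ts
            continue
        t = TDELTA_RE.search(msg)
        if t:                             # GP's own check; the last value is the one taken on reconnect
            r.tdelta, r.grace_period = int(t.group(1)), int(t.group(2))
            continue
        if "Grace period expires" in msg:
            r.expired = True
            continue
        g = LOGOUT_RE.search(msg)
        if g:
            r.logged_out_gateway = g.group(1)
    return r


# Constructed sample input, taken from the article's excerpt with comments removed
SCENARIO_1 = """
(P3096-T3100)Debug( 348): 12/09/22 08:24:02:000 Received session change, event type 4, session 2
(P3096-T3100)Info (1571): 12/09/22 08:24:02:374 lock off session 2
(P3096-T4272)Debug(3785): 12/09/22 08:24:02:562 Now is 1670570642, last user login time is 1670570642
(P3096-T4272)Debug(3789): 12/09/22 08:24:02:562 tDelta is 0, grace period is 90
(P3096-T8432)Info (10841): 12/09/22 08:24:02:562 Start CPanMSService::RdpGracePeriodMonitorThread
(P3096-T3100)Debug( 348): 12/09/22 08:25:17:335 Received session change, event type 3, session 2
(P3096-T4272)Debug(3785): 12/09/22 08:25:18:515 Now is 1670570718, last user login time is 1670570642
(P3096-T4272)Debug(3789): 12/09/22 08:25:18:515 tDelta is 76, grace period is 90
(P3096-T4272)Debug(1969): 12/09/22 08:25:18:515 Send response to client for request switch-on-rename-grace-period.
""".strip().splitlines()

# Constructed sample input; the first line is a constructed disconnect notification (not in the excerpt)
SCENARIO_2 = """
(P3096-T3100)Debug( 348): 12/08/22 22:00:03:000 Received session change, event type 4, session 2
(P3096-T4272)Debug(3789): 12/08/22 22:00:03:127 tDelta is 0, grace period is 60
(P3096-T9060)Debug(10872): 12/08/22 22:01:03:139 Grace period expires
(P3096-T9060)Debug(1574): 12/08/22 22:01:03:249 Disconnect virtual interface
(P3096-T9060)Debug(2385): 12/08/22 22:01:03:718 Logged out gateway gateway.domain.com
""".strip().splitlines()

if __name__ == "__main__":
    for name, lines in (("90 s timeout", SCENARIO_1), ("60 s timeout", SCENARIO_2)):
        r = analyze(lines)
        verdict = "tunnel kept" if r.tunnel_kept else "logged out from gateway"
        print(f"{name}: tDelta={r.tdelta} grace={r.grace_period} gap={r.wall_clock_gap}s -> {verdict}")
```

Point it at a real PanGPS.log (one episode at a time) to confirm which timeout the client actually received from the portal; if the "grace period is" value is still 0 after you changed the portal setting, the agent has not refreshed its configuration yet. The wall-clock gap between the two session-change lines will normally be a second or so shorter than tDelta, because GP computes tDelta slightly after the reconnect notification arrives.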


 


Additional Information


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-app-tab


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGW6CAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail