HIP check failures cause GlobalProtect tunnel to disconnect after 3 hours
Symptom
GlobalProtect users get disconnected after 3 hours though they are actively working from their workstations.
Environment
- Palo Alto Networks Firewall configured with the following: Security Policy, URL Filtering Profile
- GlobalProtect app
Cause
- GlobalProtect user mapping timeout is hard-coded to 3 hours.
- HIP checks are performed every hour and they are initiated by the GlobalProtect app.
- So when 3 consecutive HIP checks fail (after 3 hours), the gateway disconnects the tunnel.
Resolution
- You can whitelist the gateway URL by creating a custom URL category and adding the URL to it. This category should be set to either allow or alert action on the URL filtering profile.
-
Add following URL's to allow the traffic:
-
gateway-IP/ssl-vpn/hipreport.esp -
gateway-IP/ssl-vpn/hipreportcheck.esp
-
- This will ensure that HIP checks, which occur every hour, will reset the GlobalProtect user mapping to 3 hours once gateway receives it and firewall gets the updated HIP report as well (if any changes are present against the old HIP report).
Additional Information
- When users successfully login to GlobalProtect, their user mapping shows with Login Lifetime timeout value. It changes to 3 hours (which is hard-coded) after few seconds. We can view them under Monitor > User-ID logs as shown below:
- In many cases, an explicit security policy is configured for GlobalProtect gateway connection and a URL filtering profile is associated with this policy as shown below:
- GlobalProtect users start experiencing disconnects after 3 hours. As per URL filtering logs on the firewall, the gateway URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp" was being blocked as shown below:
- This was because the URL category "unknown" was set to block in the URL filtering profile and the gateway URL matches to this category. This can also be verified on PanGPS.log as shown below:
P 866-T12663 Jan 28 12:38:19:653061 Debug(5028): using https to send hip report check to gateway x.x.x.x
P 866-T12663 Jan 28 12:38:19:653067 Debug(5070): Network discover SN 92 remains same.
P 866-T12663 Jan 28 12:38:19:653153 Debug( 779): SSL connecting to x.x.x.x
P 866-T12663 Jan 28 12:38:19:746013 Debug(4407): SSL verify succeed
P 866-T12663 Jan 28 12:38:19:834616 Error(4698): HTTP 200 OK not received: HTTP/1.1 503 Service Unavailable <<<<<<
Content-Type: text/html; charset=UTF-8
Content-Length: 978
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
<html>
<head>
<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border:3px solid#aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<<<<<<<<
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> x.x.x.x </p>
<p><b>URL:</b> x.x.x.x/ssl-vpn/hipreportcheck.esp </p>
<<<<<<<<<<
<p><b>Category:</b> unknown </p>
<<<<<<<
</div>
</body>
</html>
P 866-T12663 Jan 28 12:38:19:834710 Debug(1322): OpenSSL alert write:warning:close notify
P 866-T12663 Jan 28 12:38:19:834948 Info (5073): SendNReceive() failed.
P 866-T12663 Jan 28 12:38:19:834964 Debug(4875): Send hip report check failed <<<<<<<<
P 866-T12663 Jan 28 12:38:19:653067 Debug(5070): Network discover SN 92 remains same.
P 866-T12663 Jan 28 12:38:19:653153 Debug( 779): SSL connecting to x.x.x.x
P 866-T12663 Jan 28 12:38:19:746013 Debug(4407): SSL verify succeed
P 866-T12663 Jan 28 12:38:19:834616 Error(4698): HTTP 200 OK not received: HTTP/1.1 503 Service Unavailable <<<<<<
Content-Type: text/html; charset=UTF-8
Content-Length: 978
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
<html>
<head>
<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border:3px solid#aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<<<<<<<<
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> x.x.x.x </p>
<p><b>URL:</b> x.x.x.x/ssl-vpn/hipreportcheck.esp </p>
<<<<<<<<<<
<p><b>Category:</b> unknown </p>
<<<<<<<
</div>
</body>
</html>
P 866-T12663 Jan 28 12:38:19:834710 Debug(1322): OpenSSL alert write:warning:close notify
P 866-T12663 Jan 28 12:38:19:834948 Info (5073): SendNReceive() failed.
P 866-T12663 Jan 28 12:38:19:834964 Debug(4875): Send hip report check failed <<<<<<<<