Resilient VPN Connection

Software support: GlobalProtect agent 4.0.3 and later releases and PAN-OS with content release 731 or a later release
OS support: Android, iOS, Windows, Mac
To improve the resiliency of the GlobalProtect connection, GlobalProtect agents can now automatically try to resurrect the tunnel when the connection is lost due to network instability or endpoint state changes. Examples of scenarios where the endpoint can disconnect from the network include locking and unlocking an endpoint, putting an endpoint to sleep and waking it back up, switching between wireless networks, and switching from a wired network to a wireless network. By enabling GlobalProtect to resurrect the tunnel in these common scenarios, you can reduce the effort required by the user to maintain the connection thus ensuring consistent enforcement of security policies.
resilient-vpn-logic.png
With resilient VPN, the GlobalProtect agent can resurrect the tunnel to previously-connected manual or auto-discovery gateways. If the GlobalProtect agent successfully resurrects the tunnel, the user is not required to authenticate again. If the GlobalProtect agent cannot resurrect the tunnel, the GlobalProtect agent disconnects the tunnel and reverts to the behavior of the connect method you define in your GlobalProtect portal agent configuration:
  • On-demand—If the GlobalProtect agent cannot resurrect the tunnel, the agent does not try to connect again until the user initiates the connection. The GlobalProtect portal and gateway will then require the user to authenticate.
  • User-logon (Always On) or Pre-logon (Always On)—If the GlobalProtect agent cannot resurrect the tunnel, the agent starts the network discovery process. When the network is reachable, the agent connects to the best available gateway. The GlobalProtect portal and gateway will then require the user to authenticate.
To customize resilient VPN for your end users, you can configure two new options in your GlobalProtect portal agent configuration:
  • Automatic Restoration of VPN Connection Timeout —Enables or disables the resilient VPN behavior. A value of 0 disables the resilient VPN feature meaning the GlobalProtect agent does not attempt to resurrect the tunnel. When you specify a value other than 0, the GlobalProtect agent attempts to resurrect the tunnel with the last-connected manual or automatic gateway within the specified timeout period. For example, with a timeout value of 30 minutes, the agent does not attempt to resurrect the tunnel if the tunnel is disconnected for 45 minutes. However, if the tunnel is disconnected for 15 minutes, the agent attempts to resurrect the tunnel because the number of minutes has not exceeded the timeout value.
    GlobalProtect will not resurrect the tunnel if any of the following conditions occur:
    • GlobalProtect did not previously establish a tunnel to a gateway (for example when a user first logs in and has not yet connected to a gateway)
    • The user manually disconnected
    • The timeout to disconnect on idle expired
    • The timeout to switch the tunnel from a pre-logon user to a logged-in user expired
    • The endpoint rebooted
    • The user logged off of the endpoint
    • The tunnel is down for a period of time which exceeds the timeout value
    With always-on VPN, if a user switches from an external network to an internal network before the timeout value expires, GlobalProtect does not perform network discovery. As a result, GlobalProtect restores the connection to the last known external gateway. To trigger an immediate internal host detection, the user must select Rediscover Network from the GlobalProtect console.
  • Wait Time Between VPN Connection Restore Attempts—Specifies the time between resilient VPN connection attempts to restore the connection to the gateway. By default, the wait time between the resilient VPN connection attempts is five seconds. If necessary, you can specify a longer or shorter wait time depending on your network conditions.
Configure GlobalProtect to automatically reconnect:
  1. Configure the GlobalProtect portal .
    Select NetworkGlobalProtectPortals and select the portal configuration for which you want to add a client configuration or Add a new one.
  2. Add or modify an agent configuration.
    1. From the Agent tab, select the agent configuration you want to modify or Add a new one.
    2. Select the App tab.
      resilient-vpn-settings.png
  3. Define the action GlobalProtect takes when the tunnel is disconnected.
    In the App Configurations area, set the Automatic Restoration of VPN Connection Timeout. The range is 0-180 minutes; the default is 30.
    To disable this feature so that GlobalProtect does not attempt to resurrect the tunnel after the tunnel is disconnected, set the timeout value to 0.
  4. (Optional) Configure the time between attempts to restore the connection to the gateway.
    In the App Configurations area, configure the Wait Time Between VPN Connection Restore Attempts in seconds. The range is 1-60 seconds; the default is 5.
  5. Save your configuration changes.
    1. Click OK twice.
    2. Commit your changes.

Related Documentation