PCS Client reconnection

bally
New Contributor

PCS Client reconnection

Hi All,

Hoping this will be an easy one :)

We are finding that Pulse Secure client will automatically attempt to reconnect after Windows 10 has been put into sleep.

For example, user is working from home > sleeps Windows 10 > comes back into the office and the Pulse client will automatically try to reconnect.

We have 'whitelisted' all the office IP addresses but this doesn't seem to make a difference. Is there anything missing from the configuration as below? Or any way I can stop this behaviour as this is causing problems when in the office.

schema version {
version: "1"
}

machine settings {
version: "27"
guid: "xx"
connection-source: "preconfig"
server-id: "xx"
connection-set-owner: "xx"
connection-set-name: "xx"
connection-set-last-modified: "2019-06-24 11:02:11 UTC"
connection-set-download-host: "xx"
allow-save: "false"
user-connection: "true"
lock-down: "false"
splashscreen-display: "false"
dynamic-trust: "false"
dynamic-connection: "true"
eap-fragment-size: "1400"
captive-portal-detection: "true"
enable-browser: "true"
FIPSClient: "false"
clear-smart-card-pin-cache: "false"
block-traffic-on-vpn-disconnect: "false"
wireless-suppression: "false"
lockdown-exceptions-configured: "false"
}

ive "xx" {
friendly-name: "xx"
version: "23"
guid: "xx"
client-certificate-selection-rule: "AUTO"
server-id: "xx"
connection-source: "preconfig"
factory-default: "true"
uri: "xx"
connection-policy-override: "true"
connection-lock-down: "false"
use-for-connect: "true"
use-for-secure-meetings: "false"
uri-list-use-last-connected: "false"
uri-list-randomize: "false"
sso-cached-credential: "false"
connection-identity: "user"
connection-policy: "manual AND ( NOT ip(physical, 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.1.0-192.168.4.255 192.168.9.0-192.168.15.255 192.168.22.0-192.168.22.255 192.168.33.0-192.168.33.255 192.168.88.0-192.168.88.255 192.168.200.0-192.168.203.255 192.168.205.0-192.168.206.255 192.168.254.0-192.168.254.255))"
client-certificate-location-system: "false"
reconnect-at-session-timeout: "false"
}

7 REPLIES
zanyterp
Moderator

Re: PCS Client reconnection

unfortunately, that is expected. there is no way to prevent Pulse from attempting to recover the session.
what issues are you seeing in the office?
are you not seeing the connection disconnect successfully after the location awareness rules run?
bally
New Contributor

Re: PCS Client reconnection

Hi Zanyterp,

Thanks for coming back to me.

That is correct, it appears that the Location Awareness rules are ignored and the client will attempt to reconnect despite the huge list of IP addresses that are configured in the configuration file.

But sounds like that is something I have to review as does the config look correct to you?

In terms of issues, it appears that when in the office, even if you get an IP address of 10.x.x.x the VPN will be active and sends the internet traffic out the internet then back round.

zanyterp
Moderator

Re: PCS Client reconnection

you are welcome, bally.
the reconnection should happen; however, it is concerning to me that the connection remains up. the location awareness rule should be triggered and cause a disconnect.
if you look at the pulse log file, you should see a message about location awareness rules being triggered and a kConnect directive of disconnect.
i would recommend opening a case with our support team for further investigation if you are not seeing that.
r@yElr3y
Moderator

Re: PCS Client reconnection

Hmm.. Interesting! Thank you for bringing this to our attention.

From the preconfig data, it seems that the connect automatic policy has been disabled (manual); followed by having location awareness policies configured to take care of the connection (hence, manual + physical interfaces IP addresses).

::::connection-policy: "manual AND ( NOT ip(physical xxx ::::

Technically, if the Location Manager declares that the connection policy is false (as pointed out by @zanyterp) then the connection manager should disconnect the active connection/cancel the ongoing attempt...but... But I am not sure if it will happen in this case i.e. manual + location awareness setup, I'm sorry. However, I have seen this working with connect automatically on + LA rules enabled.

If possible, can you please enable the connect automatically along with LA and check the behaviour.
PCS Expert
Pulse Connect Secure Certified Expert
zanyterp
Moderator

Re: PCS Client reconnection

that is a good catch by @r@yElr3y; i did not think about that (apologies).
he is correct that the location awareness disconnect will not activate when using manual connections
shbeuving
Contributor

Re: PCS Client reconnection

Hello,

I've got the same question / issue as you mentioned. It seems that when a user 'overrides' the connection. If a client then comes back from sleep I still see the 'Manual Override' from the user.

When I enable 'Connect automatically' based on L.A. and the machine passed its Idle Timeout, users will have to log in again to the Realm. I've also unchecked the option of "Reconnect at Session Timeout or Deletion"

ps; In the specific Realm I've created I do not allow users to save log on information. If you want to check if a session resumes or starts as a new one, uncheck this feature.

Maybe this will work for you!?

zanyterp
Moderator

Re: PCS Client reconnection

yes, that is correct @shbeuving, that a connection stays overridden until reboot or something automatically triggers the connection (or disconnect, depending on what the rules are)
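
An added example, not part of the original thread and not Pulse Secure code: it parses the connection-policy value from the preconfig in the first post and models how the `NOT ip(physical, ...)` rule evaluates for one adapter address, so an admin can check offline which office addresses fall outside the listed ranges. The evaluation semantics and the `disconnect_expected` flag are assumptions drawn from the moderators' replies above (the location awareness disconnect does not activate for manual connections); the sample addresses are constructed.

```python
import ipaddress
import re

# connection-policy value copied from the preconfig in the original post.
POLICY = (
    "manual AND ( NOT ip(physical, 10.0.0.0-10.255.255.255 "
    "172.16.0.0-172.31.255.255 192.168.1.0-192.168.4.255 "
    "192.168.9.0-192.168.15.255 192.168.22.0-192.168.22.255 "
    "192.168.33.0-192.168.33.255 192.168.88.0-192.168.88.255 "
    "192.168.200.0-192.168.203.255 192.168.205.0-192.168.206.255 "
    "192.168.254.0-192.168.254.255))"
)

RANGE_RE = re.compile(r"(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3})")


def parse_policy(policy):
    """Return (mode, ranges): the token before AND, and the ip() ranges."""
    mode = policy.split(" AND ", 1)[0].strip().lower()
    ranges = []
    for lo, hi in RANGE_RE.findall(policy):
        lo_ip, hi_ip = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if lo_ip > hi_ip:
            raise ValueError(f"range start after end: {lo}-{hi}")
        ranges.append((lo_ip, hi_ip))
    return mode, ranges


def assess(policy, address):
    """Model the rule for one physical adapter address (assumed semantics)."""
    mode, ranges = parse_policy(policy)
    ip = ipaddress.IPv4Address(address)
    listed = any(lo <= ip <= hi for lo, hi in ranges)
    return {
        "mode": mode,
        # NOT ip(physical, ...) is false on a listed (office) network.
        "rule_allows_vpn": not listed,
        # Per the thread, the LA disconnect does not fire for manual mode.
        "disconnect_expected": listed and mode != "manual",
    }


if __name__ == "__main__":
    # Constructed sample adapter addresses, not taken from the thread.
    for addr in ("10.20.30.40", "192.168.5.10", "203.0.113.7"):
        print(addr, assess(POLICY, addr))
```

An address such as 192.168.5.10 sits in a gap between the listed 192.168.x ranges, so the rule still permits the VPN there even though it looks like an internal address.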