Palo Alto GlobalProtect VPN disconnects on Mac OS after a random time; have to manually connect it again. Behaviour not persistent in Windows

I have deployed PA GlobalProtect to a few users consisting of Windows and Mac OS. All the users can connect correctly with the same security rules and can access internal resources as expected. The problem happens with Mac OS clients. After a random amount of time (between 1 minute and 20 minutes), the GP client will disconnect from the Gateway. It will log the user out. The user then has to manually type in the username/password to connect again. Windows clients stay connected until the user manually disconnects or reaches the inactivity timeout, which is set to 4 hours.

We enabled third-party extensions as well. I collected the troubleshooting logs from one of the Mac GP clients. Below is the GPA log:

P22011-T34819 Mar 25 20:32:32:98834 Debug(1258): ===> response sent to Mac = <response><type>status</type><state>Connected</state><error></error></response>
P22011-T35083 Mar 25 20:32:35:346851 Debug( 797): Send command to Pan Service
P22011-T35083 Mar 25 20:32:35:346874 Debug( 823): Command = <request><type>status</type></request>
P22011-T35083 Mar 25 20:32:35:346940 Debug( 880): PanClient sent successful with 64 bytes
P22011-T34819 Mar 25 20:32:35:349570 Debug(  93): Received data from Pan Service
P22011-T34819 Mar 25 20:32:35:350062 Debug( 332): ### Download parameters ###: m_dwLatestDownlaod=1553569989, m_bDownloadStarted=0, bCheckTunnelOK=1, m_bOnDemandRead=0, bUsingCachedPortal=0, lastfaileddownload=0, m_nUpgradeMethod=2
P22011-T34819 Mar 25 20:32:35:350080 Debug( 169): username field is not empty. not override the username.
P22011-T34819 Mar 25 20:32:35:350086 Debug( 190): CPanBaseReceiver::HandleStatus - found discover-ready tag. value = yes.
P22011-T34819 Mar 25 20:32:35:350108 Debug( 269): message type from the service = status
<?xml version="1.0" encoding="UTF-8"?>
<response>
    <type>status</type>
    <status>Connected</status>
    <protocol>SSL</protocol>
    <portal-config-version>4100</portal-config-version>
    <error-must-show/>
    <error/>
    <uptime>1058</uptime>
    <byte-received>23474224</byte-received>
    <byte-sent>9658283</byte-sent>
    <packet-received>67736</packet-received>
    <packet-sent>51499</packet-sent>
    <incorrect-packet-received>0</incorrect-packet-received>
    <incorrect-packet-sent>0</incorrect-packet-sent>
    <server-ip>xx.xx.xx.xx</server-ip>
    <local-ip>yy.yy.yy.yy</local-ip>
    <local-ipv6/>
    <connect-mode>0</connect-mode>
    <product-version>5.0.0-87</product-version>
    <product-code/>
    <portal-status>Connected</portal-status>
    <user-name>user1</user-name>
    <username-type>regular</username-type>
    <state>Connected</state>
    <check-version>no</check-version>
    <portal>xx.xx.xx.xx</portal>
    <discover-ready>yes</discover-ready>
    <mdm-is-enabled>no</mdm-is-enabled>
    <gateway-list name="gateway-list" type="external">
        <entry>
            <gateway>xx.xx.xx.xx</gateway>
            <tunnel>yes</tunnel>
            <description>Gateway</description>
            <allow-tunnel>yes</allow-tunnel>
            <passwd-expire-days>-1</passwd-expire-days>
            <priority>1</priority>
            <internal>no</internal>
            <authenticated>yes</authenticated>
        </entry>
    </gateway-list>
</response>

P22011-T34819 Mar 25 20:32:35:350192 Debug(1258): ===> response sent to Mac = <response><type>status</type><state>Connected</state><error></error></response>
P22011-T34819 Mar 25 20:32:36:333783 Info ( 246): agent ui socket closed!
P22011-T26371 Mar 25 20:32:36:346785 Info ( 211): InitConnection ...
P22011-T26371 Mar 25 20:32:36:346798 Debug(  57): fd still open before connect
P22011-T26371 Mar 25 20:32:36:346905 Error(  78): Failed to connect to server at port:4767
P22011-T26371 Mar 25 20:32:36:346911 Error( 215): Cannot connect to service, error: 61
P22011-T35083 Mar 25 20:32:38:446825 Info ( 211): InitConnection ...
P22011-T35083 Mar 25 20:32:38:446849 Debug(  57): fd still open before connect
P22011-T35083 Mar 25 20:32:38:447043 Debug( 330): decryptPwd - encrypted object is empty.
P22011-T35083 Mar 25 20:32:38:447535 Debug( 330): decryptPwd - encrypted object is empty.
P22011-T35083 Mar 25 20:32:38:447563 Debug( 424): GetSamlAttribute - samlsessionid or samlusername is null.
P22011-T35083 Mar 25 20:32:38:447699 Debug( 378): CPanSocket::OnConnect - portal message sent.
P22011-T35083 Mar 25 20:32:38:447705 Info ( 223): Connecting to Pan MS Service end
P22011-T35083 Mar 25 20:32:38:447707 Debug( 765): CPanCommand::Send - not connected, and reintialized connection to service.
P22011-T35083 Mar 25 20:32:38:746876 Debug( 797): Send command to Pan Service
P22011-T35083 Mar 25 20:32:38:746888 Debug( 823): Command = <request><type>status</type></request>
P22011-T35083 Mar 25 20:32:38:746929 Debug( 880): PanClient sent successful with 64 bytes
P22011-T34819 Mar 25 20:32:38:751446 Debug(  93): Received data from Pan Service
P22011-T34819 Mar 25 20:32:38:751690 Debug( 169): username field is not empty. not override the username.
P22011-T34819 Mar 25 20:32:38:751696 Debug( 190): CPanBaseReceiver::HandleStatus - found discover-ready tag. value = no.
P22011-T35083 Mar 25 20:32:38:751705 Debug( 797): Send command to Pan Service
P22011-T35083 Mar 25 20:32:38:751721 Debug( 812): Command = <request><type>portal</type><portal>xx.xx.xx.xx</portal><pid>22011</pid><user>user1</user><passwd>*</passwd><path>/Users/user1/Library/Application Support/PaloAltoNetworks/GlobalProtect</path><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>no</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>user1</win-user><user-profile-type>0</user-profile-type><saved-user>user1</saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><gid>20</gid><domain></domain></request>
P22011-T34819 Mar 25 20:32:38:751725 Debug( 269): message type from the service = status
<?xml version="1.0" encoding="UTF-8"?>
<response>
    <type>status</type>
    <status>Disconnected</status>
    <protocol/>
    <portal-config-version>0</portal-config-version>
    <error-must-show/>
    <error/>
    <product-version>5.0.0-87</product-version>
    <product-code/>
    <portal-status>Invalid portal</portal-status>
    <user-name/>
    <username-type>sso</username-type>
    <state/>
    <check-version>no</check-version>
    <portal>xx.xx.xx.xx</portal>
    <discover-ready>no</discover-ready>
    <mdm-is-enabled>no</mdm-is-enabled>
    <gateway-list name="gateway-list" type="external">
        <no-gateway>true</no-gateway>
    </gateway-list>
</response>

As seen, the disconnect happens when it is not able to reach the server. The Gateway is always up; there was no change of network on the client end, and nothing changed in the rules.

If needed, I can also attach GPS logs. We have tried every different combination of configuration on the PA. We even tried to use different versions of GlobalProtect. I do not think there is any problem with GP or PA. What can be done on the Mac side to prevent the user getting disconnected?

GP Version: 4.0.10/5.0.0/5.0.1
Mac OS: Mojave 10.14
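As an added example (not part of the question and not Palo Alto Networks' code), here is a small Python triage script for GPA logs in the layout shown above. It parses each `P<pid>-T<tid> <timestamp> <level>(<n>): <message>` line, attaches the XML document that follows a "message type from the service = status" line to that record, and reports every Connected-to-Disconnected transition together with the errors logged between the two status reports. The errno table is the macOS/BSD one (61 = ECONNREFUSED), because the log comes from a Mac and those numbers differ from Linux; the sample log embedded in the script is a trimmed, constructed excerpt of the posted one.

```python
from __future__ import print_function
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed excerpt laid out like the GPA log in the question.
SAMPLE_LOG = """\
P22011-T34819 Mar 25 20:32:35:350108 Debug( 269): message type from the service = status
<?xml version="1.0" encoding="UTF-8"?>
<response>
    <type>status</type>
    <status>Connected</status>
    <protocol>SSL</protocol>
    <uptime>1058</uptime>
    <portal-status>Connected</portal-status>
    <user-name>user1</user-name>
    <username-type>regular</username-type>
    <state>Connected</state>
</response>

P22011-T34819 Mar 25 20:32:36:333783 Info ( 246): agent ui socket closed!
P22011-T26371 Mar 25 20:32:36:346785 Info ( 211): InitConnection ...
P22011-T26371 Mar 25 20:32:36:346905 Error(  78): Failed to connect to server at port:4767
P22011-T26371 Mar 25 20:32:36:346911 Error( 215): Cannot connect to service, error: 61
P22011-T35083 Mar 25 20:32:38:447563 Debug( 424): GetSamlAttribute - samlsessionid or samlusername is null.
P22011-T34819 Mar 25 20:32:38:751725 Debug( 269): message type from the service = status
<?xml version="1.0" encoding="UTF-8"?>
<response>
    <type>status</type>
    <status>Disconnected</status>
    <portal-status>Invalid portal</portal-status>
    <user-name/>
    <username-type>sso</username-type>
    <state/>
</response>
"""

LINE_RE = re.compile(
    r"^P(?P<pid>\d+)-T(?P<tid>\d+)\s+(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d):(?P<usec>\d+)"
    r"\s+(?P<level>Debug|Info|Error)\s*\(\s*(?P<src>\d+)\):\s*(?P<msg>.*)$")
SERVICE_ERR_RE = re.compile(r"Cannot connect to service, error: (\d+)")

# errno values as defined on macOS/BSD; they differ from Linux, so errno.errorcode is not used
MACOS_ERRNO = {50: "ENETDOWN", 51: "ENETUNREACH", 54: "ECONNRESET",
               60: "ETIMEDOUT", 61: "ECONNREFUSED", 65: "EHOSTUNREACH"}


def parse_gpa_log(text):
    """Return a list of {ts, level, msg, xml} records; the XML document that
    follows a status announcement is attached to that announcement's record."""
    records, xml_buf = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            if xml_buf and records:
                records[-1]["xml"] = "\n".join(xml_buf)
            xml_buf = None
            rec = {"ts": "%s.%s" % (m.group("ts"), m.group("usec")),
                   "level": m.group("level"), "msg": m.group("msg"), "xml": None}
            records.append(rec)
            if rec["msg"].startswith("message type from the service = status"):
                xml_buf = []          # the following non-log lines are the XML body
        elif xml_buf is not None and not line.startswith("<?xml"):
            xml_buf.append(line)      # the declaration line is dropped; ET does not need it
    if xml_buf and records:
        records[-1]["xml"] = "\n".join(xml_buf)
    return records


def status_fields(xml_text):
    """Pull the fields that matter for triage out of a <response> status document."""
    root = ET.fromstring(xml_text)

    def get(tag):
        el = root.find(tag)
        return (el.text or "") if el is not None else ""
    return {"status": get("status"), "portal_status": get("portal-status"),
            "user": get("user-name"), "username_type": get("username-type")}


def triage(text):
    """Return one finding per Connected -> not-Connected transition, each with the
    errors, service connection failures and socket closures logged in between."""
    findings, last_status, pending = [], None, []
    for rec in parse_gpa_log(text):
        if rec["xml"]:
            st = status_fields(rec["xml"])
            if last_status == "Connected" and st["status"] != "Connected":
                findings.append({"ts": rec["ts"], "from": last_status, "to": st["status"],
                                 "portal_status": st["portal_status"],
                                 "username_type": st["username_type"],
                                 "events": list(pending)})
            last_status, pending = st["status"], []
            continue
        m = SERVICE_ERR_RE.search(rec["msg"])
        if m:
            code = int(m.group(1))
            pending.append("%s service connect failed: errno %d (%s)"
                           % (rec["ts"], code, MACOS_ERRNO.get(code, "unknown")))
        elif rec["level"] == "Error" or "socket closed" in rec["msg"]:
            pending.append("%s %s" % (rec["ts"], rec["msg"]))
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    findings = triage(text)
    if not findings:
        print("no Connected -> Disconnected transition found")
    for f in findings:
        print("%s: %s -> %s (portal-status=%r, username-type=%r)"
              % (f["ts"], f["from"], f["to"], f["portal_status"], f["username_type"]))
        for ev in f["events"]:
            print("    " + ev)
    return len(findings)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a full PanGPA.log to get one block per drop. On the posted excerpt it reports the transition at 20:32:38 with three preceding events: the UI socket closing, the failed connect to port 4767 and ECONNREFUSED on the local service, and the new status also shows the username-type flipping from regular to sso with "Invalid portal". The log's own wording ("Cannot connect to service") makes this the agent UI losing its local connection to the service rather than the tunnel to the gateway, so the GPS log for the same few seconds is the natural next thing to line up against these timestamps.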

how to enable multicast between subnets through a Palo Alto firewall

I have two subnets that are connected through a Palo Alto 850 firewall.

I’ve been working with my networks guy and he says he “set up a static RP, enabled IGMP PIM on the interfaces and PIM permitted neighbor is set to any”.

Nevertheless, a trivial multicast server on one subnet fails to pass data to a trivial client on the other. The same trivial client works on the same subnet as the server. Client and server are running CentOS 7; firewalld is disabled on both; the server is running in a VMware VM. The working client (on the same subnet) is another VMware VM, but the client on the other subnet is a stand-alone workstation.

Trivial Client:

#! /usr/bin/python

from __future__ import print_function

import socket
import struct
import time


def Log(*args, **kw):
    print(time.strftime("%H:%M:%S"), *args, **kw)


class Monitor(object):

    def __init__(self, name="Client", args=(), kwargs={}):
        self.args = args
        self.kwargs = kwargs

    def start(self):
        self._run(*(self.args), **(self.kwargs))

    def _run(self, *args, **kw):
        group = kw["mgroup"]
        port  = kw["mport"]

        Log("mcast group", group, "port", port)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((group, port))

        sock.settimeout(5)

        # struct ip_mreq: group address + interface address (INADDR_ANY = kernel picks).
        # "=" gives fixed 4-byte fields so the buffer is exactly 8 bytes on every platform.
        mreq = struct.pack("=4sl", socket.inet_aton(group), socket.INADDR_ANY)
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

        count = 0
        while True:
            try:
                packet = sock.recv(8192)
                count += 1
            except socket.timeout:
                Log("mcast timeout")
            finally:
                if count > 0 and count % 10 == 0:
                    Log("mcast received", count, "packets")


def main(kw):
    client = Monitor(kwargs=kw)
    client.start()


if __name__ == "__main__":
    kw = {"mgroup": "239.1.2.49", "mport": 20000,
          }
    main(kw)

Trivial server:

#! /usr/bin/python

from __future__ import print_function

import socket
import time

def_mgroup = "239.1.2.49"
def_mport  = 20000
def_rate   = 2


def usage():
    import sys
    print("Usage:", sys.argv[0],
          "[multicast group address [multicast port [rate]]]")
    print()
    print("    multicast group address - default", def_mgroup)
    print("    multicast port          - default", def_mport)
    print("    rate                    - default", def_rate)


def main(**kw):

    mgroup = kw.get("mgroup", def_mgroup)
    mport  = kw.get("mport",  def_mport)
    rate   = kw.get("rate",   def_rate)

    sleepdur = 1.0 / rate               # divide by zero if you ask for it

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # TTL must be larger than the number of routers between sender and receiver
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 10)

    npackets = 0
    while True:
        # bytes literal so the same script runs under Python 2 and Python 3
        sock.sendto(b"robot", (mgroup, mport))
        npackets += 1
        if npackets % 10 == 0:
            print(time.strftime("%H:%M:%S"), "sent", npackets)
        time.sleep(sleepdur)


if __name__ == "__main__":
    args = {}

    import sys
    try:
        if len(sys.argv) > 1:
            args["mgroup"] = sys.argv[1]

        if len(sys.argv) > 2:
            args["mport"] = int(sys.argv[2])

        if len(sys.argv) > 3:
            args["rate"] = int(sys.argv[3])

        main(**args)

    except Exception as e:
        print(e)
        usage()

Neither of us really knows what we are doing. Can someone shed some light on this?
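As an added example (my code, not the poster's scripts), here is a Python multicast path checker that goes a little beyond the posted pair so that a failing test says something about where it fails: it refuses non-multicast groups and flags 224.0.0.0/24 (the local network control block, which no router forwards, so a test on such a group cannot cross the firewall no matter how PIM is set up); it joins the group on an explicit interface address, which matters on multi-homed VMs that would otherwise join on whichever NIC the kernel picks; it lets the sender pin its egress interface with IP_MULTICAST_IF; and the receiver counts packets per source address, so you can tell whether anything from the far-side host actually arrived rather than just "something arrived". Group, port, interface and expected-sender addresses are command-line arguments and are assumptions of the example.

```python
from __future__ import print_function
import socket
import struct
import sys
import time
from collections import Counter


def classify_group(addr):
    """'routable' for a forwardable IPv4 multicast group, 'link-local' for the
    224.0.0.0/24 block that routers never forward. ValueError outside 224/4."""
    packed = bytearray(socket.inet_aton(addr))
    if not 224 <= packed[0] <= 239:
        raise ValueError("%s is not an IPv4 multicast address" % addr)
    if packed[:3] == bytearray(b"\xe0\x00\x00"):
        return "link-local"
    return "routable"


def build_mreq(group, iface="0.0.0.0"):
    """struct ip_mreq = group address followed by the local interface address.
    '=' packs two fixed 4-byte fields with no padding, so the buffer is exactly
    8 bytes everywhere (native '4sl' is 16 bytes on 64-bit Linux)."""
    return struct.pack("=4s4s", socket.inet_aton(group), socket.inet_aton(iface))


def open_receiver(group, port, iface="0.0.0.0", timeout=2.0):
    classify_group(group)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))  # bind the port on all local addresses; the join selects the group
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, build_mreq(group, iface))
    sock.settimeout(timeout)
    return sock


def open_sender(group, ttl=10, iface="0.0.0.0"):
    classify_group(group)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # TTL must exceed the number of routers between the two subnets (1 here)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    if iface != "0.0.0.0":
        # pin the egress NIC; otherwise the kernel picks one from the multicast/default route
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface))
    return sock


def collect(sock, seconds):
    """Receive for `seconds` and return a Counter of packets per source IP."""
    seen = Counter()
    deadline = time.time() + seconds
    while time.time() < deadline:
        try:
            _, (src, _port) = sock.recvfrom(8192)
        except socket.timeout:
            continue
        seen[src] += 1
    return seen


def summarize(counts, expected_sender):
    """Turn per-source counts into a verdict about the path from expected_sender."""
    total = sum(counts.values())
    hits = counts.get(expected_sender, 0)
    if total == 0:
        return ("nothing received: verify the join on this host (ip maddr show / netstat -g) "
                "and the firewall's multicast route state for the group")
    if hits == 0:
        return ("received %d packets, none from %s: the path from that host is not passing"
                % (total, expected_sender))
    return "%d of %d packets came from %s: path OK" % (hits, total, expected_sender)


def main(argv):
    if len(argv) >= 4 and argv[1] == "send":
        group, port = argv[2], int(argv[3])
        iface = argv[4] if len(argv) > 4 else "0.0.0.0"
        sock, n = open_sender(group, iface=iface), 0
        while True:
            sock.sendto(("probe %d" % n).encode(), (group, port))
            n += 1
            time.sleep(0.5)
    elif len(argv) >= 5 and argv[1] == "recv":
        group, port, sender = argv[2], int(argv[3]), argv[4]
        iface = argv[5] if len(argv) > 5 else "0.0.0.0"
        counts = collect(open_receiver(group, port, iface=iface), 20)
        print(dict(counts))
        print(summarize(counts, sender))
    else:
        print("usage: %s send GROUP PORT [IFACE_IP] | recv GROUP PORT SENDER_IP [IFACE_IP]"
              % argv[0])


if __name__ == "__main__":
    main(sys.argv)
```

Run `recv` on the far-side workstation with the server VM's address as SENDER_IP and `send` on the VM, passing each host's own interface address as IFACE_IP when it has more than one NIC. A receiver that sees packets from a same-subnet host but none from the VM narrows the problem to the firewall hop; a receiver that sees nothing at all should first be checked for its own IGMP membership before looking at PIM.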

Palo Alto suitable for children

I will attend a conference in Palo Alto and am considering bringing my family (spouse, 11-year-old kid).

As I will attend the conference, my family would have to spend the days on their own. My question is whether Palo Alto is suitable for them. As far as I can see from the map, there is likely no beach to go swimming, and the number of sights in Palo Alto (those without nerd factor) seems limited as well.

Their English skills are only moderate.