julezatmortonbu
Enthusiast

vCenter sends a TCP FIN after 30 min causing our Palo Alto Clientless VPN to terminate the console

Using clientless VPN on a Palo Alto firewall, we were trying to get a consultant access to an isolated VM on our infrastructure easily. So I used the VMware HTML5 console to pass through as a web app to the clientless VPN. It works fine, for 30 minutes. Then after that the console session times out. The console session itself, if we access it internally, does not time out. And the Palo Alto VPN session does not time out. I've also checked all the session timeout settings in the webclient.properties file in vCenter and didn't find anything that would line up.

So checking the Palo Alto, I can watch the TTL tick down and refresh on use for the clientless user.
It isn't until approx. 30 minutes have gone by that we see a state change on the PA from ACTIVE to INIT. So the actual clientless session didn't drop, just the session to the app. The reason for it is that vCenter is sending a TCP FIN packet. But I can't for the life of me figure out why or where that would be set.

Is anyone familiar with vCenter sending a FIN when using the HTML5 console?
