KB43612 - Details on why an IP address can be reused quickly by another user for a VPN connection


Information

 
Last Modified Date: 1/21/2020 12:21 AM
Synopsis
This article provides details on why an IP address can be reused quickly by another user for a VPN connection.
Problem or Goal
Some users are being assigned the same IP address for their VPN connection that another user was recently using. This can lead network devices, such as proxies, to block the connection because they see two or more different users connecting from the same IP address in a short space of time.
Cause
This issue can occur when one of the following conditions is met:
  1. Limited number of IP addresses available, or exhaustion

All IP addresses are currently in use, so no IP address can be assigned to new tunnels until a connection is terminated. When an IP address becomes available, it will be assigned to a user.

  2. All IP addresses are set as preferred IP addresses

This occurs when the total number of possible users is greater than the number of IP addresses available. Over time, the user records will be populated with preferred IP address entries. If the system reaches the point where all the available IP addresses are set as preferred IP addresses and the user's preferred IP address is in use, then an unused IP address will be assigned (which will be another user's preferred IP address).
Solution

IP Assignment behavior with IP Pool

The Pulse Connect Secure (PCS) device uses the following workflow when assigning an IP address to a VPN tunnel:
  1. Assign the VPN tunnel's preferred IP address or previously assigned IP address.
  2. If the IP address is not available, assign an IP address that is not preferred by any VPN tunnel.
  3. If all IP addresses are preferred, assign any unused IP address.
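
The two causes and the three-step workflow above, modelled as an added example (not Pulse Secure code and not part of the original article). The class and method names, the 192.0.2.0/30 pool and the rule that a user's record keeps the last assigned address are assumptions made for illustration.

```python
from ipaddress import ip_network

class PoolModel:
    """Toy model of the three-step assignment workflow (not PCS code)."""

    def __init__(self, cidr):
        self.pool = [str(ip) for ip in ip_network(cidr).hosts()]
        self.in_use = {}     # ip -> user currently holding it
        self.preferred = {}  # user -> ip kept in that user's record
        self.last_user = {}  # ip -> most recent holder, to spot handoffs

    def connect(self, user):
        """Return (ip, step, reused); reused means the last holder was someone else."""
        free = [ip for ip in self.pool if ip not in self.in_use]
        if not free:
            return None, "exhausted", False      # cause 1: wait for a disconnect
        claimed = set(self.preferred.values())
        unclaimed = [ip for ip in free if ip not in claimed]
        if self.preferred.get(user) in free:
            ip, step = self.preferred[user], "1-preferred"
        elif unclaimed:
            ip, step = unclaimed[0], "2-not-preferred-by-anyone"
        else:
            ip, step = free[0], "3-any-unused"   # cause 2: another user's preferred IP
        reused = self.last_user.get(ip, user) != user
        self.in_use[ip] = self.last_user[ip] = user
        self.preferred[user] = ip  # assumption: record keeps the last assigned IP
        return ip, step, reused

    def disconnect(self, user):
        self.in_use = {ip: u for ip, u in self.in_use.items() if u != user}

    def clear_record(self, user):
        """Model of clearing a stale user record so its address is unclaimed again."""
        self.preferred.pop(user, None)

def demo():
    """Constructed scenario: two usable addresses, three users."""
    m = PoolModel("192.0.2.0/30")  # documentation range; hosts .1 and .2
    log = [m.connect("alice"), m.connect("bob"), m.connect("carol")]
    m.disconnect("alice")
    log.append(m.connect("carol"))  # every address is preferred -> step 3
    m.disconnect("carol")
    log.append(m.connect("alice"))  # step 1, yet the proxy just saw carol here
    return log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In the constructed scenario the last two connections both hand 192.0.2.1 to a different user than its previous holder, which is the pattern a downstream proxy sees as two users on one address.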

The preferred IP address behavior depends on whether the PCS device is configured for IP pool.
  • If the PCS device is configured via IP pool, the preferred IP address is stored for 24 hours.
If the end user logs in and is assigned the preferred IP, the following timers will be reset.

Solution:

If the preferred IP address is not assigned to the same end user, the following steps are recommended: 
  1. Increasing the available IP address range will help to reduce the possibility of the same IP address being preferred by multiple users.
  2. Stale or unused user records can be cleared to remove duplicates.  For more information, refer to Utilize External User Record Management to keep user records below the amount of available IP addresses. 
  3. If administrators want to avoid the possibility of users sharing an IP address, refer to KB12536 - How to set up the Pulse Connect Secure to assign a VPN Tunneling IP address based on LDAP attribute
Created By: Matthew Spiers