GP Client and DUO 2F Very strange behavior

zenithnetworks — Wed, 14 Dec 2022 00:41:37 GMT

Thoughts and ideas are welcome. Note, I have yet to tune the GP APP on the portal.

Okay... I would like to keep this brief, but I have conducted numerous tests and lots of log files. This is a new implementation and I will tell you what is "broken" and what is NOT broken. Customer is using GP client ver 6.1 and 5.2.6-87.

1. GP client successfully auth to 1f ldap, sussceefully auth to 2f DUO proxy server, using DUO app on iphone, message arrive to accept or reject, I accept and all is perfect.

2. Same scenario as above 1, but now DUO is set to actually ring / call the user phone... phone rings.. # to accept and then GP client immediately closes indicating cannot find gateway. Remember, using DUO app and accept all works well.

3. To eliminate the GP components, I did the following... I setup a firewall admin account to when the test admin account logs to the firewall, auth against the DUO Proxy and in this test on the firewall I am using the same radius server and auth profile as above... I test by https to the firewall mgt interface... I enter my creds... I am not doing 1stF, just auth against DUO Proxy via radius... after I enter my firewall admin creds...DUO call me, I accept the call and hit # and I can login to the firewall. This is similar to 2 above, but I am not using GP and DUO works and I can login.

This is a little crazy. I have lots of interesting logs and from the firewall authd.log... everything is great.. no failures. The GUI GP logs too look good, but I need to retest.

Something interesting from the GP Client logs.....

PanGPA log...

(P1640-T6924)Info (3368): 12/13/22 14:25:08:190 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RECEIVING_RESPONSE, this=000001B26A0E86B0)
(P1640-T6924)Info (3368): 12/13/22 14:25:08:190 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESPONSE_RECEIVED, this=000001B26A0E86B0)
(P1640-T6924)Info (3368): 12/13/22 14:25:08:190 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE, this=000001B26A0E86B0)

(P1640-T6924)Debug(2366): 12/13/22 14:25:08:190 got header ready event, exit wait loop now

(P1640-T6924)Info (2432): 12/13/22 14:25:08:190 http request status code = 502

(P1640-T6924)Error(2575): 12/13/22 14:25:08:190 Unexpected http status 502

(P1640-T6924)Error(4585): 12/13/22 14:25:08:190 winhttpObj, error! ipaddress vpn.company.com
bRetryWithoutCert is 0, bClientCertNeeded=0

(P1640-T6924)Info (3368): 12/13/22 14:25:08:190

PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=000001B26A0E86B0)
(P1640-T6924)Debug(3459): 12/13/22 14:25:08:190 handle 67f38be0 closed
(P1640-T6924)Debug(3463): 12/13/22 14:25:08:190 REUSE, request closed
(P1640-T6924)Info ( 860): 12/13/22 14:25:08:190 wait for closing callback success!

Re: GP Client and DUO 2F Very strange behavior

Arnesh — Fri, 16 Dec 2022 10:53:50 GMT

Hi @zenithnetworks

I have not observed this kind of issue, however, have you tried increasing the timeout as suggested in the Duo document?

Increase the "Timeout" to at least 30 (60 recommended if using push or phone authentication).

Suspecting this to a timeout issue. Do you think it take more than 30secs for the call to be received?

This need to be done in the RADIUS server settings > GUI > Device > RADIUS

Regards,

topic GP Client and DUO 2F Very strange behavior in GlobalProtect Discussions

GP Client and DUO 2F Very strange behavior

Re: GP Client and DUO 2F Very strange behavior