topic Re: Policy Based Forwarding - Enforce Symmetric Return in Integration Discussions

Policy Based Forwarding - Enforce Symmetric Return

HengTIDC — Tue, 13 Nov 2018 08:38:12 GMT

Dear All,

I integrade PALOALTO to Tacacs+ for authenticator, but I got message error as below

Authentication to TACACS+ server at '192.168.101.46' for user 'user1'
Server port: 49, timeout: 10, flag: 0
Egress: 192.168.101.42
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authorization request is created
Authorization request sent with priv_lvl=1 user=user1 service=PaloAlto protocol=
firewall
Authorization failed: Return code: 17 Illegal packet (version=0xc1 type=0x02)
Authentication/authorization failed against TACACS+ server at 192.168.101.46:49
for user user1

Anyone encounter this issue ?

Re: Policy Based Forwarding - Enforce Symmetric Return

jhochberg — Tue, 12 Mar 2019 22:32:26 GMT

Hello,

The message body of this post (TACACS issue) doesn't seem to correlate to the subject line (Policy Based Forwarding).

Have you opened a support case regarding the TACACS message you posted?

Which version of PAN-OS are you running on your firewall?

I know there was at least one case where a bug was identified based on how the firewall was sending an invalid message to the TACACS+ server - the resulting behavior was logged the same as you depict in your post. That particular issue was fixed in PAN-OS 8.0.15.

Please keep in mind that there will always be cases where further investigation is required in order to obtain the root cause before a final resolution is determined. If you are still experiencing this issue, I would recommend that you open a support case to get assistance with this.

Thanks for your post!

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA | USA

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

Re: Policy Based Forwarding - Enforce Symmetric Return

singhup — Thu, 23 May 2019 08:52:34 GMT

Hi,

You have successful authentication from TACACS but there is a missing VSA due to which authorization is failing. To resolve this, configure VSA with string value as Superuser on the TACACS server.

Regards

Re: Policy Based Forwarding - Enforce Symmetric Return

jhochberg — Tue, 11 Jun 2019 15:21:20 GMT

@singhup thanks for your response!

@HengTIDC please try the recommended solution and let us know if that works for you.

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA | USA

Re: Policy Based Forwarding - Enforce Symmetric Return

singhup — Tue, 11 Jun 2019 15:59:13 GMT

You’re welcome. I’m glad that my TAC experience is useful for others.