https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10985#M8111 <HTML><HEAD></HEAD><BODY><P>I agree with Hardik.</P><P></P><P>If there is a bug that was fixed in 5.0.14 your support engineer should be able to give you the bug number and a reference in the release notes.</P></BODY></HTML> Tue, 26 Aug 2014 20:03:54 GMT pulukas 2014-08-26T20:03:54Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10983#M8109 <HTML><HEAD></HEAD><BODY><P>Is anyone else running this setup...</P><P></P><P>Global Protect VPN(iPads specifically) using LDAP(Active Directory) AND client certificate for authentication.</P><P></P><P>...if you are, have you noticed in the System logs, when a user authenticates to Global Protect the PA logs one or two Auth Fails followed by an Auth Success?</P><P></P><P>Our users are not noticing anything on their end, but looking at packet captures, it looks like the PA never sends the LDAP request for the first two Auth Fails, then finally sends it on the third Auth.</P><P></P><P>Currently on 5.0.11.&nbsp; PA Support says to upgrade to 5.0.14, although I did not read anything in the release notes about this being fixed.</P></BODY></HTML> Tue, 26 Aug 2014 14:10:50 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10983#M8109 jambulo 2014-08-26T14:10:50Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10984#M8110 <HTML><HEAD></HEAD><BODY><P>Hi Jambulo,</P><P></P><P>If you have seen packet capture, and verified firewall didnt send packets in first two attempts. Then its certainly a bug.</P><P></P><P>Before upgrade to 5.0.14, you should ask engineer for root cause. And also ask for bug which suggested upgrade to 5.0.14.</P><P></P><P>This will ensure, you will not have same issue after moving to 5.0.14.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 26 Aug 2014 17:49:51 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10984#M8110 hshah 2014-08-26T17:49:51Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10985#M8111 <HTML><HEAD></HEAD><BODY><P>I agree with Hardik.</P><P></P><P>If there is a bug that was fixed in 5.0.14 your support engineer should be able to give you the bug number and a reference in the release notes.</P></BODY></HTML> Tue, 26 Aug 2014 20:03:54 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10985#M8111 pulukas 2014-08-26T20:03:54Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10986#M8112 <HTML><HEAD></HEAD><BODY><P>Hi Jambulo</P><P></P><P>I have another idea.</P><P>How looks Your authentication sequence?</P><P>Is ther only one profile on profile list?</P><P></P><P>I observed similar logs entries when I have two profiles in one authentication sequence, so PAN tryed to authenticate on first profile and then on next one if was unable to authenticate on the first.</P><P>Please verify that</P><P></P><P></P><P>With regards</P><P>SLawek</P></BODY></HTML> Wed, 27 Aug 2014 09:27:19 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-ldap-cert-auth-auth-fail-and-auth-success/m-p/10986#M8112 _slv_ 2014-08-27T09:27:19Z