GP Authentication issues with Symantec VIP

Palo_lover — Mon, 05 Apr 2021 14:03:44 GMT

Hi,

We are running Palo Alto Global Protect with Symantec VIP MFA. We have run this for quite some time now and it has been stable until recently.

We are seeing random errors appearing on one of the validation servers. It seems Palo is sending the request but Symantec is dropping it. A restart of the validation service on VIP EG fix the issue temporarily but it appears atleast once a day everyday.

I have taken a wireshark capture when the error was happening. You can clearly see the firewall making the request with no response from the server and from packet 7527, this is where i restarted the validation service on Syamentec running on the port you can see response going to the firewall.

Understand this looks more like a Symantec issue but the change was made on the firewall which triggered these errors. On Palo i have started using Authentication sequence which goes through 3 profiles. 2 X LDAP and last one Radius. 1 x LDAP is not in use and i will be deleting that.

The radius one has been recently added using Okta MFA. Surprisingly when i remove the profile from the sequence on Palo no errors are seen on Symantec VIP MFA server. I have tested this a number of times now at the cost of some operational impact :(. No other way to reproduce the error. Ignore my feeble attempts to mask the IP.

SYMANTEC LOGs:

INFO "2021-03-22 12:54:30.027 GMT+1100" 0.0.0.0 RADIUS_SCC_ALL:1901 0 0 "text=Sending Acces-Reject for user [amarsh] , reason=47; Invalid Input." Thread-2932 VSAuthOTPStandardControllerImpl.cpp

AUDIT "2021-03-22 12:54:30.027 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 24597 "text=Access DENIED Invalid Input. ,reason=47; Invalid Input." Thread-2932 VSValidationEngine.c

ERROR "2021-03-22 12:55:36.953 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [106_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:55:39.953 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [107_172.18.17.254_46753_] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:55:39.953 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [108_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:55:41.954 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [109_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:55:44.954 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [110_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:55:44.954 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [111_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:55:50.955 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [112_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:56:01.956 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [113_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:56:03.956 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [114_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:56:04.957 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [115_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

ERROR "2021-03-22 12:56:09.958 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [116_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp

Following was done:

Server rebooted but the issue resurfaced next day.

Recreated the service on a different port in Symantec but the issue appeared next day on the new service as the okta profile was still attached.

Timeout increased to 120s but it resurfaced again next day.

Removed Okta radius profile - fixed the issue, 5 days and counting.

Need to reenable as i want to use multiple auth profiles and really want to use this feature due to people logging in from different domains and using different MFAs.

Re: GP Authentication issues with Symantec VIP

nikoolayy1 — Tue, 06 Apr 2021 13:14:46 GMT

Is the RADIUS profile going to Symantec VIP and then to OKTA MFA (please provide info how the RADIUS works and if you are making the SYMANTEC VIP to talk with OKTA ask Symantec if this is possible at all)? Why not directly integrate Okta MFA without RADIUS as this is supported by palo alto?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-multi-factor-authentication/configure-mfa-between-okta-and-the-firewall

Re: GP Authentication issues with Symantec VIP

Palo_lover — Tue, 06 Apr 2021 14:04:39 GMT

No. Symantec doesnt talk with Okta as there is no value in doing that. they
are independent. I have the sequence like below:

Symantec Radius on port 1901
Symantec Radius on port 19xx (for a different user group. this isnt being
used)
Okta Radius

I have also selected the option where it picks the authentication profile
using domain when a user enters their username. So the request doesnt have
to go through options first second and then third. It goes straight to 3 as
here is where the user puts his mail as his username and i can see Palo go
straight to Okta. So then it becomes completely bewildering if the request
doesnt even go to Symantec and it gets stuck.

Re: GP Authentication issues with Symantec VIP

nikoolayy1 — Tue, 06 Apr 2021 22:03:24 GMT

My suggestion is to try the Okta MFA without RADIUS as it is supported by Palo Alto and test and say if the issue is still there.

topic Re: GP Authentication issues with Symantec VIP in General Topics

GP Authentication issues with Symantec VIP

Re: GP Authentication issues with Symantec VIP

Re: GP Authentication issues with Symantec VIP

Re: GP Authentication issues with Symantec VIP