AD trouble after installing content version 729


L3 Networker

We had problems with AD after installing content version 729 this morning. Users were authenticated, but the logon process (group policy, drive mapping) was painfully slow. After we reverted to version 727 everything was OK again. The strange thing is that I see no traffic to our AD controllers being stopped by the firewall.

 

Anybody else seen this? We're using two PA-5050 in HA (active/passive) running PAN-OS 7.1.10.

52 REPLIES

L0 Member

We had big problems too!! Group policy and drive mapping Problems! We have reverted to V726.

 

PA 5050 Cluster (Active/Passive)

PanOS 7.1.7

We also had big AD issues after upgrading to 729

 

PA-7050 in HA running 7.1.10

 

Seems fixed after we reverted to 727

 

EDIT:

Our own preliminary analysis indicates problems with LDAP (at least) after we upgraded to 729; we noticed the packet buffer was unusually high, and the average duration for LDAP sessions drastically increased, so our best guess is that it was having issues identifying LDAP AppID.

L2 Linker

We also experienced LDAP traffic problems today on our PA with content update 729-4193. We identified a policy that used application filtering with application-default service ports, as we saw undecided traffic on port 389. We resolved this temporarily by changing service ports to any. Our policies that used service ports exclusively were not affected.

Two of our customers had the same issue this morning.

We have rolled back to 727 to avoid the problem.

 

PA-5060 PANOS 7.1.10 Active/Passive. We use any as Application and Service. We have only AS,AV VP Profiles enabled.

 

Thanks.

Jacopo

L0 Member

Our Exchange 2013 servers stopped working when version 729 was downloaded and applied last night. In the Windows event logs, the Exchange servers were complaining about problems with the Exchange topology and not being able to find a valid domain controller: Event IDs 2130, 2142, 2070.

 

We did have LDAP communication from the Exchange servers to the DC being allowed through our PA 3050s, but most flows were very small, ~464 bytes.  

 

I reverted to version 727 and almost immediately the Exchange servers restarted their services and started servicing email. 

L1 Bithead

We had issues this morning. I'm not sure what all was affected, but as soon as I reverted to 727 everything started working.

 

5060's running 7.1.10

L2 Linker

Content 729 has been removed now

L0 Member

Same here.  We had more than just AD problems too.  We had ssl problems from servers to internet services not working as well as problems with port based connections (app and service = any) for internal server to server connections.  All were resolved when we rolled back to 727.

We noticed problems with SIP sessions, not only LDAP

 

Word on the street is the content team is working on resolving the issue, I would expect a fix in the next 24 hours. 

 

Also, it's always worth setting a delay on the download/install just to protect yourselves against this sort of issue. We set a 24 defer period on our estate. Saved us a few times.

L2 Linker

We were seeing various issues with authentication and various traffic breaking on our 7050 HA pairs.

Reverted the App and Threat content version to 726 which resolved all issues.

Our Palo partner suggested a 72 hour delay on content updates.  Interestingly you don't seem to be able to configure a delay in Panorama only on the devices themselves.

L4 Transporter

We ran into the same issues with content 729.  Rolling back to 727 resolved our issues.  

 

I'm thinking that delaying it by 24 hours sounds like a good idea. I saw a post above stating that they are waiting 72 hours in between updates.

 

By waiting too long it seems we run into a chicken and the egg scenario. What are the dangers where Threats and App-ID are not updated? I assume there could be a window where new vulnerabilities may not be addressed or changes by the vendors for App-ID may not be properly identified correctly by Policy rules.

 

Thoughts?


Matt

L4 Transporter

We are also experiencing many issues with 729 and connections related to PACS images and interface engines. Removing Threat resolves all issues.
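
Added example, not part of any post above and not vendor code: several replies describe the same symptoms on port 389 after the update (traffic showing as undecided, flows of about 464 bytes, much longer LDAP sessions), and a before/after comparison of session records per content version surfaces that pattern without waiting for user reports. The CSV column names, sample rows and thresholds are all assumptions made for illustration.

```python
import csv, io
from statistics import median

# Constructed sample sessions (not real firewall logs); columns and thresholds are assumptions.
SAMPLE = """content,dport,app,bytes,duration
727,389,ldap,5120,2
727,389,ldap,4890,1
727,389,ldap,6300,3
727,445,ms-ds-smb,90000,12
729,389,undecided,464,30
729,389,undecided,464,28
729,389,ldap,5200,25
729,389,undecided,470,31
729,445,ms-ds-smb,88000,11
"""

def profile(rows, content, dport, expected_app):
    """Share identified as expected_app, median bytes and duration for one port."""
    hits = [r for r in rows if r["content"] == content and r["dport"] == dport]
    if not hits:
        return None
    return {
        "sessions": len(hits),
        "identified": sum(r["app"] == expected_app for r in hits) / len(hits),
        "median_bytes": median(int(r["bytes"]) for r in hits),
        "median_duration": median(int(r["duration"]) for r in hits),
    }

def compare(text, baseline, candidate, watch, min_identified=0.9, max_slowdown=3.0):
    """Return findings for watched (port, app) pairs that regressed under candidate."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = []
    for dport, app in watch:
        old = profile(rows, baseline, dport, app)
        new = profile(rows, candidate, dport, app)
        if old is None or new is None:
            continue  # no traffic on one side, so this port cannot be judged
        reasons = []
        if new["identified"] < min_identified <= old["identified"]:
            reasons.append("identification dropped")
        if new["median_duration"] > max_slowdown * max(old["median_duration"], 1):
            reasons.append("sessions slower")
        if new["median_bytes"] < old["median_bytes"] / 2:
            reasons.append("flows smaller")
        if reasons:
            findings.append((dport, app, reasons))
    return findings

if __name__ == "__main__":
    print(compare(SAMPLE, "727", "729", [("389", "ldap"), ("445", "ms-ds-smb")]))
```

Run against records collected during a deferral window on a test or low-risk firewall, a non-empty result is a reason to hold the content version back before it reaches production.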
