07-28-2014 08:56 AM
Hi friends,
I have two Palo Alto Networks (PAN-PA-3020) firewalls installed in HA mode (Active-Passive).
My problem is that whenever my primary FW goes down or changes to passive and the secondary becomes active, my Active Directory authentication fails; however, everything else works fine. Please suggest. Thanks
Regards
Satish
07-28-2014 09:03 AM
Hello Satish,
After the HA failover, did you check the reachability to the AD server from the PAN firewall? Also, verify the authd logs for more detailed information.
Thanks
07-28-2014 09:03 AM
Hi Satish,
Make sure both the devices have similar authentication configuration, because authentication configuration is not synced via failover.
Regards,
Hardik Shah
07-28-2014 09:07 AM
Reference doc for more detailed info: HA-Sync: Information Synchronized in an HA Pair
07-28-2014 09:12 AM
Hi Hardik,
Let me check; if I run into any problem I will coordinate with you. Apart from this, is there any other configuration I need to consider?
Regards
Satish
07-28-2014 09:14 AM
Hi Hulk bro,
Thanks for sharing such a useful document.
Regards
Satish
07-28-2014 09:16 AM
Hi Satish,
Most likely it's happening due to configuration differences on both the boxes; verify the same.
Regards,
Hardik Shah
07-28-2014 11:47 PM
Hi friends,
I am facing this kind of issue. Can you help me, please?
07-29-2014 12:03 AM
Hello Satish,
Could you please re-configure the LDAP server credentials on this PAN firewall and let us know the result. It looks like your LDAP credentials were not configured correctly.
Thanks
07-29-2014 01:58 AM
Hi Hulk bro,
The primary firewall has the same configuration and it's working fine, but only the secondary firewall has the issue. Please suggest.
Regards
Satish
07-29-2014 06:58 AM
Hello Satish,
It's not about the configuration, but LDAP credentials. Could you please try to re-enter credentials one more time on the passive node.
Thanks
07-29-2014 07:20 AM
Hi Satish,
Also try to capture traffic between the AD server and the firewall; even a capture can tell you what's going wrong.
As HULK said, if it's an authentication issue, you will be able to view it in the captures.
Capture is the greatest friend for security engineers.
Regards,
Hardik Shah
07-30-2014 02:06 AM
Hi Hardik,
Is it required for the passive device to be active for the traffic capture or AD authentication verification?
If I am wrong, please correct me, because the customer is asking that it not be required to make the passive device active for the same.
Regards
Satish
07-30-2014 02:15 AM
Hello Satish,
I hope the AD server is connected through the management interface. Hence, you need to capture packets on the management interface. It is not necessary to bring the firewall into the Active state in order to capture packets; you can capture on the Passive FW as well.
Reference DOC: tcpdump
Hope this helps.
Thanks
07-30-2014 02:37 AM
Hi Hulk bro,
I have re-entered the credentials on the passive node, but I am facing the same issue.
Regards
Satish