AD Authentication Problem with Secondary Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AD Authentication Problem with Secondary Firewall

L4 Transporter

HI friends..


I am having two Palo Alto Network ( PAN-PA-3020 ) firewall installed in HA  mode (Active-Passive) .

  My problem is when ever my Primary FW goes down or change to passive and Secondary become Active, My Active directory authentication  becomes fails, however all other things works fine. Please suggest.Thanks


Regards

Satish


14 REPLIES 14

L7 Applicator

Hello Satish,

After the HA failover, did you check the reachability to the AD server from PAN firewall.? Also, verify authd logs for more detail information.

Thanks

L6 Presenter

Hi Satish,

Make sure both the devices have similar authentication configuration, because authentication configuration is not synced via failover.

Regards,

Hardik Shah

L7 Applicator

Reference DOC for more details info--- HA-Sync :Information Synchronized in an HA Pair

Hi Hardik,

let me check if i got any problem i will coordinate with you.apart from this any other configuration i need to consider??

Regards

Satish

Hi Hulk bro.,

Thanks for sharing such kind of use full document.

Regards

Satish

Hi Satish,

Most likely its happening due to configuration differences on both the boxes, verify the same.

Regards,

Hardik Shah

Hi Friends

I am facing such king of issue can you help me plz

AttendeeViewerImage004 - Copy.gif

Hello Satish,

Could you please re-configure the LDAP server credentials on this PAN firewall and let us know the result. It looks like your LDAP credentials were not configured correctly.

Thanks

Hi Hulk Bro..,

same configuration have primary firewall its working fine. but secondary firewall have only issue plz suggest.

Regards

Satish

Hello Satish,

It's not about the configuration, but LDAP credentials. Could you please try to re-enter credentials one more time on the passive node.

Thanks

L6 Presenter

Hi Satish,

Also try to capture traffic between AD server and Firewall, even capture can tell you whats going wrong.

As HULK said if its a authentication issue, you will be able to view in captures.

Capture is greatest friend for security engineers.

Regards,

Hardik Shah

Hi Hardik,

Is this required to Passive device active for the traffic capture or AD authentication verification.

If i am wrong plz correct me. buz customer are asking its not required to passive device to active for the same. 

Regards

Satish

Hello Satish,

I hope the AD server is connected through the management interface. Hence, you need to capture packet on the management interface. It is not necessary to bring the firewall in Active state, in order to capture packet, you can capture in Passive FW as well.

Reference DOC: tcpdump

Hope this helps.

Thanks

Hi Hulk Bro.,

I have re-enter credentials on the passive node. but i am facing same issue.

Regards

Satish

  • 5139 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!