08-30-2017 01:05 AM
We had problems with AD after installing content version 729 this morning. Users were authenticated, but the logon process (group policy, drive mapping) was painfully slow. After we reverted to version 727 everything was OK again. The strange thing is that I see no traffic to our AD controllers being stopped by the firewall.
Anybody else seen this? We're using two PA-5050 in HA (active/passive) running PAN-OS 7.1.10.
08-30-2017 01:51 AM - edited 08-30-2017 01:56 AM
We had big problems too!! Group policy and drive mapping Problems! We have reverted to V726.
PA 5050 Cluster (Active/Passive)
PanOS 7.1.7
08-30-2017 02:23 AM - edited 08-30-2017 03:46 AM
We also had big AD issues after upgrading to 729
PA-7050 in HA running 7.1.10
Seemes fixed afer we reverted to 727
EDIT:
Our own preliminar analysis indicates problems with LDAP (at least) after we upgraded to 729; we noticed the packet buffer was unusually high, and the average duration for LDAP sessions drastically increased, so our best guess is that it was having issues identifying LDAP AppID.
08-30-2017 03:55 AM - edited 08-30-2017 04:04 AM
We experienced LDAP traffic problems also today on our PA with content update 729-4193. We identified a policy that used application filtering with application-default service ports, as we saw undecided traffic on port 389. We resolved this temporarily by changing service ports to any. Our policies that used service ports exclusivly was not affected.
08-30-2017 06:31 AM - edited 08-30-2017 06:33 AM
Two of our customer had the same issue this morning.
We have rolled back to 727 to avoid the problem.
PA-5060 PANOS 7.1.10 Active/Passive. We use any as Application and Service. We have only AS,AV VP Profiles enabled.
Thanks.
Jacopo
08-30-2017 07:18 AM
Our Exchange 2013 servers stopped working when version 729 was downloaded and applied last night. In the Windows event logs, the Exchange servers were complaining about problems with the Exchange topology and not being able to find a valid domain controller, Event IDs, 2130 2142 2070.
We did have LDAP communication from the Exchange servers to the DC being allowed through our PA 3050s, but most flows were very small, ~464 bytes.
I reverted to version 727 and almost immediately the Exchange servers restarted their services and started servicing email.
08-30-2017 07:21 AM
We had issues this morning I'm not sure what all was affected but as soon as I reverted to 727 everything started working.
5060's running 7.1.10
08-30-2017 07:23 AM
Content 729 has been removed now
08-30-2017 08:02 AM
Same here. We had more than just AD problems too. We had ssl problems from servers to internet services not working as well as problems with port based connections (app and service = any) for internal server to server connections. All were resolved when we rolled back to 727.
08-30-2017 08:05 AM
We noticed problems whit sip session - not only ldap
08-30-2017 08:57 AM
Word on the street is the content team is working on resolving the issue, I would expect a fix in the next 24 hours.
Also its always worth setting a delay on the download/install just to protect yourselves against this sort of issue. We set a 24 defer period on our estate. Saved us a few times
08-30-2017 08:57 AM - edited 08-30-2017 09:01 AM
We were seeing various issues with authentication and various traffic breaking on our 7050 HA pairs.
Reverted the App and Threat content version to 726 which resolved all issues.
08-30-2017 09:01 AM
Our Palo partner suggested a 72 hour delay on content updates. Interestingly you don't seem to be able to configure a delay in Panorama only on the devices themselves.
08-30-2017 09:16 AM
We ran into the same issues with content 729. Rolling back to 727 resolved our issues.
I'm thinking that delaying it by 24 hours sounds like a good idea. I saw a post above stating that they waiting 72 hours inbetween updates.
By waiting to long it seems we run into a chicken and the egg scenario. What are the dangers where Threats and App-ID are not updated? I assume there could be a window where new Vulnerabilities may not be addressed or changes by the vendors for App-ID may not be properly identified correctly by Policy rules.
Thoughts?
Matt
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
