07-30-2014 04:52 PM
We are using an agentless user id system with four domain controllers. IPv4 and IPv6 is used inside and outside our organization. The PA box fails to identify users that run IPv6. Turning off IPv6 on the Windows clients fixes the problem. The problem is intermittent so it is hard to track down. Running 6.0.3 software.
07-30-2014 05:15 PM
Do you have ipv6 enabled and configured on the Palo Alto?
Have a look at the checklist for ipv6 usage here.
How to Check IPV6 Traffic Routing
08-07-2014 05:21 AM
I checked the 6 steps in the article you provided:
1 - make sure ipv6 is enabled - okay
2 - check ipv6 default route - okay
3 - ping via ipv6 from workstation to firewall internal interface, host name and IP address - okay
4 - ping via ipv6 from firewall external interface to external host - NOT OKAY
5 - ping via ipv6 from firewall internal interface to external host - okay
So this is weird, workstations have no trouble with ipv6, they can visit sites, ping sites and all that. The problem is, agentless user-id is inconsistent with ipv6 clients. Not sure why step 4 from above will not work.
08-07-2014 11:59 AM
The problem seems to be caused when a workstation has multiple ipv6 temp addresses. To test this I did this on my workstation:
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled
reboot
Now the PA box correctly identifies me
I will have to test this long term but so far it has worked for me
08-07-2014 12:21 PM
Thanks for posting the solution. An obscure issue for sure.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
