Hello All,
PA3020
PAN-OS 7.1.4-h2
Having a strange issue with Captive Portal on PA3020 where the captive portal just suddenly has stopped working. Did a management server restart, tested with the PC directly connected into the Guest-VLAN over the wire received a CP page and was able to surf the internet. Same VLAN on the other location (different building but same subnet), same VLAN but this time mobile phone wirelessly no joy. CP URL can be resolved to the correct PA IP address but the page just not appearing (not presented by PA) so l cannot type username /password hence the user is unknown and no network/internet access. Where do l look for the logs in the tech support file?
Can see some of the issues have been resolved in the next release but not sure if l am hitting one of the below bugs:
Thx,
Myky
Was interesting one 🙂 But the issue was quite obvious. Palo is configured as syslog listener. It receives a syslog messages from the Kiwi syslog server (fed by Aerohive APs, 120 in total I think). With TAC from the PCAP we could see that the unknown user is coming from the Kiwi as "username= no" syslog string but the Palo syslog parser was mapping that user to "n". So in the end all users were mapped as "domain\n" username hence no CP was presented (as all users have ip addresses). Initially, we have configured ignore user with "domain\n", that didn't work (unknown users mapping time out still was refreshing by syslogs). Took off the domain and left an "n" only and that worked:
Thanks all for the help
EDIT: Upgrade device to the 7.1.9 didn't help
@Raido_Rattameister l cannot even locate the file:
> less mp-log appweb3-l3svc.log
Strange issue. Today did another test. l was connected to the wifi with the same test PC, it is open SSID network without the authentication. So once l connected l can access resources locally and even withing the different zone where no auth required. Trying access the internet, the policy has a user-id enable with CP. Opening google.com, dns works fine, traffic logs shows that the client is sending some bytes/packets to the Palo interface (Palo interface configured a CP portal as well as the default gateway for the clients). 0 packets sent back to the client, and PCAP shows all traffic is dropped.
Then another test manually typing a CP URL into the Chrome as below:
http://guestportal.xxx
https://guestportal.xxx
http://10.128.32.1
https://10.128.32.1
none of the above work
But l was suddenly redirected when l typed random URL but this time l used 6082 port number:
So Captive Portal has appeared and l was able to input my username/password and successfully was able to browse the internet. For some reasons, http and https requests are not getting redirected to the Captive Portal:
Any thoughts guys?
Thx,
Myky
Was interesting one 🙂 But the issue was quite obvious. Palo is configured as syslog listener. It receives a syslog messages from the Kiwi syslog server (fed by Aerohive APs, 120 in total I think). With TAC from the PCAP we could see that the unknown user is coming from the Kiwi as "username= no" syslog string but the Palo syslog parser was mapping that user to "n". So in the end all users were mapped as "domain\n" username hence no CP was presented (as all users have ip addresses). Initially, we have configured ignore user with "domain\n", that didn't work (unknown users mapping time out still was refreshing by syslogs). Took off the domain and left an "n" only and that worked:
Thanks all for the help
EDIT: Upgrade device to the 7.1.9 didn't help
