This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Captive portal not getting login prompt with IE11.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive portal not getting login prompt with IE11.

inderjit21
L3 Networker

‎05-10-2016 07:24 PM

PANOS- 7.0.6 . I am not getting prompted for captive portal login sometimes with ie11. works with firefox.

 

1 person had this problem.
0 Likes Likes
3 REPLIES 3

rmonvon
L6 Presenter

‎05-11-2016 07:17 AM

Hi...I would recommend checking the SSL cert that is use by Captive Portal and making sure it is accepted by IE11.  However, if it is working intermittently with IE11, I would suggest that you contact Support to have it looked at.

 

Thanks,

0 Likes Likes

mr.linus
L4 Transporter

‎06-29-2017 03:24 AM

Hey,

 

I had the exact same issue and was able to indentfy the root cause:
IE11 with: "Bing" Add-on enabled + search in the address bar enabled

 

If you check with a http watch you can see what is going wrong:

  • When you use IE with the bing add-on and you start to type the url, in the background for each letter you type a new get requests to api.bing.com/xxx is sent out
  • If you type really slowly you can see the captive portal replying with a redirect for each get request
  • If you type quikcly however, it seems like the captive portal has some kind of rate limitting and is not replying to each request
  • This behaviour means that if you type in the full url and press enter immediatly, you can see in the http-watch:
    1) a number of api.bing.com get requests while typing the url
    2) redirect replies from the captive portal for these get requests
    3) the actual get request for the full url
    4) NO redirect reply
    => A blanc page gets displayed
  • If hoewever, you type in the full url and WAIT 1 second before you press enter, you can see in the http-watch:
    1) a number of api.bing.com get requests while typing the url
    2) redirect replies from the captive portal for these get requests
    WAIT 1 second when you have completed the url and then press enter
    3) the actual get request for the full url
    4) a redirect reply from the captive portal
    => Now the captive portal page is shown
  • If you dissable the Bing search add-on, the issue dissapears
    1) No api.bing.com get requests are sent out by the browser as you type in the url
    2) When you press enter after filling in the full url (even without waiting)
    => The captive portal page is displayed immediatly since this is the first redirect that needs to be sent to the client

Root Cause:

It seems like the captive portal is rate limmited and is not answering to all requests

 

Solution:

I have a support case open for this, will answer if they have found a solution

0 Likes Likes

mr.linus
L4 Transporter
In response to mr.linus

‎10-04-2017 06:24 AM

I got an answer from TAC to confirm the PA is indeed rate limitting these requests

 

If the client sends a lot of HTTP requests to the firewall, the firewall may drop the connection because this went beyond the captive portal limit. By default, the firewall captive portal has a maximum limit of 1 request every 2 seconds from any client. 

Default settings is PAN firewall to only redirect 1 GET request per 2 seconds per src IP (other connections get TCP RST). 

In order to change this behavior we imposed the following commands : 
>configure 
#set deviceconfig setting ctd cap-portal-ask-requests 2 
#set deviceconfig setting ctd cap-portal-ask-timeout 1 
#commit 

For the setting above, it will mean increasing the number of request per second (timeout) per IP address to 2, just enough to accommodate our needs and not to create a condition where MP can be overwhelmed with HTTP redirects

To see the dropped requests you can configure a filter to match client's requests and then list the delta for global counters and search for counter named ctd_cp_drop. In my example 25 requests were dropped
admin@PA-3020> show counter global filter packet-filter yes delta yes | match ctd_cp_drop
ctd_cp_drop 25 0 info ctd pktproc The number of sessions dropped because of captive portal page
admin@PA-3020>

When bing extension is used, it would generate 1 HTTP GET request for one character. Thus, after typing a long URL the limit of 1 GET request per 2 seconds can be easily reached.


0 Likes Likes
  • 3673 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks