Is anyone else running this setup...
Global Protect VPN (iPads specifically) using LDAP (Active Directory) AND client certificate for authentication.
...if you are, have you noticed in the System logs, when a user authenticates to Global Protect the PA logs one or two Auth Fails followed by an Auth Success?
Our users are not noticing anything on their end, but looking at packet captures, it looks like the PA never sends the LDAP request for the first two Auth Fails, then finally sends it on the third Auth.
Currently on 5.0.11. PA Support says to upgrade to 5.0.14, although I did not read anything in the release notes about this being fixed.
If you have seen the packet capture and verified the firewall didn't send packets in the first two attempts, then it's certainly a bug.
Before upgrading to 5.0.14, you should ask the engineer for the root cause, and also ask for the bug that prompted the suggestion to upgrade to 5.0.14.
This will ensure you will not have the same issue after moving to 5.0.14.
I agree with Hardik.
If there is a bug that was fixed in 5.0.14 your support engineer should be able to give you the bug number and a reference in the release notes.
I have another idea.
What does your authentication sequence look like?
Is there only one profile on the profile list?
I observed similar log entries when I had two profiles in one authentication sequence, so PAN tried to authenticate on the first profile and then on the next one if it was unable to authenticate on the first.
Please verify that.