I believe we have this issue narrowed down a bit.
Previously, I was seeing periodic authentication failures due to timeout. TAC had me change the timeout value via CLI to 50 seconds (from the default 25 seconds) because periodically the round-trip for the authentication exceeded 25 seconds. This wasn't common but it happened on a few occassionals.
I know see successes and the round-trip is generally 3-6 seconds between the RADIUS Access-Request and the RADIUS Access-Accept packets sent/received on the PAN firewall. The issue is, it often 'loops'.
I'll see a user login to the portal via ISE and then the 'Web Filter' gateway via cookie without issue (normally). Then they select the 'Internal VPN' and there are success messages in the PAN and the Azure logs. However, briefly after (usually 11 seconds as per the logs) they are disconnected from that gateway and dropped back into the 'Web Filter' gateway.
Has anyone seen this behavior before? TAC keeps asking for more and more debugs/captures/etc. but it doesn't feel like we're going to resolve it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!