Just trying to get an idea here if anyone else has ran into this issue, I currently have a ticket open with TAC, but as usual its getting into more of a fight about "thats just how it works" and contact your SE if you want to change it!
I currently am running a portal and a gateway on a 7.0.6 firewall, and two other gateways in geographically diverse locations running 7.0.5-h2. I'm using two-factor authentication with Duo. End users are connecting via 3.0.3 GlobalProtect client.
When a GlobalProtect user connects using Auto Discovery and fails to enter an OTP during a single (not currently configurable) gateway timeout period (or N-1 gateways in environment), the gateway sending the authentication attempt is considered timed out during the sorting results. This causes some of my users to experience latent connections because their first and geographically best gateway is thrown out due to latent OTP authentication. The current two-factor authentication for GlobalProtect just doesn't seem to account for real world circumstances where a user may not have their OTP availible at the start of connection, such as their phone is in another room.
Has anyone else ran into this issue? Do you think I have something configured wrong? How do you combat this? Educating the end user (check your gateway and reconnect, only use manual connections, etc)?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!