11-07-2018 10:15 AM
For globalprotect I have a radius server profile with two servers in it. I have noticed that all authentication goes to the first server in the list all the time. And that works. However, in testing, I have shut off the first server and the firewall never tries to send authentcation to the second server. If I use the "test authentication" command on the firewall CLI, it does fail over to the second server and authentication succeeds. If I go back to the globalprotect client and try again, the firewall only tries the first server and authentication fails. I have verified this with packet captures on the actual radius servers.
This seems to be incorrect behavior. Is it possible that there is a known bug about this? I'm using the same authentication profile in the globalprotect portal configuration as I am on the test CLI command.
11-07-2018 12:32 PM
To know if you are hitting a known bug, we would need to know your PAN-OS version and GP agent version 😉
I recall this issue a while ago this issue was brought up and the fix was modifying the retries and timout values lower; something with that agent version was timing out the authentication on the agent side of things before getting a response. That particular issue if I recall correctly had much higher values in both fields however.
11-07-2018 12:43 PM
Our PAN-OS is 8.0.10. Maintenance night is next Friday, we'll jump to 8.0.13 at that point unless 8.0.14 gets released before then.
Globalprotect is 4.1.5.
I tried setting the timeout to 1 second and retries to 1 in the server profile, but that didn't make a difference. The globalprotect client says "connecting..." for a good 30 seconds before giving up (I haven't timed it, but it's feels long). The CLI fails over to the second server in the 1 second timeout that's configured.
11-07-2018 01:01 PM
I don't think it's your PAN-OS version, nothing in the release notes point towards a fix for anything to do with RADIUS between those versions. You could be running into GPC-7215 if you are using SSO.
11-08-2018 06:58 AM
yes @BPry i remember that post too!
unfortunately the poster never updated so still hanging...
the main pont to remember is that the max retries is 5.
so if you have 2 servers then only set retries to 3. (or less)
I have just tested 4.15, i have radius server profile with 2 laptops running wireshark.
the timeout is 3 and retries is 3.
i see the first laptop get 3 radius requests with about a 3 to 3.5 second interval.
i then see laptop 2 get 2 radius requests (total 5) with similar intervals.
as soon as the second one times out my GP client re prompts for username and password so all looking OK.
i cannot think why you would have such an issue... i have tested this on V7.1x and 8.08
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
