GP Authentication issues with Symantec VIP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GP Authentication issues with Symantec VIP

L1 Bithead

Hi,

We are running Palo Alto Global Protect with Symantec VIP MFA. We have run this for quite some time now and it has been stable until recently.

We are seeing random errors appearing on one of the validation servers. It seems Palo is sending the request but Symantec is dropping it. A restart of the validation service on VIP EG fix the issue temporarily but it appears atleast once a day everyday.

I have taken a wireshark capture when the error was happening. You can clearly see the firewall making the request with no response from the server and from packet 7527, this is where i restarted the validation service on Syamentec running on the port you can see response going to the firewall.

 

Understand this looks more like a Symantec issue but the change was made on the firewall which triggered these errors. On Palo i have started using Authentication sequence which goes through 3 profiles. 2 X LDAP and last one Radius. 1 x LDAP is not in use and i will be deleting that.

The radius one has been recently added using Okta MFA. Surprisingly when i remove the profile from the sequence on Palo no errors are seen on Symantec VIP MFA server. I have tested this a number of times now at the cost of some operational impact :(. No other way to reproduce the error. Ignore my feeble attempts to mask the IP.

 

 

Firewall requests.png

SYMANTEC LOGs:

INFO "2021-03-22 12:54:30.027 GMT+1100" 0.0.0.0 RADIUS_SCC_ALL:1901 0 0 "text=Sending Acces-Reject for user [amarsh] , reason=47; Invalid Input." Thread-2932 VSAuthOTPStandardControllerImpl.cpp
AUDIT "2021-03-22 12:54:30.027 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 24597 "text=Access DENIED Invalid Input. ,reason=47; Invalid Input." Thread-2932 VSValidationEngine.c
ERROR "2021-03-22 12:55:36.953 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [106_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:55:39.953 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [107_172.18.17.254_46753_] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:55:39.953 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [108_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:55:41.954 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [109_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:55:44.954 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [110_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:55:44.954 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [111_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:55:50.955 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [112_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:56:01.956 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [113_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:56:03.956 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [114_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:56:04.957 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [115_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
ERROR "2021-03-22 12:56:09.958 GMT+1100" 172.18.17.254 RADIUS_SCC_ALL:1901 0 0 "text=RADIUS request with unique Id [116_172.18.17.254_46753] has timed-out. Dropping the request. Will be purged." Thread-2960 VSAuthManageAuthnRequests.cpp
 
Following was done:
 
Server rebooted but the issue resurfaced next day.
Recreated the service on a different port in Symantec but the issue appeared next day on the new service as the okta profile was still attached.
Timeout increased to 120s but it resurfaced again next day.
Removed Okta radius profile - fixed the issue, 5 days and counting.
 
Need to reenable as i want to use multiple auth profiles and really want to use this feature due to people logging in from different domains and using different MFAs.
3 REPLIES 3

L6 Presenter

Is the RADIUS profile going to Symantec VIP and then to OKTA MFA (please provide info how the RADIUS works and if you are making the SYMANTEC VIP to talk with OKTA ask Symantec if this is possible at all)? Why not directly integrate Okta MFA without RADIUS as this is supported by palo alto?

 

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-multi-factor-auth...

No. Symantec doesnt talk with Okta as there is no value in doing that. they
are independent. I have the sequence like below:

Symantec Radius on port 1901
Symantec Radius on port 19xx (for a different user group. this isnt being
used)
Okta Radius

I have also selected the option where it picks the authentication profile
using domain when a user enters their username. So the request doesnt have
to go through options first second and then third. It goes straight to 3 as
here is where the user puts his mail as his username and i can see Palo go
straight to Okta. So then it becomes completely bewildering if the request
doesnt even go to Symantec and it gets stuck.

My suggestion is to try the Okta MFA without RADIUS as it is supported by Palo Alto and test and say if the issue is still there.

  • 2690 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!