GP VPN users can't connect when we run PAN-OS 8.1

L2 Linker

Hi

Has anyone had any issues with users connecting in using GlobalProtect once they have upgraded from PAN-OS 8.0.15 to any version of 8.1?

I had a change window the other night and updated to 8.1.6, and everything worked fine except for VPN access: people connecting in would constantly be prompted to type in the token passcode. We could see errors on our RADIUS server and RSA servers but nothing in the system log on the firewall. As soon as I failed back to using 8.0.15, VPN access was restored. I have logged a tech support call about this and pointed out there was a bug we had last year that was fixed, but it seems that maybe in 8.1 either this fix hasn't been applied or in 8.1 GP clients log in differently? I am still waiting for TAC to get back to me, but I just thought I would reach out on here as well. We are still running GP version 3.1.5-9 as well.

Accepted Solutions
L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

That's probably because your RADIUS name is the same as your AD name; my AD name is dotted.

So I ran a RADIUS debug and it is not only sending the dotted username but also the AD password... read on...

OK, got it sussed...

You need to change the portal app setting "use single sign on" from "yes" to "no". The default is yes and this never made much difference before, but I do know they made a lot of updates to SSO in 8.1 so probably fixed it too much... Ha ha.

This is now working for me and breaks again when SSO is set to yes.

All Replies
L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

It's a shame you cannot replicate the issue on a test box.

When the users were re-prompted for the passcode, was it for the gateway or the portal?

If the gateway only, then maybe an issue with authentication override; if portal (or web page to portal), then it may simply be an issue regarding PAP/CHAP.

What was the error on the RSA/RADIUS servers?

L2 Linker

Re: GP VPN users can't connect when we run PAN-OS 8.1

Hi

From the end user's perspective, it was the GlobalProtect client that kept on asking them to enter a passcode again, so I would say it was from the portal, NOT the gateway.

On our RADIUS server you would see 2 hits for each attempt, one success and one failure, even though at the other end (VPN client end) the user would just be prompted for a passcode again. The RADIUS logs say user authentication failed, check RSA logs.

RSA has a bit more info but seems to point to the user not putting in the correct token code or a bad PIN, which I would normally believe, but we tried a couple of IT people to test and they couldn't all forget their PIN or type in an incorrect token code at the same time, but then get it working when we tried it on the firewall running 8.0.15. That's why I was thinking maybe something had changed between 8.0 and 8.1, or maybe the GP version we have isn't supported in 8.1?

L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

OK, thanks for the update.

Your monitor/system will show you where the auth is failing, but no good to you now, I suppose.

When the user was prompted to re-enter the passcode, did they wait for it to change?

L2 Linker

Re: GP VPN users can't connect when we run PAN-OS 8.1

I even tested it at the same time and tried a few things: made sure I had the correct PIN, the token wasn't about to expire, even waited for a next token code, but still nothing.

It seems there may be nothing obvious that has changed, but I will have to wait for TAC to get back to see if they can think of anything. I am probably going to have to schedule in some time for an out-of-hours upgrade again and test it again and again.

L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

Sure, you do not have much choice. I have just bumped my QA pair to 8.16 from 8.10 to see what happens...

Sorry... 8.16 from 8.00

L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

OK, upgraded and re-prompted for gateway auth, so something has broken... I will check the logs...

L2 Linker

Re: GP VPN users can't connect when we run PAN-OS 8.1

Ah ha, so I'm not the only one that has this issue.

L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

Well, at least 2 of us are... I can see what is going wrong...

Please hold, caller....

L7 Applicator

Re: GP VPN users can't connect when we run PAN-OS 8.1

It is modifying the gateway username, I have no idea why....

It is not using the auth override cookie and is also adding a dot (.) notation to the logon name.

As you can see below.... the first auth is OK at 12:51:44, so portal is done; 4 seconds later it tries to re-use the passcode but with a dot notation.

I'm gonna try to reconfigure auth override.

[Screenshot: Untitled.png]
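Added example, not part of the original thread: a small Python check for the pattern described in the posts above, a RADIUS accept followed seconds later by a reject from the same firewall and client, noting whether the username changed between the two attempts. The log format, usernames and addresses are constructed for illustration; real RADIUS or RSA logs need their own parser.

```python
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "time result user nas= client=" format;
# real RADIUS/RSA logs need their own parser. Names and addresses are made up.
SAMPLE_LOG = """\
12:51:44 ACCEPT jsmith nas=10.0.0.1 client=198.51.100.7
12:51:48 REJECT j.smith nas=10.0.0.1 client=198.51.100.7
12:53:10 ACCEPT akhan nas=10.0.0.1 client=198.51.100.9
12:59:02 REJECT akhan nas=10.0.0.1 client=198.51.100.9
13:02:15 ACCEPT mlee nas=10.0.0.1 client=198.51.100.12
13:02:18 REJECT mlee nas=10.0.0.1 client=198.51.100.12
"""


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, result, user, nas, client = line.split()
    return {
        "time": datetime.strptime(ts, "%H:%M:%S"),
        "result": result,
        "user": user,
        "nas": nas.split("=", 1)[1],
        "client": client.split("=", 1)[1],
    }


def find_reprompts(log_text, window_seconds=10):
    """Return REJECTs that follow an ACCEPT from the same NAS and client
    within the window, i.e. a second auth attempt right after a good one."""
    window = timedelta(seconds=window_seconds)
    last_accept, findings = {}, []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        key = (ev["nas"], ev["client"])
        if ev["result"] == "ACCEPT":
            last_accept[key] = ev
        elif ev["result"] == "REJECT" and key in last_accept:
            prev = last_accept[key]
            gap = ev["time"] - prev["time"]
            if timedelta(0) <= gap <= window:
                findings.append({
                    "accepted_user": prev["user"],
                    "rejected_user": ev["user"],
                    "gap_seconds": int(gap.total_seconds()),
                    "username_changed": prev["user"] != ev["user"],
                })
    return findings
```

A finding with `username_changed` set matches the rewritten-username case in the screenshot post; one without it points at a plain second attempt with the same name, which narrows where to look next.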
