LDAP auth not working for Palo login

Thanks for your reply Reaper. 

Where would I configure service connections, I do not think I have done that part..

Also for checking connectivity there is no drop down option within the ldap profile as seen below..

Service connections are in device > setup > services >service route configuration

In regards to the dropdown, this will only work when you do this from the firewall, not panorama

All firewalls within the network use default management for all services so I believe this is correct.

As for the dropdown it states read only on the firewall..

Here is the tcpdump...

admin@Firewall01> view-pcap mgmt-pcap mgmt.pcap

reading from file /opt/pan/.debug/mgmtpcap/mgmt.pcap, link-type EN10MB (Ethernet)

11:28:37.895803 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [S], seq 3465360357, win 29200, options [mss 1460,sackOK,TS val 414589708 ecr 0,nop,wscale 7], length 0

11:28:37.896330 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [S.], seq 2111673635, ack 3465360358, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:28:37.896392 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 1, win 229, length 0

11:28:37.897962 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 1:290, ack 1, win 229, length 289

11:28:37.899518 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [P.], seq 1:3773, ack 290, win 8212, length 3772

11:28:37.899560 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 3773, win 288, length 0

11:28:37.911228 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 290:460, ack 3773, win 288, length 170

11:28:37.912785 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [P.], seq 3773:3824, ack 460, win 8211, length 51

11:28:37.912992 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 460:565, ack 3824, win 288, length 105

11:28:37.913689 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [P.], seq 3824:3963, ack 565, win 8211, length 139

11:28:37.913934 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 565:601, ack 3963, win 310, length 36

11:28:37.913976 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 601:632, ack 3963, win 310, length 31

11:28:37.914003 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [F.], seq 632, ack 3963, win 310, length 0

11:28:37.914453 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [R.], seq 3963, ack 632, win 0, length 0

11:28:39.128436 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [S], seq 2893699587, win 29200, options [mss 1460,sackOK,TS val 414590940 ecr 0,nop,wscale 7], length 0

11:28:39.128969 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [S.], seq 1970587809, ack 2893699588, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:28:39.129018 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 1, win 229, length 0

11:28:39.130518 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 1:290, ack 1, win 229, length 289

11:28:39.132071 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [.], seq 1:2921, ack 290, win 8212, length 2920

11:28:39.132109 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 2921, win 274, length 0

11:28:39.132124 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [P.], seq 2921:3773, ack 290, win 8212, length 852

11:28:39.132143 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 3773, win 297, length 0

11:28:39.145406 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 290:460, ack 3773, win 297, length 170

11:28:39.147020 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [P.], seq 3773:3824, ack 460, win 8211, length 51

11:28:39.147353 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 460:565, ack 3824, win 297, length 105

11:28:39.148024 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [P.], seq 3824:3963, ack 565, win 8211, length 139

11:28:39.148655 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 565:601, ack 3963, win 320, length 36

11:28:39.148700 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 601:632, ack 3963, win 320, length 31

11:28:39.148727 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [F.], seq 632, ack 3963, win 320, length 0

11:28:39.149190 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [R.], seq 3963, ack 601, win 0, length 0

Hi Cosim, 

 Thanks for that. I have added the certs as they were missing and re-added the Bind DN and password.

I can see in the logs the errors below. Do I require a policy to allow a connection to the DNS or LDAP servers as I have not added any..

I can ping the DNS name of the LDAP servers from the firewall CLI, and traceroute without issue