02-02-2018 07:20 AM
Hi
I've got an issue: when a user connects to our VPN using the GlobalProtect client, the connection takes nearly a minute to connect and in the background creates several failures on our Cisco ISE RADIUS server, before finally letting the user connect.
I have got calls open with both Palo Alto and Cisco support but I kinda feel like I'm not getting anywhere, so I thought I would turn to the forums! Cisco seem to think the Palo Alto FW is not sending the packets as per RFC standards, so therefore the Cisco ISE server is dropping the packets.
Throughout the ongoing support calls we have done packet captures and we can see that ISE is sending State and Class attributes in the Access-Accept packet, but the State attribute (session identification attributes) is missing in the authorize-only request packet from the Palo Alto firewall, hence ISE is not able to process the request.
If you have a Palo Alto FW and a Cisco ISE RADIUS server, do you get these issues?
Cheers
02-02-2018 12:34 PM
Just wondering if you've followed this configuration for using the Cisco ISE with a Palo Alto. You need to include a few VSAs to get everything working correctly.
02-05-2018 01:38 AM
Yeah, it was Cisco that mentioned the VSAs, which have been changed, but still no difference.