Pc does not join into Domain


Hi,

I cannot join a domain when the computer passes through the PA.

This is my scenario:

PC - PaloAlto - Switch - DomainController

The PC and Domain controller are in the same Zone (trust) and I have a security rule: from zone trust, to zone trust, permit all.

I can see a lot of Kerberos v5 packets with bad checksums.

Regards,

13 REPLIES

The packet is not dropped, because when you use packet capture you can choose different stages. If it was dropped it should appear in the drop stage, and whether it is dropped or not it should appear in the received stage, and it does not appear in any stage. It only appears in the received stage when I use no session offline.

The PaloAlto has a permit any any any ... and both sides of traffic are in the same security zone. Also multicast is allowed (but it is not a multicast traffic).

This case is only happening in one scenario. We tried to reproduce it in a lab and we do not have this problem.

Since it's not reproducible, could it be that the packets have a bad checksum or something?

Which with offloading would drop the packet straight away but with offloading disabled would hit the received stage (and then be discarded)?

Hello mikand,

In my Wireshark capture (done using port mirroring on the switch), no packet shows a bad checksum error.

When I disable offloading, the packet hits the received stage and passes through the firewall, and users complete the pre-authentication.

This case appeared when I tried to replace a Fortigate firewall with a PaloAlto. With the Fortigate firewall the problem did not exist, as with the PaloAlto without offloading enabled.

These facts lead us to think it is a PaloAlto issue in its session hardware acceleration, but only for this client, because we are not able to reproduce the scenario.


Hi All,

 

I also experienced the same issue. Do we already have a solution for this one?
