GP Client and DUO 2F Very strange behavior

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GP Client and DUO 2F Very strange behavior

L1 Bithead

Thoughts and ideas are welcome.  Note, I have yet to tune the GP APP on the portal.

 

Okay... I would like to keep this brief, but I have conducted numerous tests and lots of log files.  This is a new implementation and I will tell you what is "broken" and what is NOT broken.  Customer is using GP client ver 6.1 and 5.2.6-87.

 

1. GP client successfully auth to 1f ldap, sussceefully auth to 2f DUO proxy server, using DUO app on iphone, message arrive to accept or reject, I accept and all is perfect.

 

2. Same scenario as above 1, but now DUO is set to actually ring / call the user phone... phone rings.. # to accept and then GP client immediately closes indicating cannot find gateway.  Remember, using DUO app and accept all works well.

 

3. To eliminate the GP components, I did the following... I setup a firewall admin account to when the test admin account logs to the firewall, auth against the DUO Proxy and in this test on the firewall I am using the same radius server and auth profile as above... I test by https to the firewall mgt interface... I enter my creds... I am not doing 1stF, just auth against DUO Proxy via radius... after I enter my firewall admin creds...DUO call me, I accept the call and hit # and I can login to the firewall.  This is similar to 2 above, but I am not using GP and DUO works and I can login.

 

This is a little crazy.  I have lots of interesting logs and from the firewall authd.log... everything is great.. no failures.  The GUI GP logs too look good, but I need to retest.

 

Something interesting from the GP Client logs.....

 

PanGPA log...

 

(P1640-T6924)Info (3368): 12/13/22 14:25:08:190 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RECEIVING_RESPONSE, this=000001B26A0E86B0)
(P1640-T6924)Info (3368): 12/13/22 14:25:08:190 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESPONSE_RECEIVED, this=000001B26A0E86B0)
(P1640-T6924)Info (3368): 12/13/22 14:25:08:190 PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE, this=000001B26A0E86B0)

 

(P1640-T6924)Debug(2366): 12/13/22 14:25:08:190 got header ready event, exit wait loop now

 

(P1640-T6924)Info (2432): 12/13/22 14:25:08:190 http request status code = 502

 

(P1640-T6924)Error(2575): 12/13/22 14:25:08:190 Unexpected http status 502

 

(P1640-T6924)Error(4585): 12/13/22 14:25:08:190 winhttpObj, error! ipaddress vpn.company.com
bRetryWithoutCert is 0, bClientCertNeeded=0

 

(P1640-T6924)Info (3368): 12/13/22 14:25:08:190

 

PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=000001B26A0E86B0)
(P1640-T6924)Debug(3459): 12/13/22 14:25:08:190 handle 67f38be0 closed
(P1640-T6924)Debug(3463): 12/13/22 14:25:08:190 REUSE, request closed
(P1640-T6924)Info ( 860): 12/13/22 14:25:08:190 wait for closing callback success!

1 REPLY 1

L2 Linker

Hi @zenithnetworks 

 

I have not observed this kind of issue, however, have you tried increasing the timeout as suggested in the Duo document?

  1. Increase the "Timeout" to at least 30 (60 recommended if using push or phone authentication).

Suspecting this to a timeout issue. Do you think it take more than 30secs for the call to be received?

This need to be done in the RADIUS server settings > GUI > Device > RADIUS

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!