Policy Based Forwarding - Enforce Symmetric Return

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Policy Based Forwarding - Enforce Symmetric Return

L0 Member

Dear All,

I integrade PALOALTO to Tacacs+ for authenticator, but I got message error as below

Authentication to TACACS+ server at '192.168.101.46' for user 'user1'
Server port: 49, timeout: 10, flag: 0
Egress: 192.168.101.42
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authorization request is created
Authorization request sent with priv_lvl=1 user=user1 service=PaloAlto protocol=
firewall
Authorization failed: Return code: 17 Illegal packet (version=0xc1 type=0x02)
Authentication/authorization failed against TACACS+ server at 192.168.101.46:49
for user user1

Anyone encounter this issue ?


4 REPLIES 4

L2 Linker

Hello,

 

The message body of this post (TACACS issue) doesn't seem to correlate to the subject line (Policy Based Forwarding).

 

Have you opened a support case regarding the TACACS message you posted?

 

Which version of PAN-OS are you running on your firewall?

 

I know there was at least one case where a bug was identified based on how the firewall was sending an invalid message to the TACACS+ server - the resulting behavior was logged the same as you depict in your post. That particular issue was fixed in PAN-OS 8.0.15.

 

Please keep in mind that there will always be cases where further investigation is required in order to obtain the root cause before a final resolution is determined. If you are still experiencing this issue, I would recommend that you open a support case to get assistance with this.

 

Thanks for your post!

 

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA |  USA

 

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

L0 Member

Hi,

 

You have successful authentication from TACACS but there is a missing VSA due to which authorization is failing. To resolve this, configure VSA  with string value as Superuser on the TACACS server.

 

Regards

US

@singhup thanks for your response!

 

@HengTIDC please try the recommended solution and let us know if that works for you.

 

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA |  USA

 

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

You’re welcome. I’m glad that my TAC experience is useful for others. 

  • 8944 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!