About Chris_Johnston

Timing is perfect as I'm also interested in this.  Per PA docs, not supported OS, but going to open case and check with our SAM as well.   https://docs.paloaltonetworks.com/compatibility-matrix/terminal-services-ts-agent/terminal-services-ts-agent-table.html ... View more

Will need to check your authd.log if you've checked everything from above.  I would also double check your firewall policy to ensure that dataplane source interface/zone is allowed to the other zone that 10.10.10.100 exists in.   I've also noticed theres more helpful information in group mapping failures versus auth attempts (lists bad password/fail to connect/etc).  Do you have group mapping configured for the associated ldap profile?  If you show the group mapping state, what is the output? CLI show user group-mapping state <name of group mapping profile referencing the LDAP Profile>   Future troubleshooting for auth specific, if group mapping is successful. SSH to firewall, issue the following command tail follow yes mp-log authd.log   while that is running, test authentication via another SSH window and paste results (sans business specific information that may be present)     ... View more

As Josh said, upgrade to latest version.  There were changes to the extension used (Kernal versus System) in Catalina, and you'll want 5.1.3. (I believe) minimum, however, there are significnat fixes in 5.1.5 as well. ... View more

In your PanGPS.log, filter off the following: Debug(3221)   The response times it will list are the tcp connection time and ssl handshake time. ... View more

Upgrade to GP 5.1.latest (or 5.2).  GlobalProtect changed their extension mode for Catalina (Kernal to System, or System to Kernal, I can't keep track) so there are going to be compatibility issues until that upgraded. ... View more

Bind timeout - Time spent trying to connect to a server before marking it 'down'.  Will try next in list Search timeout  - Time spent on a successful server attempting a search.  Does not mark it down, just incomplete Retry - Time to 'wait' before reconnecting to a 'down' server (from bind)     When the auth is failing, is it returning an 'auth failed' to the user, or just timing out?  If auth failed, they need to enter their username/pw correctly (in format the DC likes)   Would suggest (since you have two servers) lowing BIND to 10 seconds, leave search as is. For the retry interval - lower is good for a network 'blip'.  Higher is better if you feel the outage will be > 60 second (reboot of server). ... View more

IP to UserMapping is separate than LDAP.    Based off your error message in the first screenshot, 'Failed to create a session with LDAP server', I would point towards a network level issue from the firewall MGMT IP (assuming no custom service routing) and the LDAP controller.  Could also be permissions on the service account used, but I would bet dollars to donuts it's network level.  Also - TLS/389?  I know it's possible, but...might need to swap to port 636   Local auth used in second is just authenticating against the local user database on the FW, no LDAP connection needed ... View more