About dmifsud

Hello,   On this forum it would be difficult to determine the cause of the Portal connection failure, but I have seen this before when Zscalar was blocking a response. It could really be anything at this stage. (P17196-T12160)Debug(1182): 06/09/22 14:46:41:944 PostRequest error code=12152(The server returned an invalid or unrecognized response)   Internal Host Detection is setting which comes from the Portal. If the Portal is inaccessible, as it shows above, then the cached Portal config is used. If you set "Save Username Only" to "No", GlobalProtect will no longer be able to find a cached config, since the name of it includes a hash of the username and relies on saved username to pick it up. That's why you've started to see the issue after disabling it. (P17196-T12160)Debug(8554): 06/09/22 14:46:41:944 Skip retrieve cached portal configuration for empty user   I would recommend saving the username to ensure a cached config can be used in case of connectivity issues to the Portal. To cache the config, the user will still need to make one successful connection though.   For the WINHTTP error  12152, I would start with checking packet captures and seeing if you can rule out any 3rd party intrusive/security software by disabling them temporarily under test conditions.   - DM ... View more

Hello,   You can add groups, but you need to make sure the group has been pulled via your group-mapping config, and that the user is in that group in the right format. Verify with the following commands that: - The group is pulled by group-mapping - The user is listed as being in that group on the firewall - The username format format in the IP mapping matches the format of the use listed in that group, or matches an attribute for that user > show user group-mapping state all > show user group name <group name> > show user ip-user-mapping ip <gp IP while connected> > show user user-attributes user <username>   It's possible that there's a domain mismatch which often happens. Make sure that you have a domain map as well: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFn ... View more

Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.   Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something. > show user group-mapping state all   The useridd log will contain the actual connection attempts to LDAP/LDAPS. > less mp-log useridd.log   If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.   If the firewall is actually connecting and you still see 0 groups, you might have the base dn in your LDAP profile set incorrectly. You need to set this either at the root, or to somewhere which is in between the root and where the users and groups are both configured. ... View more

Hi,   As far as I know, this isn't a bug. l3svc just needs to restart on every commit.   It would be worth opening a case with TAC and reporting that this is causing a service interruption for you.   - DM ... View more

When you say the firewall is dropping this, did you see the server hello in the 'drop' stage capture? Or did you see it in the receive stage capture, but not the transmit?   If you see it in the drop stage, you can usually get more info on the drop reason by checking the global counters: - When your pcap filter is set and enabled, log onto the CLI - Run the command 'show counter global filter packet-filter yes delta yes' - Test the connection, allow it to fail - Run the command 'show counter global filter packet-filter yes delta yes' - this time check for any 'drop' counters   It's important that you also check the pcap at the 'transmit' stage - if you see the packet in the transmit stage, it is not dropped by the firewall. 99% of the time when I see and issue with server hello dropping somewhere, it's because of MTU as it's the first part of the handshake which will send a full sized packet.   Basically, make sure you pcap at receive, transmit and drop. Receive only is not enough for a diagnosis.   - DM ... View more

Not PAN-OS specific, but Alt + backspace will delete 1 word at a time (the one before the cursor) - is that what you need?   - DM ... View more

Hesitant to point to any kind of cause, bug included, with such little data, but it could be a packet buffer leak. Are you seeing this on both or just on one? You will want to take action before that hits 100%, might be a good idea to schedule a failover or even restart.   I would advise you get a Tech Support File off of the device and raise a support case with it, along with the screenshot you provided.   - DM ... View more

Hello,   Personally I would set up a packet capture at the receive, transmit and drop stages, then check: 1) Does the firewall transmit the request (assuming yes) 2) Does the firewall receive the response from 8.8.8.8 3) If it does, does it transmit this to the client   You can check the drop capture for any drops, although if the counters are clean you shouldn't be seeing anything there.   Also, open the detailed log view (that magnifying glass at the left-most side of the traffic log) to check NAT was performed and if the NAT IP/interface make sense.   - DM ... View more

Hello,   Windows smart multi-homed name resolution can interfere with this. It will send DNS queries on all adapters: Turn off smart multi-homed name resolution in Windows - gHacks Tech News   It's also true that IPv6 can be used freely if you only have IPv4 GP configured. I don't know why this doc is only available for mobile users/Prisma Access, but the same thing applies to non-mobile users and it is basically about sinkholing the IPv6 traffic towards your GW (Note that this may need a GP GW license, but I assume you have this if you are using Split-DNS). Sinkhole IPv6 Traffic From Mobile Users (paloaltonetworks.com)   Read the first section and then go to 'Set Up an IPv6 Sinkhole On the On-Premise Gateway'.   Probably best if you just disable IPv6 on a client that's having the issue first, just to be sure whether it is IPv6 or not, or just running a pcap on all client interfaces to see if you are getting this from an IPv6 DNS server.   - DM   ... View more

Hi Nagesh,   Please check if this article is applicable: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAcfCAG   - DM   ... View more

Incomplete means 3 way handshake didn't complete.   How many packets sent/received? Usually this is when a SYN is sent but the other side isn't listening or a reply isn't getting back.   Are you sure it's matching the right NAT rule?   What is the session end reason? ... View more