About kgopichand

@DanielBostock  Ok , lets look into this further. If you want , you could open a ticket and one of us will investigate.                                     One thing I noticed is the user attribute that is specified .     You specified  "sAMaccount" . It is supposed to be "sAMAccountName".                Can you please change this entry to  "sAMAccountName" and repeat your tests .     Second point : If you  repeat the command "show user user-attributes user all" a number of times, what attribute do you see for the "Primary user" . Do the primary user attribute always show "sAMAccountName" or does it fluctuate between "sAMAccountName" and "userPrincipalName".           Regards Kavi   ... View more

@DanielBostock  Just wondering if this document would help. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpsCAC     Kavi ... View more

Q1 ) Tunnel monitor is Palo Alto proprietary and as far as I know it should be use between Palo Alto peers to work optimally, am I right? Yes , tunnel monitor is Palo Alto Networks proprietary protocol. Please see this link for more details. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK#:~:text= Q2 ) Considering this if having a VPN between Palo Alto device and another vendor device, would path monitoring for a static route work similar than tunnel monitor? In essence , the goal of path monitoring and tunnel monitoring are the same , but there are some differences. In Path Monitoring , If “all” or “any” of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB. There are two possible actions that can be taken if a monitored destination fails with tunnel monitoring. 1) Wait recover. Wait for the tunnel to recover; do not take additional action. 2) Failover.Traffic will fail over to a backup path, if one is available. The firewall uses routing table lookup to determine routing for the duration of this session.   Q) My idea is that sourcing the path-monitoring pings from the tunnel IP to remote peer´s IP could keep the tunnel up like tunnel monitoring does. (Not having the firewall in passive mode of course) The function of Path monitoring and Tunnel monitoring is not to keep the “tunnel up” . It is used to just monitor if a destination is reachable or not.   If you still have any questions, please open a support ticket and one of us will help you. Kavi   ... View more

Hello Hafeezy2j    Has this problem been resolved. If the problem is not resolved, let us know and we can help. As others have suggested , a packet capture would be a good place to start . If the Packet capture does not help, if you open a ticket with TAC , we can help take a deeper look into what is going on.   Kavi ... View more

Hello Juan Has this problem been resolved. ? If the problem is not resolved , please provide the output of these two commands show user ip-user-mapping-mp all show user ip-user-mapping all   Kavi   ... View more

Hello  Did you get an answer to your question. If you are still experiencing packet loss during tunnel failover, please open a support ticket. A review of the details will be helpful in answering your question.   Kavi ... View more

Hello JP This document should help answer your question. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHFCA0   If you have any further questions after following this document , please open a support ticket.   Kavi ... View more