About CastawayKid

Some of my users get the message stating their GlobalProtect client was unable to contact the gateway immediately after authenticating on their Duo MFA app.  The interesting part is I have not been able to reduce this down to a machine problem.  I have both an iMac and a Windows 10 laptop on my desk here for testing.  I can sign into each of these devices with my user account and then successfully connect to the GlobalProtect gateway with my credentials.  I can then disconnect from GlobalProtect, and while still signed into those machines with my user account, have the problematic user try to connect to the GlobalProtect, upon which they get the same message about the gateway being unavailable.   The fact that the only thing which has changed in this scenario is which user account is being used in the GlobalProtect client is baffling.  I have already opened a case with Palo in the past about this, but they just kept wanting to blame missing updates on the Windows 10 clients.  This still has not addresses the above scenario I detailed.  The machine and the interactively signed in user profile has not changed.   Both my account and the problem account are members of the Domain Users security group and have their primary group membership set to Domain Users.  I am not filtering connections by security group as I have not been able to successfully configure that, so all Active Directory users are allowed to connect at this time.  Both my account and the problem account use Duo MFA.    I am at a loss trying to figure out what could possibly cause this problem at the account level.  The firewall's GlobalProtect log only shows these 3 entries for the problem user (parsed down for brevity): Status          Stage               Event                      Auth Method success       login                 portal-auth              radius success       login                 portal-gen-cookie   radius success       configuration    portal-getconfig      radius ... View more

We have two Aruba wireless controllers in a master / secondary configuration.  Each one has a trunk port which contains about a dozen VLANs with our guest wireless traffic.  The VLANs are arbitrarily assigned to the trunk ports by the controllers and can change depending on network conditions (from what I understand).  The PA-220 is the gateway for the private IP ranges assigned to each of those VLANs.   My question is can I directly connect those two trunk ports to the PA, or will I need an intermediate smart switch to aggregate the two trunks into a single cable that connects to the PA? ... View more

I am hitting an issue where sessions are ending for the reason "aged-out".  Go figure the problem doesn't present itself readily when I have Support on the line.   The Setup: I have two ISPs.  One (I'll call it SummitNet) is an asymmetrical 30Mbps up / 100Mbps down link.  This link handles our business traffic to sister campuses as well as the incoming Internet traffic to our public facing servers.  At the moment it is also the primary ISP for our clients.  There is no NAT in place on this link as all the servers and clients have public addresses.   The second (Charter) is a symmetrical gigabit link.  Because all but one of our public IP ranges are leased from another campus, we cannot simply change the existing advertised routes.  For this reason, I'm attempting to use PBF to send all new sessions from our clients out a NAT interface on this link.  The intention is to set the PBF rule for Symmetric Return so my servers can continue to reply to inbound Internet traffic on the SummitNet link without having to setup an inbound NAT on the Charter link.   My virtual router (I'm only using one) is set with the SummitNet default route having a metric of 10 and the Charter default route having a metric of 11.   With the setup out of the way, now I can present the problem.  I'm going to use YouTube streaming video as the example in these scenerios as it has been the most consistent in replicating the problem.  When I hook my workstation directly to the upstream Charter router, traffic flows as expected and YouTube plays high quality fine.  With my workstation back behind the firewall sending requests out the SummitNet link, YouTube plays fine with both decrypt and no-decrypt test scenerios.  If I send my traffic out the Charter link with the no-decrypt scenerio, YouTube still plays fine.  However, if I enable decryption on the Charter link, YouTube begins to drop quality of playback and eventually halts for buffering.  When it does this, I see the following results in the Traffic monitor log:   As you can see in the screenshot, a number of packets are exchanged in the session before the age-out occurs.    The firewall is a PA-3020.  The Charter link is basically idle as I only am testing a couple client machines on it at a time.  Does anyone have any ideas as to why this may be occuring?   ... View more