User Authentication Fails with Secondary Kerberos Server in a Kerberos Server Profile

11532
Created On 09/26/18 13:49 PM - Last Modified 06/05/23 20:34 PM


Resolution


Overview

Multiple Kerberos servers can be configured in a Kerberos Server Profile for user authentication. A secondary Kerberos server, for example, can be specified for redundancy in case of primary server outage.


Issue

The Palo Alto Networks firewall only accesses the first Kerberos server. Authentication fails with the secondary Kerberos server during an outage of the first server.


Symptom

Authentication against the secondary Kerberos server fails with a "timed out" response.


Example of authd.log output:

Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
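To spot this condition in an exported authd.log before touching the timeout, the following added Python script (not part of the original article) parses lines in the format shown above, pairs each "Failed to authenticate user" error with the "Timed out waiting for response from authd" error that precedes it, and reports the affected users. The embedded log lines are constructed from the excerpt above; a failure with no preceding timeout is included to show it is not counted.

```python
import re
from collections import defaultdict

# Matches authd.log lines of the form shown in the article:
# "<Mon> <day> <hh:mm:ss> [Error: ]<function>(<file>:<line>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:Error: )?(?P<func>\w+)\((?P<src>[\w.]+:\d+)\): (?P<msg>.*)$"
)
TIMEOUT_MARK = "Timed out waiting for response from authd"
FAIL_RE = re.compile(r"Failed to authenticate user (?P<user>\S+)")

def parse_authd(lines):
    """Yield a dict per line that matches the authd.log format; skip others."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_timeout_failures(lines):
    """Return {user: count} of authentication failures that followed an authd
    timeout (with no other failure in between). That pairing is the signature
    of the l3-service timeout expiring before the secondary Kerberos server
    has answered."""
    result = defaultdict(int)
    saw_timeout = False
    for rec in parse_authd(lines):
        if TIMEOUT_MARK in rec["msg"]:
            saw_timeout = True
            continue
        fm = FAIL_RE.search(rec["msg"])
        if fm:
            if saw_timeout:
                result[fm.group("user")] += 1
            saw_timeout = False  # each failure consumes the pending timeout
    return dict(result)

# Constructed sample based on the article's excerpt; the last line is a
# failure without a preceding timeout and must not be counted.
SAMPLE_LOG = """\
Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
Nov 21 16:43:02 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:43:02 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
Nov 21 16:44:10 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user002
""".splitlines()

if __name__ == "__main__":
    for user, n in find_timeout_failures(SAMPLE_LOG).items():
        print(f"{user}: {n} failure(s) after authd timeout; check l3-service timeout")
```

Users listed by the script are the ones to re-test after raising the l3-service timeout as described in the Resolution section.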


Cause

The firewall's authentication function takes 4 seconds before it queries the secondary Kerberos server. The default l3-service timeout is 3 seconds, which is shorter than the time needed to query the secondary server, so the l3-service gives up before it receives a response from the secondary Kerberos server.


Resolution

Change the l3-service timeout value with the commands below.

> configure

# set deviceconfig setting l3-service timeout <value>

# commit

The default for <value> is 3 seconds and the permitted range is 3 to 30. Test authentication with a value of 5 and adjust as needed.


owner: tshimizu



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrPCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail