Overview
Multiple Kerberos servers can be configured in a Kerberos Server Profile for user authentication. A secondary Kerberos server, for example, can be specified for redundancy in case of primary server outage.
Issue
The Palo Alto Networks firewall only ever reaches the first Kerberos server. When the first server is down, authentication against the secondary Kerberos server fails.
Symptom
Authentication to the secondary Kerberos server fails with a "timed out" response from the server.
Example of authd.log output:
Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
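To confirm this symptom across a larger authd.log before changing the timeout, the following added Python script (not from this article or from Palo Alto Networks) pairs each "Timed out waiting for response from authd" error with the "Failed to authenticate user" line that follows it within a short window; the sample log lines are constructed, modelled on the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample of authd.log lines, modelled on the excerpt above (not a real capture).
SAMPLE_AUTHD_LOG = """\
Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
Nov 21 16:45:02 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user002
Nov 21 16:51:10 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:51:11 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user003
"""

# "<Mon> <day> <time> [<Level>: ]<function>(<file:line>): <message>"
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<level>\w+): )?(?P<func>\w+)\((?P<src>[^)]+)\): (?P<msg>.*)$"
)
TIMEOUT_MSG = "Timed out waiting for response from authd"
FAILED_RE = re.compile(r"Failed to authenticate user (?P<user>\S+)")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    # authd.log carries no year; a fixed year keeps timestamps comparable.
    ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']} 2000", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "level": m["level"], "func": m["func"], "msg": m["msg"]}

def find_timeout_failures(log_text, window_seconds=2):
    """Return (timestamp, user) for each authentication failure preceded within
    window_seconds by an authd timeout; failures without a timeout have another cause."""
    hits, last_timeout = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if TIMEOUT_MSG in rec["msg"]:
            last_timeout = rec["ts"]
            continue
        fm = FAILED_RE.search(rec["msg"])
        if fm and last_timeout is not None:
            if (rec["ts"] - last_timeout).total_seconds() <= window_seconds:
                hits.append((rec["ts"].strftime("%b %d %H:%M:%S"), fm["user"]))
                last_timeout = None  # one failure attributed per timeout
    return hits

if __name__ == "__main__":
    for when, user in find_timeout_failures(SAMPLE_AUTHD_LOG):
        print(f"{when}: user {user} failed after an authd timeout")
```

A failure such as user002 above, with no preceding timeout, is left out so that unrelated authentication failures are not blamed on the l3-service timeout.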
Cause
It takes 4 seconds before the firewall's authentication function queries the secondary Kerberos server. The default l3-service timeout is 3 seconds, which is shorter than the time needed to reach the secondary server, so the l3-service gives up before it receives a response from the secondary Kerberos server.
Resolution
Change the l3-service timeout value with the commands below.
> configure
# set deviceconfig setting l3-service timeout <value>
# commit
The default for <value> is 3 and the range is from 3 to 30. Test authentication with a value of 5 and adjust as needed.
owner: tshimizu