Why GlobalProtect authentication request is not sent to the next server listed in a radius server profile
39809
Created On 12/08/19 07:12 AM - Last Modified 06/29/23 03:49 AM
Question
Why is the authentication request for GlobalProtect not sent to the next server listed in the RADIUS server profile?
In the authd logs, it can be seen that the authentication request sent to the first RADIUS server times out, and no subsequent request is sent to the next server listed in the server profile, resulting in authentication failure.
Below is a sample output from the authd logs using a RADIUS server profile in the authentication profile "radius":
> tail follow yes mp-log authd.log
2019-12-03 00:10:42.447 -0800 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "radius", vsys: "vsys1", policy: "", username "xxxx"> ; timeout setting: 25 secs ; authd id: 6761196628998095063
2019-12-03 00:10:42.448 -0800 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "xxx" with <profile: "radius", vsys: "vsys1">
2019-12-03 00:10:42.448 -0800 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: xxxx
2019-12-03 00:10:42.448 -0800 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
2019-12-03 00:11:07.815 -0800 debug: pan_auth_response_process(pan_auth_state_engine.c:4523): Auth FAILED for user "xxxx" thru <"radius", "vsys1">: remote server 172.16.59.35 of server profile "radius" is down, or in retry interval, or request timed out (elapsed time 25 secs, max allowed 25 secs)
2019-12-03 00:11:07.815 -0800 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'xxxx' (exp_in_days=0 (-1 never; 0 within a day))(authd_id: 6761196628998095063) (return domain 'xxxx')
Environment
The RADIUS server profile used in the GlobalProtect authentication profile has multiple servers listed.
GP Portal:
Authentication profile:
RADIUS server profile:
Answer
The behavior above is caused by the default GlobalProtect timeout of 30 seconds, which in turn makes the default authentication timeout 25 seconds.
The authentication timeout is calculated as (GlobalProtect timeout - 5).
The GlobalProtect timeout should be the same as or greater than the total time that any server profile allows for connection attempts. The total time in a server profile is the timeout value multiplied by the number of retries and the number of servers.
The RADIUS server profile from the previous section has a total time of 56 seconds (7 x 4 x 2, i.e. timeout x retries x servers).
Use the command below to increase the GlobalProtect timeout to 60 seconds in order to allow authentication to continue with the second server:
# set deviceconfig setting global-protect timeout ?
<value> <3-150> timeout in seconds for global-protect gateways
# set deviceconfig setting global-protect timeout 60
# commit
# show deviceconfig setting global-protect
global-protect {
  timeout 60;
}
The authentication timeout increases to 55 seconds.
After the first authentication request times out, authentication continues with the second server and no longer results in PAN_AUTH_FAILURE.
Below is a sample output from the authd logs using RADIUS:
debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "radius", vsys: "vsys1", policy: "", username "xxxx"> ; timeout setting: 55 secs ; authd id: 6761196628998095076
debug: pan_auth_response_process(pan_auth_state_engine.c:4523): Auth FAILED for user "xxxx" thru <"radius", "vsys1">: remote server 172.16.59.35 of server profile "radius" is down, or in retry interval, or request timed out (elapsed time 39 secs, max allowed 55 secs)
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "xxxx" with <profile: "radius", vsys: "vsys1">
debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: xxxx
debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
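The timeout arithmetic from the Answer section and the authd log symptom from the Question section, as an added worked example (this is not Palo Alto Networks code; the sample log lines are constructed to mirror the ones quoted above, and the regular expression assumes the "Auth FAILED ... (elapsed time N secs, max allowed M secs)" line format shown on this page):

```python
import re

# Constructed authd.log lines, modelled on the ones quoted in this article (not real captures).
SAMPLE_AUTHD_LINES = [
    '2019-12-03 00:10:42.447 -0800 debug: _authenticate_initial(pan_auth_state_engine.c:2371): '
    'Trying to authenticate (init auth): <profile: "radius", vsys: "vsys1", policy: "", '
    'username "xxxx"> ; timeout setting: 25 secs ; authd id: 6761196628998095063',
    '2019-12-03 00:11:07.815 -0800 debug: pan_auth_response_process(pan_auth_state_engine.c:4523): '
    'Auth FAILED for user "xxxx" thru <"radius", "vsys1">: remote server 172.16.59.35 of server '
    'profile "radius" is down, or in retry interval, or request timed out '
    '(elapsed time 25 secs, max allowed 25 secs)',
]

def authd_timeout(gp_timeout):
    """Authentication timeout as the article states it: GlobalProtect timeout minus 5 seconds."""
    return gp_timeout - 5

def profile_total_time(server_timeout, retries, servers):
    """Total time a server profile may spend: timeout x retries x number of servers."""
    return server_timeout * retries * servers

def minimum_gp_timeout(server_timeout, retries, servers):
    """Smallest GlobalProtect timeout that covers the profile (the CLI on this page accepts 3-150)."""
    return max(3, profile_total_time(server_timeout, retries, servers))

def failover_fits(gp_timeout, server_timeout, retries, servers):
    """True when the GlobalProtect timeout is at least the profile's total time."""
    return gp_timeout >= profile_total_time(server_timeout, retries, servers)

# Assumed line format, taken from the quoted "Auth FAILED" lines; adjust if your PAN-OS differs.
AUTH_FAILED_RE = re.compile(
    r'Auth FAILED for user "(?P<user>[^"]*)".*?remote server (?P<server>\S+) of server profile '
    r'"(?P<profile>[^"]*)".*?\(elapsed time (?P<elapsed>\d+) secs, max allowed (?P<max>\d+) secs\)'
)

def find_authd_timeouts(lines):
    """One record per 'Auth FAILED' line. hit_authd_timeout is True when elapsed reached
    max allowed, i.e. authd gave up before the profile could move on to the next server."""
    hits = []
    for line in lines:
        m = AUTH_FAILED_RE.search(line)
        if not m:
            continue
        elapsed, max_allowed = int(m["elapsed"]), int(m["max"])
        hits.append({"user": m["user"], "server": m["server"], "profile": m["profile"],
                     "elapsed": elapsed, "max_allowed": max_allowed,
                     "hit_authd_timeout": elapsed >= max_allowed})
    return hits
```

Run find_authd_timeouts over a tailed authd.log and any record with hit_authd_timeout set points at the GlobalProtect timeout rather than at the RADIUS server itself; minimum_gp_timeout gives the value to set.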
Additional Information
The GlobalProtect default timeout cannot be seen using the command below unless it has been modified, or explicitly reset to the default value:
# show deviceconfig setting global-protect