Global Protect Authentication Timing Out Before Configured Radius Server Timeout

Global Protect Authentication Timing Out Before Configured Radius Server Timeout

12347
Created On 06/24/19 21:57 PM - Last Modified 06/02/20 01:42 AM


Symptom
  • Global Protect Portal/Gateway Authentication Profile is using RADIUS
  • RADIUS Server is using MFA. 
  • RADIUS Server timeout is set to 40 seconds with 2 retries (effective timeout of 120 Seconds)
  • Global Protect User Connects and doesn't complete the authentication process quickly. 
  • Authentication timeout occurs at 30 seconds. 


Environment
  • Global Protect
  • RADIUS Servers


Cause
  • global-protect timeout defaults to 30 seconds.
  • If global-protect timeout lower than RADIUS server profile timeout/retries, the lower value will be used to timeout the authentication. 
  • The timeout value is the timeout between Global Protect Client and firewall's Global Protect Portal/Gateway web-server. 


Resolution
  • Increase the global-protect-timeout value to be greater than the desired RADIUS authentication timeout. 
>configure
# set deviceconfig setting global-protect timeout 120
#commit


Additional Information
How To Modify The Tunnel Keepalive For GlobalProtect Clients
 


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMD5&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language