Why GlobalProtect authentication request is not sent to the next server listed in a radius server profile

Why GlobalProtect authentication request is not sent to the next server listed in a radius server profile

19771
Created On 12/08/19 07:12 AM - Last Modified 10/28/20 23:23 PM


Question
Why authentication request for GlobalProtect is not sent to the next server listed in the radius server profile?

In the authd logs, it can be seen that authentication requests sent to the first radius sever times out, and another request is not sent to the next server listed in the server profile resulting in authentication failure.

Below is a sample output from authd logs using radius server in the authentication profile "radius":
> tail follow yes mp-log authd.log

2019-12-03 00:10:42.447 -0800 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile:
 "radius", vsys: "vsys1", policy: "", username "xxxx"> ; timeout setting: 25 secs ; authd id: 6761196628998095063
2019-12-03 00:10:42.448 -0800 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "xxx"
 with <profile: "radius", vsys: "vsys1">
2019-12-03 00:10:42.448 -0800 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: xxxx
2019-12-03 00:10:42.448 -0800 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
2019-12-03 00:11:07.815 -0800 debug: pan_auth_response_process(pan_auth_state_engine.c:4523): Auth FAILED for user "xxxx" thru 
<"radius", "vsys1">: remote server 172.16.59.35 of server profile "radius" is down, or in retry interval, or request timed out
 (elapsed time 25 secs, max allowed 25 secs)
2019-12-03 00:11:07.815 -0800 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'xxxx'
 (exp_in_days=0 (-1 never; 0 within a day))(authd_id: 6761196628998095063) (return domain 'xxxx')


Environment
The radius server profile used in the GlobalProtect authentication profile has multiple servers listed.

GP Portal:

portal authentication tab

Authentication profile:

User-added image

Radius server profile:

User-added image


Answer
The above behavior is seen due to the default timeout of GloablProtect which is 30 seconds, which in turn makes the default authentication timeout 25 seconds.
Authentication time out is calculated as ( GlobalProtect timeout - 5 ).

The GlobalProtect timeout should be the same as or greater than the total time that any server profile allows for connection attempts. The total time in a server profile is the timeout value multiplied by the number of retries and the number of servers.
The radius server profile from the previous section has timeout value of 56 seconds (7x4x2).

Use the below command to increase the GlobalProtect timeout to 60 seconds in order to allow authentication to continue with the second server:
 
# set deviceconfig setting global-protect timeout ?
  <value>  <3-150> timeout in seconds for global-protect gateways
# set deviceconfig setting global-protect timeout 60
#commit
# show deviceconfig setting global-protect
global-protect {
  timeout 60;
}



Authentication time out increases to 55 seconds.
After the first authentication request times out, authentication continues with the second server and does not result in PAN_AUTH_FAILURE.

Below is a sample output from authd logs using radius:
 
debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "radius", vsys: "vsys1",
policy: "", username "xxxx"> ; timeout setting: 55 secs ; authd id: 6761196628998095076
debug: pan_auth_response_process(pan_auth_state_engine.c:4523): Auth FAILED for user "xxxx" thru <"radius", "vsys1">: remote server
172.16.59.35 of server profile "radius" is down, or in retry interval, or request timed out (elapsed time 39 secs, max allowed 55 secs)
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "xxxx" with <profile: "radius", 
vsys: "vsys1">
debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: xxxx
debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP


Additional Information
GlobalProtect default timeout can not be seen using the below command unless it is modified or reset to the default value again:

# show deviceconfig setting global-protect


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PNma&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language