Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2371
Views
0
Helpful
3
Replies

Duo breaks after upgrading Palo Alto Firewalls to PANOS 8.1.7

mjaremia
Level 1
Level 1

‎05-23-2019 04:54 AM

We have updated a pair PA-5020’s in our Data Center to PANOS 8.1.7. Duo is no longer working. Has any one else had a similar issue.

What is odd is when we login to the Palo we get a Duo push notification. After hitting approve the username/password disappear on the Palo login page and in red “invalid username and or password” pops up. In the Duo logs we can see where the auth starts and validates the user logging in, shows that the push was approved and that access was granted and then there are two disconnect statements due to “Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.” (Please note IP’s have been replaced with xxx.xxx.xxx.xxx and the username has also been removed and replaced with user.name)

Line 71351: 2019-05-17T14:01:00-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:50877] Got preauth result for user.name: u’auth’
Line 71355: 2019-05-17T14:01:04-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:50877] Duo authentication returned ‘allow’: ‘Success. Logging you in…’
Line 71356: 2019-05-17T14:01:04-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:50877] Success. Logging you in…
Line 71358: 2019-05-17T14:01:04-0400 [DuoAutoLdapServer,17,xxx.xxx.xxx.xxx] [Request from xxx.xxx.xxx.xxx:50877] Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.
Line 71358: 2019-05-17T14:01:04-0400 [DuoAutoLdapServer,17,xxx.xxx.xxx.xxx] [Request from xxx.xxx.xxx.xxx:50877] Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.

I was able to find a forum post about adding the command “allow_unlimited_binds=true” to [ldap_server_auto] section of the authproxy.cfg file. We added this to the config file and it still doesn’t work as well the logging behavior has changed. Below are the logs when attempting to access the updated Firewalls with Duo after this config change

2019-05-22T15:53:06-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:33783] Duo authentication returned ‘allow’: ‘Success. Logging you in…’
2019-05-22T15:53:06-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:33783] Success. Logging you in…
2019-05-22T15:53:06-0400 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/auth>
2019-05-22T15:53:06-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03065330>
2019-05-22T15:53:06-0400 [_ADServiceClientProtocol,client] [Request from xxx.xxx.xxx.xxx:33783] Cannot find username
2019-05-22T15:53:06-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03065330>
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0305E350>
2019-05-22T15:53:07-0400 [_ADServiceClientProtocol,client] [Request from xxx.xxx.xxx.xxx:33783] Cannot find username
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0305E350>
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03091130>
2019-05-22T15:53:07-0400 [_ADServiceClientProtocol,client] [Request from xxx.xxx.xxx.xxx:33783] Cannot find username
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03091130>

This change has not stopped us from being able to login using Duo on all other PA not on PANOS 8.1.x. Has anyone else had this issue? We are also working with Palo TAC to see if it is a bug in PANOS. Just wanted to see if anyone in the Duo community has run into this issue and If you have and were able to fix this issue please share what you did to resolve it, or if you know we are missing something else required in the config file that would fix this please do share? We would like to move past this issue as upgrading is needed as PANOS 8.0 is going EOL.

Labels:
0 Helpful
3 Replies 3

mkorovesisduo
Level 4
Level 4

‎05-23-2019 06:23 AM

Hi there, please contact Duo Support to open a ticket regarding this issue.

0 Helpful

mjaremia
Level 1
Level 1

‎05-23-2019 10:01 AM

Thank you for the update I will call in and open a support case.

0 Helpful

rcrongeyer
Level 1
Level 1

‎05-28-2019 01:09 PM

We had this exact issue. What fixed it for us was to add this line to the auth proxy config:

allow_unlimited_binds=true

Once added we restarted the DUO Auth Proxy service and it started working again.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents