Duo RD Gateway - "There was an error communicating with the Duo authentication server"

Getting weird connectivity issues with RD Gateway. We have installed both the RD Web and RD Gateway modules on the server. When you connect to the RD Web site, all works fine and we get the push notification. When we connect to the RD Gateway, it says “Initiating remote connection” for 5 to 6 seconds and then denies the connection (we have the FailOpen setting set to 0). In the Application event log, it says “There was an error communicating with the Duo authentication server”.

I’ve tested, and all connectivity looks good (I have followed the instructions in https://help.duo.com/s/article/1336?language=en_US). Also, the fact that the RD Web application works OK shows the communication is there.

I have also rebuilt the server (in AWS) and reinstalled the applications, and it’s the same. I’m totally stumped as to what the issue is; can anyone help?

In case anyone reads this, this appears to be something to do with the Palo Alto firewall at the perimeter. Although there are no indications of anything being blocked in the logs, and indeed we allowed all outgoing HTTPS traffic, when I bypassed the PAN and went straight to the AWS internet gateway, everything worked.

If I get more info, I will add here, but the fix might be to bypass the Palo Alto just for the Duo API external IP.
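The checks below are an added example for readers hitting the same symptom; they are not code from the original poster or from Duo. Run from the RD Gateway host itself, they cover the points raised in the thread: DNS and TCP 443 reachability with timing (a silent drop shows up as a multi-second hang rather than a fast refusal), a full TLS handshake that prints the certificate the server actually sees (an inline device doing SSL decryption presents its own CA as the issuer instead of a public one), an unauthenticated GET to Duo's documented `/auth/v2/ping` endpoint, the WinHTTP proxy that services such as the Duo RD Gateway component use, and the Application log entries quoted in the post. The hostname `api-XXXXXXXX.duosecurity.com` is a placeholder; replace it with the API hostname from the Duo Admin Panel.

```powershell
# Added diagnostic script (not Duo's code). Assumption: the Duo API hostname
# below is a placeholder and must be replaced with the real api-XXXXXXXX value.
param(
    [string]$DuoApiHost = 'api-XXXXXXXX.duosecurity.com'
)

$ErrorActionPreference = 'Continue'

Write-Host "== DNS resolution as seen from this server =="
Resolve-DnsName -Name $DuoApiHost -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress -AutoSize

Write-Host "== TCP 443 reachability and time taken =="
$sw  = [System.Diagnostics.Stopwatch]::StartNew()
$tcp = Test-NetConnection -ComputerName $DuoApiHost -Port 443 -WarningAction SilentlyContinue
$sw.Stop()
"{0}: TcpTestSucceeded={1} after {2} ms via {3} (source {4})" -f `
    $DuoApiHost, $tcp.TcpTestSucceeded, $sw.ElapsedMilliseconds,
    $tcp.InterfaceAlias, $tcp.SourceAddress.IPAddress
if (-not $tcp.TcpTestSucceeded -and $sw.ElapsedMilliseconds -gt 3000) {
    Write-Warning "Slow failure: looks like a silent drop upstream, not a refused connection."
}

Write-Host "== TLS handshake and the certificate this host actually receives =="
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DuoApiHost, 443)
    # Accept any certificate here on purpose: this is a diagnostic, and we want to
    # print an untrusted (intercepted) certificate rather than fail before seeing it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DuoApiHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Protocol : $($ssl.SslProtocol)"
    "Subject  : $($leaf.Subject)"
    "Issuer   : $($leaf.Issuer)"
    "Expires  : $($leaf.NotAfter)"
    # Build the chain against this machine's trust store; any status other than
    # NoError (e.g. UntrustedRoot) means the path to Duo is not end-to-end.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($leaf)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ([string]::IsNullOrEmpty($status)) { $status = 'NoError' }
    "Chain    : $status"
    if ($status -ne 'NoError') {
        Write-Warning "Certificate chain is not trusted. Compare the issuer with what a host outside the firewall sees; a private CA name here means SSL decryption is in the path."
    }
    $ssl.Dispose()
} catch {
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $client.Dispose()
}

Write-Host "== Duo API ping (unauthenticated endpoint) =="
try {
    $r = Invoke-WebRequest -Uri "https://$DuoApiHost/auth/v2/ping" -UseBasicParsing -TimeoutSec 15
    "HTTP $($r.StatusCode): $($r.Content)"
} catch {
    Write-Warning "Ping request failed: $($_.Exception.Message)"
}

Write-Host "== WinHTTP proxy (used by services running as LocalSystem) =="
netsh winhttp show proxy

Write-Host "== Recent Duo errors in the Application log =="
Get-WinEvent -LogName Application -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Duo authentication server*' } |
    Select-Object -First 10 TimeCreated, ProviderName, Id, Message |
    Format-List
```

Run it in an elevated PowerShell session on the gateway, once with the normal route and once with the firewall bypassed as the poster did; the two outputs differ exactly where the path is being interfered with. The RD Web test in the post only proves the browser-facing path works, so the script deliberately tests from the gateway host itself, where the Duo service makes its outbound call.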