Receive 2 Login request for VPN connection everytime

Charles6 · ‎06-11-2019

I use DUO as the 2FA for the Palo Alto Networks GlobalProtect VPN connection.
When I connect to the VPN via GlobalProtect, I always receive 2 login requests. I need to approve the request twice each time.
Do you know how to change the setting to let me receive the 1 login request for every VPN connection?
Thank you.

mkorovesisduo · ‎06-11-2019

Which version of PAN-OS are you using? Did you recently upgrade PAN-OS?

Charles6 · ‎06-12-2019

I’m using Pan OS 8.1 which the firewall is new installed.

mkorovesisduo · ‎06-13-2019

Hey Charles, can you check the timeout and retry settings? Per this Knowledge Base article, this most often occurs when the timeout is too low and the number of retries is set too high. If this is indeed the case with your configuration, try changing your settings to a 60-second timeout and one retry.

Please let me know if this helps.

KevinMcDermott0758 · ‎06-14-2019

I’ve actually been seeing this with Cisco AnyConnect + Duo Radius Proxy too. I haven’t had too much time to dig into it but I did confirm the timeout and retry values were set to the recommended per Duo KB’s. I assumed it was AnyConnect / ASA skipping to ask the 2nd Radius server too quickly, then the person ends up with 2 pushes, but I checked the AAA Stats and the ASA has never actually asked the 2nd Radius server to authenticate.

Rleb · ‎06-17-2019

For PAN VPN there is two levels of auth. One is for the portal itself, the other is for the VPN connection. Remove DUO from one of those workflows.

Charles6 · ‎06-18-2019

Yes, you are right.
Finally I remove gateway authentication and it resume normal.
Thank you very much for all of your reply.
Cheers~