I'm seeing timeouts during initial auth against AD. ClearPass tries DCERPC on port 49195, but the fw sees it like ClearPass is trying to reuse some old TCP session and doesn't allow it, even though I have allow-all or have even tried port-based rules with all the ports specified from the Aruba docs. After the timeout ClearPass does a new connection, but on 135, and then things bind and auth flows fine. Also after that it can and does use the dynamic port range from 49159 and up. So it's the first initial connection that the fw doesn't like, because it thinks it's trying to reuse the same TCP session, but once the flow is good all the ports work and auth is good.

Anyone with a Palo have any insights on where or what to look at to allow these initial connections? I can't believe ClearPass is really trying to reuse some TCP session that was 12+ hrs old from the previous day.

On Wed, Nov 6, 2019 at 7:57 AM Michael Davis <[email protected]> wrote:
> What PanOS version? We saw one case where the Palo was delivering fragments in reverse order, which wasn't technically incorrect, but some devices didn't like it.
>
> On 11/5/19 6:32 PM, Hurt,Trenton W. wrote:
> > Hello
> >
> > Any folks using ClearPass for RADIUS auth against AD with a Palo fw in between? Have all the correct ports opened but still seeing some timeouts randomly during auth.
> >
> > Trent Hurt
> > University of Louisville
>
> --
> Mike Davis
> IT - University of Delaware - 302.831.8756
> Newark, DE 19716 Email [email protected]

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
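As an added example (not from the thread or from Aruba/Palo Alto), here is a small Python check that runs the diagnostic the post is circling around over constructed firewall-style log lines: MSRPC clients first hit the endpoint mapper on TCP/135 and are then told which dynamic port (Windows default range 49152-65535, which covers the 49159+ ports observed above) to connect to, so a dynamic-port connection that is not preceded by a recent TCP/135 session from the same client looks, to a stateful firewall, like a stale session being reused. The log format, field names and the 5-minute window are my own assumptions; a real firewall traffic log would be the input.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EPM_PORT = 135                      # MSRPC endpoint mapper
DYNAMIC_RANGE = (49152, 65535)      # Windows default dynamic RPC port range
EPM_WINDOW = timedelta(minutes=5)   # assumption: how recent the EPM lookup must be


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"


def parse_line(line: str) -> Flow:
    """Parse a constructed log line: '<iso-ts> <src> -> <dst>:<dport> <action>'."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), action)


def classify(flows):
    """Tag each flow: 'epm', 'bound-dynamic' (EPM lookup seen recently),
    'orphan-dynamic' (dynamic port with no recent EPM lookup), or 'other'."""
    last_epm = {}  # (src, dst) -> timestamp of most recent TCP/135 session
    verdicts = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if f.dport == EPM_PORT:
            last_epm[key] = f.ts
            verdicts.append((f, "epm"))
        elif DYNAMIC_RANGE[0] <= f.dport <= DYNAMIC_RANGE[1]:
            seen = last_epm.get(key)
            bound = seen is not None and f.ts - seen <= EPM_WINDOW
            verdicts.append((f, "bound-dynamic" if bound else "orphan-dynamic"))
        else:
            verdicts.append((f, "other"))
    return verdicts


def orphan_dynamic(lines):
    """Return the dynamic-port flows that had no recent endpoint-mapper session."""
    return [f for f, v in classify([parse_line(l) for l in lines]) if v == "orphan-dynamic"]


# Constructed sample mirroring the thread: day-1 EPM + dynamic port succeed,
# next morning the client goes straight to 49195 (dropped), then 135 + 49160 work.
SAMPLE_LOG = [
    "2019-11-05T13:00:00 10.0.0.5 -> 10.0.0.10:135 allow",
    "2019-11-05T13:00:01 10.0.0.5 -> 10.0.0.10:49195 allow",
    "2019-11-06T08:00:00 10.0.0.5 -> 10.0.0.10:49195 deny",
    "2019-11-06T08:00:30 10.0.0.5 -> 10.0.0.10:135 allow",
    "2019-11-06T08:00:31 10.0.0.5 -> 10.0.0.10:49160 allow",
]
```

Running `orphan_dynamic(SAMPLE_LOG)` on the sample flags only the 08:00 connection to 49195, which is the pattern to look for in the real traffic log before blaming the rule base.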
