I’m seeing timeouts during initial auth against AD. ClearPass tries DCERPC
on port 49195, but the FW sees it as ClearPass trying to reuse some old
TCP session and doesn’t allow it, even though I have allow-all, or even tried
port-based rules with all the ports specified in the Aruba docs. After the
timeout ClearPass makes a new connection, but on 135, and then things bind and
auth flows fine. Also after that it can and does use the dynamic port range
from 49159 and up. So it’s the first initial connection that the FW doesn’t
like, because it thinks it’s trying to reuse the same TCP session, but once the
flow is good all the ports work and auth is good.

Anyone with a Palo have any insights on where or what to look at to allow
these initial connections? I can’t believe ClearPass is really trying to
reuse some TCP session that was 12+ hrs old from the previous day.
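One way to test the "stale session reuse" theory described above is to pull the traffic log for the ClearPass-to-DC flows and check whether a new connection really starts on a 4-tuple (source IP, source port, destination IP, destination port) that the firewall last saw many hours earlier, and whether the fallback to the endpoint mapper on tcp/135 followed by a dynamic port then happens. The script below is an added example, not from anyone on this thread and not a ClearPass or Palo Alto tool; the log lines and the one-line-per-event format are constructed for illustration, and the 49152-65535 dynamic range is the Windows default, taken here as an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample log (not a real Palo Alto or ClearPass log format):
# <date> <time> <event> <proto> <src>:<sport> -> <dst>:<dport> <action>
SAMPLE_LOG = """\
2019-11-05 06:01:12 start tcp 10.1.1.5:55872 -> 10.2.2.10:49195 allow
2019-11-05 06:01:13 end   tcp 10.1.1.5:55872 -> 10.2.2.10:49195 allow
2019-11-06 07:30:02 start tcp 10.1.1.5:55872 -> 10.2.2.10:49195 deny
2019-11-06 07:30:32 start tcp 10.1.1.5:55873 -> 10.2.2.10:135 allow
2019-11-06 07:30:33 start tcp 10.1.1.5:55874 -> 10.2.2.10:49160 allow
"""

# Assumed Windows default RPC dynamic port range.
DYNAMIC_RANGE = (49152, 65535)


def parse(log_text):
    """Yield (timestamp, event, (sip, sport, dip, dport), action) per line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # ignore anything that is not a well-formed sample line
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        event, src, dst, action = parts[2], parts[4], parts[6], parts[7]
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield ts, event, (sip, int(sport), dip, int(dport)), action


def find_stale_reuse(log_text, idle=timedelta(hours=1)):
    """Return new connections on a 4-tuple last seen more than `idle` ago.

    Each finding is (start time, 4-tuple, gap since previous activity, action).
    A hit means the client really did pick the same source port toward the
    same destination port, which is what a firewall would treat as reuse of
    a session it still remembers.
    """
    last_seen = {}
    findings = []
    for ts, event, flow, action in parse(log_text):
        prev = last_seen.get(flow)
        if event == "start" and prev is not None and ts - prev > idle:
            findings.append((ts, flow, ts - prev, action))
        last_seen[flow] = ts
    return findings


def fallback_after_deny(log_text, within=timedelta(minutes=5)):
    """For each denied start, report whether the same client then reached the
    endpoint mapper (tcp/135) and a port in DYNAMIC_RANGE within `within`.

    Each result is (deny time, denied dport, reached_135, reached_dynamic).
    """
    events = list(parse(log_text))
    results = []
    for ts, event, (sip, _, dip, dport), action in events:
        if event != "start" or action != "deny":
            continue
        later = [f for t, e, f, a in events
                 if e == "start" and a == "allow"
                 and f[0] == sip and f[2] == dip and ts < t <= ts + within]
        reached_135 = any(f[3] == 135 for f in later)
        reached_dyn = any(DYNAMIC_RANGE[0] <= f[3] <= DYNAMIC_RANGE[1] for f in later)
        results.append((ts, dport, reached_135, reached_dyn))
    return results


if __name__ == "__main__":
    for ts, flow, gap, action in find_stale_reuse(SAMPLE_LOG):
        print(f"{ts} {flow} reused after {gap} -> {action}")
    for ts, dport, epm, dyn in fallback_after_deny(SAMPLE_LOG):
        print(f"{ts} deny on {dport}: epmap={epm} dynamic={dyn}")
```

If the first function produces no hits on real data, the client is not actually reusing a 4-tuple and the "reuse" verdict is more likely the firewall's own session table holding a stale entry than anything ClearPass is doing; if it does, the source port choice on the client side is the thing to look at.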



On Wed, Nov 6, 2019 at 7:57 AM Michael Davis <da...@udel.edu> wrote:

> What PanOS version? We saw one case where the Palo was delivering
> fragments in reverse order, which wasn't technically incorrect, but some
> devices didn't like it.
>
>
> On 11/5/19 6:32 PM, Hurt,Trenton W. wrote:
>
> Hello
>
> Any folks using ClearPass for RADIUS auth against AD with a Palo FW in
> between? Have all the correct ports opened but still seeing some timeouts
> randomly during auth.
>
> Trent Hurt
>
> University of Louisville
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
>
>
> --
>  Mike Davis
>  IT - University of Delaware  - 302.831.8756
>  Newark, DE  19716         Email da...@udel.edu
>
