Imported users don’t have the Activate Duo Mobile option

Situation: After importing some users into the Duo admin panel, the client doesn’t see the option to activate Duo Mobile for them.

However, if he adds a user manually, he does see Activate Duo Mobile under Phones.

Resolution: Go to Duo admin panel > Users, select the affected username, then scroll down until you see the Phones section.

After that, click the problematic phone number, scroll down to Settings, change Type from the user’s mobile device OS type to Generic Smartphone, and save.

Once you change the type of the user’s device, you should be able to send them a Duo activation link.


Emails stay in the Outlook Outbox for a long time

If your emails are getting stuck in the Outbox folder in Microsoft Outlook, there are several troubleshooting steps you can try to resolve the issue:

  1. Check your internet connection: Ensure that you have a stable and active internet connection. Poor or intermittent connectivity can prevent emails from being sent.
  2. Review email settings: Verify that your email account settings in Outlook are correctly configured. Check the server settings, ports, and authentication settings to ensure they match the requirements of your email provider. You may need to contact your email service provider for the correct settings.
  3. Clear the Outbox: Sometimes, a corrupted email or attachment can cause emails to get stuck in the Outbox. Clearing the Outbox folder can help resolve this issue. Right-click on the Outbox folder and select “Empty Folder” or “Delete All”.
  4. Disable add-ins: Add-ins in Outlook can sometimes interfere with the sending of emails. Try disabling any recently installed or suspicious add-ins to see if it resolves the problem. You can access the add-ins manager in Outlook’s settings or options menu.
  5. Send/Receive manually: Instead of relying on automatic send/receive intervals, try manually sending the email. Click on the “Send/Receive” tab in the Outlook ribbon and then click “Send All” or press F9 to initiate a manual send/receive.
  6. Check email size and attachments: Large attachments or emails with extensive content may take longer to send. If you’re sending large files, consider compressing them into a zip file or using cloud storage services for sharing links instead.
  7. Update Outlook: Ensure that you have the latest updates installed for Microsoft Outlook. Updates often include bug fixes and improvements that can resolve issues like emails getting stuck in the Outbox.
  8. Temporarily disable antivirus/firewall: In some cases, security software or firewalls can interfere with email sending. Temporarily disabling these programs can help determine if they are the cause of the issue.

Fixing the DUO MFA approval popup appearing twice on GlobalProtect login

Q: We configured a PA 850 firewall to use DUO for GlobalProtect MFA. It works. However, we have an issue. In GlobalProtect Gateway Configuration > Agent > Client Settings, if I add a user, for example blin, it works fine. If I add an AD OU, for example Employees, the login user will get the DUO approval popup twice.


From the DUO Authentication, I can see two Granted.


Why does it work if I add users manually one by one, but pop up two MFA approvals if I add the group or OU to the Gateways?

Troubleshooting: If you configure DUO MFA on both the Portal and the Gateway, you need to enable authentication override cookies so that the second authentication is satisfied by the cookie and the user is not prompted twice.

To resolve this matter, please follow the step-by-step instructions provided below:

  1. Go to Network > GlobalProtect > Gateways.
  2. Locate the Gateway Profile and click on “Agent,” followed by “Client Settings.”
  3. Select the “End Users Agent” and navigate to the “Authentication override” tab.
  4. Ensure that both the “Generate cookie for authentication override” and “Accept cookie for authentication override” options are checked.
  5. By default, the “Cookie Lifetime” is set to 8. Please verify this value and make adjustments if necessary.
  6. Finally, select a “Certificate to Encrypt/Decrypt Cookie.”
  7. Click OK and then Commit.

This is from PA support:

Please note that these changes need to be implemented on both the DUO MF VPN and End Users agents:

1. Navigated to: Network > GlobalProtect > Portals > Agent > Authentication.
2. Set the “Save User Credentials” option to “yes” per your request.
3. Verified that “Generate cookie for authentication override” is enabled under Authentication Override, while “Accept cookie for authentication override” is disabled.
4. Selected the certificate profile.
5. Adjusted the cookie lifetime to expire in 7 days.

Regarding the gateway, we made the following modifications:

1. Accessed: Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override.
2. Ensured that “Generate cookie for authentication override” is disabled, and “Accept cookie for authentication override” is enabled.

Palo Alto Firewall Authentication Sequence problem

I configured DUO Proxy for GlobalProtect MFA redundancy on our PA 850 firewall using an Authentication Sequence. This post shows how I configured it: Configure two duo proxy servers for Palo alto firewall MFA redundancy – Net/PC How to (howtonetworki…

The problem I have is that when the top Authentication profile or its DUO Proxy server is down, users can’t log in to GlobalProtect. The DUO Proxy server and the PA authentication profile are not the issue, because I can run the test command successfully:

test authentication authentication-profile <authentication-profile-name> username <username> password

Also, if I move the second profile (DUO Authentication-2 in my example) to the top, it works.


The problem is that if the top authentication DUO proxy server (DUO Authentication-2) is down, no one can log in. MONITOR > Logs > System doesn’t show any authentication information. If I move the second authentication profile (DUO Authentication in my example) to the top, then it works again. I think it is an Authentication Sequence problem but can’t figure out how to fix it.

Troubleshooting:

By default, GlobalProtect’s timeout is 30 seconds. If the RADIUS server profile is set to a 30-second timeout with 3 retries, the Authentication Sequence may not fall through to the next profile before GlobalProtect gives up, so the login times out.

You’ll need to adjust things a bit to account for the delay being introduced by the authentication sequence and the down host. This setting works for us.

Timeout and retry settings on the first RADIUS Profile (screenshot not reproduced).

Timeout and retry settings on the second RADIUS Profile (screenshot not reproduced).

Please refer to this document:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A…


Can’t log in to GlobalProtect and Monitor > Traffic doesn’t show any info

Situation: Some of the client’s users can’t log in to GlobalProtect. When checking Monitor > Logs > Traffic, they don’t see any access information for those users.

Troubleshooting: For troubleshooting VPN issues, it is better to check Monitor > Logs > System instead of Traffic, because GlobalProtect authentication failures are logged there. This post may help:

Can’t login GlobalProtect with User is not in allowlist


Palo Alto Firewall blocks downloading files from Dropbox with these errors: something went wrong or There was an error downloading your file

Problem: We have a PA-440 firewall. We have added dropbox.com to OBJECTS > Custom Objects > URL Category and can log in to Dropbox. However, we can’t download files; we get these errors: .pdf files are supported but something went wrong, or There was an error downloading your file.

Troubleshooting:

  1. Log in to the PA firewall.
  2. Go to MONITOR > Logs > URL Filtering.
  3. Filter on the source IP address, for our example ( addr.src in 192.168.10.10 ).
  4. We can see ACTION block-url and the URL, for example previews.dropbox.com.
  5. After we add previews.dropbox.com/ and consent.dropbox.com/ to the custom URL category, we can download files from Dropbox.

Note: Dropbox uses a mix of random URLs and includes across multiple domains. Here are some examples:

dropbox.com/
*.dropbox.com/
dropboxapi.com/
*.dropboxapi.com/
getdropbox.com/
*.getdropbox.com/
dropboxstatic.com/
*.dropboxstatic.com/
dropboxcaptcha.com/
*.dropboxcaptcha.com/

So, the best resolution is configuring a security rule. Please refer to this post:

Create a Policy to allow accessing Dropbox on PA Firewall

DUO proxy server log: User IP not provided. Authorized Networks policies will not work for this authentication

Situation: The GlobalProtect VPN user can’t get authenticated by DUO.

Troubleshooting: When we check the DUO authproxy.log, we see this message: User IP not provided. Authorized Networks policies will not work for this authentication.

Based on ChatGPT:

The error message “User IP not provided. Authorized Networks policies will not work for this authentication” indicates that the Duo proxy server is unable to determine the IP address of the client making the authentication request.

This issue can occur for a few reasons:

  1. The client is not sending its IP address in the authentication request. This can happen if the client is behind a NAT or firewall that is not passing the IP address to the proxy server.
  2. The proxy server is not configured to correctly handle the client’s IP address. This can happen if the proxy server is behind a load balancer or other network infrastructure that is not correctly forwarding the client’s IP address.

To resolve this issue, you can try the following:

  1. Ensure that your client is configured to send its IP address in the authentication request. This may involve configuring your firewall or NAT to forward the IP address to the proxy server.
  2. Configure the Duo proxy server to correctly handle the client’s IP address. This may involve configuring the proxy server to use an X-Forwarded-For header or another mechanism to obtain the client’s IP address.
  3. If you are using a load balancer or other network infrastructure, ensure that it is correctly forwarding the client’s IP address to the Duo proxy server.

If none of the above steps resolve the issue, you may need to contact Duo Support for further assistance.

What we found is that the user’s phone notifications were off, so the log message was a red herring. After having him turn on notifications for the Duo Mobile app, it works.


DUO error: Stopping protocol

There can be various reasons for this error, such as network connectivity issues, incorrect configuration settings, or problems with the Duo Authentication Proxy service itself. To troubleshoot this issue, you can start by checking the log files for the Duo Authentication Proxy service and looking for any error messages or warnings. You can also verify that the configuration settings for the Duo Authentication Proxy are correct and that the Duo server is operational.

Fixing Remote Desktop Services is currently busy

Situation: When attempting to access a RD server, you may receive this message: The task you are trying to do can’t be completed because Remote Desktop Services is currently busy.

Troubleshooting 1: The server is out of RDS licenses.

Troubleshooting 2: Reset Stuck Client Remote Desktop Session on RDS

First of all, try to find and reset a session of the user who cannot logon to the RDS server.

Find a user in the Users tab of the Task Manager and click Log off in the context menu.

In most cases, it is enough to solve the problem. But sometimes we can find multiple hung sessions with the name (4) instead of a username in the Task Manager. As a rule, there will be 4 processes in a hung RDS user session:

  • Client-Server Runtime Process (csrss.exe)
  • Desktop Window Manager (dwm.exe)
  • Windows Logon Application (winlogon.exe)
  • Windows Logon User Interface

To start with, try to reset all hung (4) RDS sessions in the Task Manager. If it does not help, it is better to reboot the server.

But this is often not possible, as it will affect other users’ sessions on the RDS host. So let us try to solve the problem without rebooting the host.

First, run the elevated command prompt and execute the command:

C:\>query session
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 rdp-tcp#5         bob                       2  Active
 console                                     3  Conn
 7a78855482a04...                        65536  Listen
 rdp-tcp                                 65537  Listen

It will show all users and their remote sessions on the RDS host. There are 3 columns we need in the output: SESSIONNAME, USERNAME and ID.

Find the (4) user and its corresponding ID; in this example, it is ID 2. We must kill the csrss.exe process that is running in this session.

Now, display the list of running processes in the session ID we found earlier:

C:\>query process /id 2
 USERNAME              SESSIONNAME         ID    PID  IMAGE
>system                rdp-tcp#5            2   5140  csrss.exe
>system                rdp-tcp#5            2    956  winlogon.exe
>umfd-2                rdp-tcp#5            2   2796  fontdrvhost.exe
>dwm-2                 rdp-tcp#5            2   5888  dwm.exe

Find the csrss.exe process (check the IMAGE column) and its PID. In this case, the PID is 5140. We need to kill this process.

Now, open the Task Manager, go to the Details tab and find the PID and the process from the previous step.

If the PID we need corresponds to the csrss.exe process, kill the process by clicking End task in the context menu or by entering the following command in the command prompt:

taskkill /F /PID 5140

Do it for each (4) user if there are some of them.

Troubleshooting 3: Resetting an RDS User Session

If we were not able to log off a problem user in the Task Manager, we can try to reset an RDS user session from the command prompt:

First, open the command prompt as administrator and run the command:

query session

Copy the SESSIONNAME of the problem user.

Now enter:

reset session <SESSIONNAME>

Specify the session name you copied instead of <SESSIONNAME>.

Do it for each problem RDS user session. Then we may try to log on and a problem should not occur again.
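The query session / reset session / csrss.exe steps from Troubleshooting 2 and 3 above, combined into one script as an added example (this is not code from the original post). Function and parameter names are this example’s own; it assumes an elevated PowerShell prompt on the RDS host and that query.exe, reset.exe and taskkill.exe are on the path as usual:

```powershell
# Added example: automate "query session" -> "reset session" -> kill csrss.exe for hung RDS sessions.
# Run from an elevated PowerShell on the RDS host. Function names are this example's own.

function Get-RdsSession {
    # Parse the output of 'query session' into objects.
    # Columns are SESSIONNAME USERNAME ID STATE TYPE DEVICE, but USERNAME may be blank,
    # so match by pattern (name, optional user, numeric ID, state) instead of splitting on spaces.
    $pattern = '^\s*>?(?<Session>\S*)\s+(?<User>\S*)\s+(?<Id>\d+)\s+(?<State>\w+)'
    foreach ($line in (query session | Select-Object -Skip 1)) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                SessionName = $Matches.Session
                UserName    = $Matches.User
                Id          = [int]$Matches.Id
                State       = $Matches.State
            }
        }
    }
}

function Reset-HungRdsSession {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$SessionId)

    $session = Get-RdsSession | Where-Object { $_.Id -eq $SessionId }
    if (-not $session) { throw "Session ID $SessionId not found in 'query session' output" }

    # Step 1 (Troubleshooting 3): the gentle way, 'reset session <SESSIONNAME>'.
    if ($PSCmdlet.ShouldProcess($session.SessionName, 'reset session')) {
        reset session $session.SessionName
    }

    # Step 2 (Troubleshooting 2): if the session is still listed, kill its csrss.exe.
    # Get-Process exposes each process's SessionId, so 'query process /id' parsing is not needed.
    if (Get-RdsSession | Where-Object { $_.Id -eq $SessionId }) {
        $csrss = Get-Process -Name csrss | Where-Object { $_.SessionId -eq $SessionId }
        if ($csrss -and $PSCmdlet.ShouldProcess("csrss.exe PID $($csrss.Id) in session $SessionId", 'taskkill /F')) {
            taskkill /F /PID $csrss.Id
        }
    }
}

# Usage: review the session list, then reset every session whose USERNAME shows as "(4)".
# Keep -WhatIf on the first run to see what would be reset or killed before doing it for real.
Get-RdsSession | Format-Table -AutoSize
Get-RdsSession | Where-Object { $_.UserName -eq '(4)' } |
    ForEach-Object { Reset-HungRdsSession -SessionId $_.Id -WhatIf }
```

Drop -WhatIf once the listed sessions are the hung ones you expect; killing csrss.exe in the wrong session logs that user off.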

Troubleshooting 4: RDSH server memory issue

A memory leak has been found on some Windows Server 2012 R2 RDSH servers. Over time, these servers begin to refuse both remote desktop connections and local console sign-ins with messages like the following:

The task you are trying to do can’t be completed because Remote Desktop Service is currently busy. Please try again in a few minutes. Other users should still be able to sign in.

Remote Desktop clients attempting to connect also become unresponsive.

To work around this issue, restart the RDSH server.

Also refer to these posts:

Remote desktop services is currently busy

The task you are trying to do can’t be completed because remote desktop services is currently busy but not others when trying to access remote computer using remote desktop?