Fixing Palo Alto Firewall Authentication Issues: Timeout

Situation: The client just configured MFA for their PA 850 Firewall and the test works. However, they can’t log in and receive a timeout message.

Troubleshooting: In most cases, this means the authentication server is inaccessible. When we checked the DUO status, we found the request was denied because of Location Unknown.

As a temporary solution, we enabled Bypass on the DUO website.

Then we found the problem: notifications for the DUO app were turned off. After turning them on, we could log in to the PA 850 without any issues.

Online research suggests the cause could also be a deactivated Duo Mobile app. Also make sure the DUO-PROTECTED account has not been disabled in the DUO app.

Please refer to this post:

Fixing “This CA Root certificate is not trusted”

Situation: The client has an error in their certificate settings.

Resolution: Install the CA Root certificate in the Trusted Root Certification Authorities store.

  1. Click on Install Certificate….
  2. Check Local Machine and then click Next.
  3. Check Place all certificates in the following store and browse to Trusted Root Certification Authorities.
  4. Click on Finish to complete the Certificate Import Wizard.
  5. Make sure the CA Root certificate is listed in Trusted Root Certification Authorities.
  6. Double-click it to make sure there are no more errors.
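The wizard steps above can also be scripted in PowerShell, with a check of the certificate before it is trusted machine-wide. This is an added example, not part of the original post; the file path and the expected thumbprint are placeholders, and the thumbprint is assumed to come from the CA administrator through a separate channel.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Certificate Import Wizard steps.
# Both values below are placeholders; fill them in before running.
$CertPath           = 'C:\Temp\ca-root.cer'
$ExpectedThumbprint = '<THUMBPRINT-FROM-CA-ADMIN>'

# Load the file without installing it, so it can be inspected first.
$fullPath = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# A root certificate is self-signed: Subject and Issuer must match.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Issued by '$($cert.Issuer)': not a root certificate, refusing to add it to Trusted Root."
}

# Anything placed in this store is trusted for every chain on the machine,
# so confirm it is the certificate you were told to expect.
if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

# Reject a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Steps 1-4: Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 5: confirm it is listed in the store.
$installed = Get-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
$installed | Format-List Subject, Thumbprint, NotAfter

# Step 6: confirm Windows now builds a valid chain (returns True or False).
$installed | Test-Certificate -Policy BASE
```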

 

 

 

ADFS Error details: MSIS7012: An error occurred while processing the request

Situation: When accessing the ADFS SSO website, for example https://ADFS.chicagotech.net/adfs/ls/IdpInitiatedSignon.aspx, you may receive this message:

SSO

An error occurred

The resource you are trying to access is not available. Contact your administrator for more information.

Error details

  • Activity ID: 42cb00xxxxxxxxxxxxxxxx
  • Error details: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
  • Node name: 53709axxxxxxxxxxxxxxx
  • Error time: Tue, 03 Jan 2023 17:36:52 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.46.

 

Troubleshooting:

Case 1: The IdpInitiatedSignon page could be disabled. Try this PowerShell command:

Set-AdfsProperties -EnableIdpInitiatedSignonpage $True

Case 2: Also check the certificate for any errors. In our example, the CA Root certificate is not trusted.
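Both cases can be checked in one pass on the AD FS server. This is an added example, not part of the original post; it assumes AD FS 2016 or later (where the EnableIdpInitiatedSignonPage property exists) and an elevated PowerShell session.

```powershell
# Added example: checks Case 1 and Case 2 on the AD FS server itself.
Import-Module ADFS

# Case 1: is the IdP-initiated sign-on page enabled?
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    Write-Warning 'IdpInitiatedSignon page is disabled; enabling it.'
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

# Case 2: collect the certificates that clients see over HTTPS.
$certs = @()
Get-AdfsCertificate -CertificateType Service-Communications | ForEach-Object {
    $certs += [pscustomobject]@{ Role = 'Service-Communications'; Cert = $_.Certificate }
}
# SSL bindings only expose a hash; look the certificate up in LocalMachine\My.
Get-AdfsSslCertificate | Select-Object -ExpandProperty CertificateHash -Unique | ForEach-Object {
    $c = Get-Item "Cert:\LocalMachine\My\$_" -ErrorAction SilentlyContinue
    if ($c) { $certs += [pscustomobject]@{ Role = 'SSL binding'; Cert = $c } }
}

# Build the trust chain for each one and report why it fails, if it does.
foreach ($entry in $certs) {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Trust path only; revocation checking is left out of this example.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($entry.Cert)
    [pscustomobject]@{
        Role       = $entry.Role
        Subject    = $entry.Cert.Subject
        NotAfter   = $entry.Cert.NotAfter
        ChainValid = $ok
        Status     = ($chain.ChainStatus.Status -join ', ')
    }
}
```

A Status of UntrustedRoot corresponds to the error in Case 2: the issuing CA Root certificate is missing from the Trusted Root Certification Authorities store on that machine.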

Please refer to this post:

Multiple ways to access the Windows Recovery

Situation: In some cases, you may want to recover a crashed Windows OS. There are several ways to do so.

  1. Normally, you can go to Settings>System>Recovery>Reset this PC>Reset PC.

However, in many situations, you may not be able to do that because Windows freezes, the keyboard/mouse doesn’t work, or nothing is running.

2. With the device powered off, press and hold the Windows key and press the power button. Then release both keys.

3. If you can log in, click the Power button icon, then hold the SHIFT key and click Restart.

4. If you can access the Desktop, select Start>Power, and then press and hold Shift key while clicking Restart.

5. At the command prompt, run the Shutdown /r /o command.

6. Run this command: systemreset.exe

7. Boot from DVD or USB Recovery Media

1) Insert the recovery media into a USB port or a DVD drive, depending on the format you used to create the recovery media.

2) Power the computer off.

3) Power the computer on. At the Dell logo screen, tap the F12 key several times until you see Preparing one time boot menu in the top-right corner of the screen.

4) At the boot menu, select the device under UEFI BOOT that matches your media type (USB or DVD).

Losing the connection on PA firewall after committing a new configuration

Situation: After committing a new configuration on PA 440 firewall, the client loses the Internet connection.

Troubleshooting:

  1. We cannot ping the firewall default gateway IP address.
  2. We can still access the Management IP. Go to DEVICE > Operation, and select Revert to last saved configuration or Load named configuration snapshot.

App Version Mismatch on Palo Alto Firewall High Availability

Situation: The client has Palo Alto 850 Firewall. The Dashboard> High Availability shows App Version, Threat Version and Antivirus Version Mismatch.

Troubleshooting:

  1. When we try to log in to the Spare Unit Management IP, it times out.
  2. Using a console cable connected to the console port, we see this information: EDAC MC0: 1 CE DIMM 0 rank 1 bank 10 row 97824 col 1016 on any memory page: 0x0 0ffset: 0x0 grain: 0 syndrom

Resolution:

  1. Hard reboot the unit.
  2. Access the management interface and update the Dynamic Updates manually.

Cloud does not save the settings for RD Licensing. Error: Unable to set the license settings: “Invalid operation”

Situation: When configuring the deployment on an RD server, you may receive an error: Cloud does not save the settings for RD Licensing. Error: Unable to set the license settings: “Invalid operation”.

Troubleshooting: You will receive this error if you use Configure the Deployment on an RDS server that includes only the RD Session Host role and the RD Licensing role. For such a server, run gpedit.msc on the RD server to configure licensing instead.

Use Configure the Deployment to configure RD licensing on an RD server that includes the RD Connection Broker role.

Fixing “Remote desktop licensing mode is not configured”

Situation: When troubleshooting an RD license issue by using RD Licensing Diagnoser, you may receive this error: “Remote desktop licensing mode is not configured”,

or this error may pop up in a system notification.

Troubleshooting 1: Configure licensing for an RDS deployment that includes only the RD Session Host role and the RD Licensing role

  1. Run gpedit.msc on the RD server.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click on Use the specified Remote Desktop license servers, check Enabled, and enter the RD server in License servers to use.
  4. Double-click on Set the Remote Desktop licensing mode, check Enabled, and select Per Device or Per User, as appropriate for your deployment.
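To confirm that the two policy settings took effect, compare what Group Policy wrote with what the Session Host is actually using. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the RD Session Host.

```powershell
# Added example: verify the licensing policy on the RD Session Host.
# The two policy settings are stored under this key as
# LicenseServers (string) and LicensingMode (DWORD: 2 = Per Device, 4 = Per User).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$modeNames = @{ 2 = 'Per Device'; 4 = 'Per User' }

# What Group Policy wrote (absent if the policy has not been applied yet).
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$policyMode = if ($policy -and $null -ne $policy.LicensingMode) {
    $modeNames[[int]$policy.LicensingMode]
} else {
    'Not set by policy'
}

# What the Session Host is actually using.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName Win32_TerminalServiceSetting
$list = Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList
$servers = @($list.SpecifiedLSList | Where-Object { $_ })

[pscustomobject]@{
    PolicyLicensingMode  = $policyMode
    PolicyLicenseServers = $policy.LicenseServers
    EffectiveMode        = $ts.LicensingName
    EffectiveServers     = $servers -join ', '
}

# LicensingType 5 means "Not configured", the state behind the error above.
if ($ts.LicensingType -eq 5) {
    Write-Warning 'Licensing mode is still not configured on this Session Host.'
}
if ($servers.Count -eq 0) {
    Write-Warning 'No license server is specified on this Session Host.'
}

# Each specified license server must be reachable over RPC (TCP 135).
foreach ($s in $servers) {
    $r = Test-NetConnection -ComputerName $s -Port 135 -WarningAction SilentlyContinue
    [pscustomobject]@{ LicenseServer = $s; RpcReachable = $r.TcpTestSucceeded }
}
```

If the policy values are present but the effective values have not changed, run gpupdate /force and check again.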

Troubleshooting 2: Configure licensing for an RDS deployment that includes the RD Connection Broker role

  1. On the RD Connection Broker server, open Server Manager and then go to Remote Desktop Services > Overview.
  2. Click on Tasks and then select Edit Deployment Properties.
  3. Click on RD Licensing and configure the RD Licensing mode and server.

Note: This is for configuring licensing for an RDS deployment that includes the RD Connection Broker role. If you configure licensing for an RDS deployment that includes only the RD Session Host role and the RD Licensing role using this method, you may receive an error: Cloud does not save the settings for RD Licensing. Error: Unable to set the license settings: “Invalid operation”.

Please view this step by step video: