Palo Alto Global Protect for VPN is used as the firewall for VPN users. The requirement is to have VIP do the 2FA for the VPN users. When logging in as a user with username>password+secure_token would fail. Logins with just username>secure token would work. Logins with username>ldap_password would work.

AUDIT    "2015-12-11 16:46:50.463 GMT-0600"   ValidationEngine 0 18501 "text=Access DENIED [VSWebServiceClient] The security code does not meet policy requirements. Verify the security code you have entered. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret, OTP length = 16, user=svip, bizCont=off ,reason=12" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:46:50.463 GMT-0600"   ValidationEngine 0 18501 "text=Access 0" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:47:20.353 GMT-0600"   ValidationEngine 0 0 "text=Access GRANTED 0x0: Success&tokenid=VSMT44516421, user=svip, bizCont=off ,reason=0&tokenid=VSMT44516421" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:47:20.353 GMT-0600"   ValidationEngine 0 0 "text=Access 0" Thread-16696 VSValidationEngine.c

Restarting the Symantec LDAP Directory Service fails with error 1067 and 1053 on the domain controller.

The backend server logs on the cloud show that the user is able to login with username & OTP, basically, 1 factor authentication. Logging in with the username & password+OTP fails with the above message.

We asked that VIP EGW 9.7 be installed after the server is rebooted.

VIP Enterprise Gateway 9.6.1

Steps to resolve issue.  

1. Reboot domain controller
2. Remove VIP EGW 9.6.1 from Add or Remove Programs.
3. Install VIP EGW 9.7 and complete the configuration for the userstore and validation server.
4. Run LDAP Sync