When Symantec VIP Enterprise Gateway (VIP EG) is the RADIUS server for Palo Alto GlobalProtect VPN authentication, users are prompted to authenticate at least twice per connection. The failed attempts appear in the VIP EG logs as:
reason=40; Invalid Access-Challenge
reason=47; Invalid Input
The following information is provided by the Palo Alto support team:
When connecting with the GlobalProtect client, users go through two authentications: 1) authentication to the portal and 2) authentication to the gateway. By default, the Palo Alto (PAN) firewall reuses the credentials supplied for the portal when it authenticates to the gateway. If LDAP authentication is in use for both the portal and the gateway, the cached password is still valid at the second step, so users are prompted for credentials only once and believe that only one authentication has happened.
However, if end users authenticate with OTP tokens (hard tokens or the VIP Access soft token), this default behavior does not work. Why? Once the user enters their OTP at the portal, the firewall caches that OTP and sends it again to the VIP RADIUS server when authenticating to the gateway. OTPs are single-use only, so the replayed OTP is answered with an Access-Reject. The firewall then prompts the user to re-enter their credentials for the gateway; if the user types the same OTP again, that attempt fails too, and only a fresh OTP succeeds. The overall pattern seen in the Palo Alto and VIP logs is a mix of successes, retries, and failures for each user login.
Please consult your Palo Alto GlobalProtect support team for specific instructions on how to Enable Two-Factor Authentication Using One-Time Passwords (OTPs) for your organization's version of GlobalProtect.
Per the Palo Alto support site, enabling Authentication Override cookies causes the portal to generate and install an authentication override cookie on the user's machine once they successfully authenticate to the portal. During authentication to the gateway, the cookie is used instead of prompting the user for credentials again, so the cached OTP is never replayed.
- For the portal, enable only the generate cookie for authentication override option. Do not enable "Accept cookie for authentication override". This way, users will always be prompted to authenticate when connecting to the portal.
- On the GlobalProtect gateway, enable only "Accept cookie for authentication override" and set the cookie lifetime to the minimum (one minute). The cookie only needs to survive the few seconds between portal and gateway authentication; the short lifetime keeps the window in which a copied cookie could be presented to the gateway as small as possible.
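The following simulation is an added example, not code from Symantec, Palo Alto, or this article. It models the behavior described above with a single-use OTP validator standing in for VIP EG, a static-password validator standing in for LDAP, and a firewall object that either replays the cached portal credential to the gateway (the default) or mints a short-lived HMAC-signed cookie at the portal and accepts it at the gateway (the authentication override fix). The class names, the cookie format, the signing key, and the sample OTPs are all assumptions chosen for the example; a real VIP server validates the OTP against the token's secret and time or counter window rather than a fixed list.

```python
"""Simulation of the GlobalProtect portal+gateway login sequence against a
single-use OTP backend, with and without authentication override cookies.
Added example; not VIP EG or PAN-OS code."""
import hashlib
import hmac
import secrets

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"


class OtpRadiusServer:
    """Stand-in for VIP EG (hypothetical): each listed OTP is valid exactly once."""

    def __init__(self, valid_otps):
        self._unused = set(valid_otps)   # constructed sample OTPs
        self.log = []                    # constructed log, not real VIP EG lines

    def authenticate(self, user, credential):
        if credential in self._unused:
            self._unused.discard(credential)          # consume: OTPs are single-use
            self.log.append(f"user={user}; {ACCEPT}")
            return ACCEPT
        self.log.append(f"user={user}; {REJECT}; replayed or unknown OTP")
        return REJECT


class StaticPasswordServer:
    """Stand-in for an LDAP backend: the same password is accepted every time."""

    def __init__(self, password):
        self._password = password

    def authenticate(self, user, credential):
        return ACCEPT if credential == self._password else REJECT


class Firewall:
    """Stand-in for the PAN firewall's portal and gateway authentication."""

    def __init__(self, backend, cookie_override=False, cookie_lifetime_s=60):
        self.backend = backend
        self.cookie_override = cookie_override         # portal: generate, gateway: accept
        self.cookie_lifetime_s = cookie_lifetime_s     # the doc recommends the minimum
        self._cookie_key = secrets.token_bytes(32)     # hypothetical cookie signing key

    def _mint_cookie(self, user, now):
        """Portal side: sign user|expiry so the gateway can verify it was issued here."""
        expiry = now + self.cookie_lifetime_s
        payload = f"{user}|{expiry}".encode()
        tag = hmac.new(self._cookie_key, payload, hashlib.sha256).hexdigest()
        return f"{user}|{expiry}|{tag}"

    def _accept_cookie(self, cookie, now):
        """Gateway side: constant-time tag check plus lifetime check."""
        user, expiry, tag = cookie.split("|")
        payload = f"{user}|{expiry}".encode()
        expected = hmac.new(self._cookie_key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, expected) and now < int(expiry)

    def connect(self, user, typed, now=0, gateway_delay_s=5):
        """Simulate one login. `typed` is what the user enters at each prompt.
        Returns (portal_result, gateway_result, number_of_prompts)."""
        prompts = 0
        entries = iter(typed)

        def prompt():
            nonlocal prompts
            prompts += 1
            return next(entries, None)

        # 1) Portal: the user is always prompted (portal does not accept cookies).
        portal_cred = prompt()
        portal_result = self.backend.authenticate(user, portal_cred)
        if portal_result != ACCEPT:
            return portal_result, None, prompts

        # 2) Gateway.
        gateway_time = now + gateway_delay_s
        if self.cookie_override:
            cookie = self._mint_cookie(user, now)
            if self._accept_cookie(cookie, gateway_time):
                return portal_result, ACCEPT, prompts      # no second prompt
            # Cookie expired: fall through to a normal prompt.
        else:
            # Default behavior: replay the cached portal credential to the gateway.
            if self.backend.authenticate(user, portal_cred) == ACCEPT:
                return portal_result, ACCEPT, prompts
        # Replay (or cookie) failed: prompt the user again for the gateway.
        gateway_result = self.backend.authenticate(user, prompt())
        return portal_result, gateway_result, prompts


if __name__ == "__main__":
    vip = OtpRadiusServer(["111111", "222222"])
    print("default, same OTP twice:", Firewall(vip).connect("alice", ["111111", "111111"]))
    vip = OtpRadiusServer(["111111", "222222"])
    print("cookie override:", Firewall(vip, cookie_override=True).connect("alice", ["111111"]))
```

Running the script shows the two outcomes the article describes: with the default replay the gateway step rejects the cached OTP and the user is prompted again (and fails again if they retype the same code), while with the override cookie the portal prompt is the only one. The `StaticPasswordServer` case shows why the same default is invisible with LDAP: the replayed password is simply accepted.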