Once I buckled down and started seriously focusing on it, it started coming together. Piece by agonizing piece.
It was actually a good re-introduction to troubleshooting, dissecting the problem, and improvising.
OK, the Barracuda guy showed me how to get Wireshark captures from the firewall, but I lost that command...
OK, the Duo dashboard shows no auth attempts getting that far.
OK, the Duo VM has no UI, so I have to figure out old-school ways to see what's happening.
OK, if I look deeply at the Duo log, I can see that the LDAP / AD connection is failing.
OK, if I enable and look at the Duo VM firewall logs, I can see who is trying to talk to who.
OK, if I check the security event log on one of the DCs that is not responding, I can see what's up with the auth attempt.
OK, if I check the sub-code on the event, I see it's a bad ID or password.
OK, if I check the sub-sub-code on the event, I see it's an unknown ID.
OK, if I compare the Duo log and the Event, I see I can't tell the difference between _ and -.
OK, if I flip back to my 8th buried window, I see that 'some dumbass' forgot to restart the Duo auth service.
etc, etc, and so on....