<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IBM registry via PaloAlto authentication fails in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ibm-registry-via-paloalto-authentication-fails/m-p/1257874#M126679</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/355373501"&gt;@moorthi.pongiannan&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="14"&gt;This is a classic issue when dealing with services hosted behind aggressive Content Delivery Networks (CDNs) like Akamai.&lt;/P&gt;
&lt;P data-path-to-node="14"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="15"&gt;Because IBM's registry (&lt;CODE data-index-in-node="58" data-path-to-node="15"&gt;cp.icr.io&lt;/CODE&gt;) uses Akamai for geo-location routing, its public IP addresses change constantly based on load balancing and location.&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="16"&gt;By mapping a static IP to &lt;CODE data-index-in-node="26" data-path-to-node="16"&gt;cp.icr.io&lt;/CODE&gt;, you essentially froze the destination IP in place, ensuring the firewall and the client are always aligned.&lt;/P&gt;
&lt;P data-path-to-node="16"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;The risk with the static fix is that&amp;nbsp;if Akamai deprecates, rotates, or changes that specific IP on IBM's backend, your container registry connection will break completely.&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;Instead, consider tweaking FQDN refresh times to it queries the DNS more aggressively to keep up with Akamai's changes.&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;Best,&lt;/P&gt;</description>
    <pubDate>Wed, 01 Jul 2026 15:05:50 GMT</pubDate>
    <dc:creator>kiwi</dc:creator>
    <dc:date>2026-07-01T15:05:50Z</dc:date>
    <item>
      <title>IBM registry via PaloAlto authentication fails</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ibm-registry-via-paloalto-authentication-fails/m-p/1257807#M126673</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;DIV&gt;
&lt;P&gt;Here's a polished rewrite:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Just wondering if anyone has come across an IBM Container Registry authentication issue where the registry traffic is routed through PaloAlto Akamai geo-location edge servers (for example, &lt;CODE&gt;cp.icr.io&lt;/CODE&gt;).&lt;/P&gt;
&lt;P&gt;I experienced intermittent authentication failures where the login process would hang and never complete. After some investigation, I found that adding a static entry for &lt;CODE&gt;cp.icr.io&lt;/CODE&gt; (pointing it to a specific IP address, &lt;CODE&gt;xxx.xxx.xxx.xxx&lt;/CODE&gt;) resolved the issue and authentication started working consistently.&lt;/P&gt;
&lt;P&gt;Has anyone seen similar behavior or identified a root cause related to Akamai edge servers, DNS resolution, or geo-location routing?&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;host cp.icr.io&lt;BR /&gt;cp.icr.io is an alias for geo.icr.io.&lt;BR /&gt;geo.icr.io is an alias for geo.global.icr.io.akadns.net.&lt;BR /&gt;geo.global.icr.io.akadns.net is an alias for uk.icr.io.akadns.net.&lt;BR /&gt;uk.icr.io.akadns.net has address 158.176.193.128&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 13:01:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ibm-registry-via-paloalto-authentication-fails/m-p/1257807#M126673</guid>
      <dc:creator>moorthi.pongiannan</dc:creator>
      <dc:date>2026-06-30T13:01:14Z</dc:date>
    </item>
    <item>
      <title>Re: IBM registry via PaloAlto authentication fails</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ibm-registry-via-paloalto-authentication-fails/m-p/1257874#M126679</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/355373501"&gt;@moorthi.pongiannan&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="14"&gt;This is a classic issue when dealing with services hosted behind aggressive Content Delivery Networks (CDNs) like Akamai.&lt;/P&gt;
&lt;P data-path-to-node="14"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="15"&gt;Because IBM's registry (&lt;CODE data-index-in-node="58" data-path-to-node="15"&gt;cp.icr.io&lt;/CODE&gt;) uses Akamai for geo-location routing, its public IP addresses change constantly based on load balancing and location.&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="16"&gt;By mapping a static IP to &lt;CODE data-index-in-node="26" data-path-to-node="16"&gt;cp.icr.io&lt;/CODE&gt;, you essentially froze the destination IP in place, ensuring the firewall and the client are always aligned.&lt;/P&gt;
&lt;P data-path-to-node="16"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;The risk with the static fix is that&amp;nbsp;if Akamai deprecates, rotates, or changes that specific IP on IBM's backend, your container registry connection will break completely.&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;Instead, consider tweaking FQDN refresh times to it queries the DNS more aggressively to keep up with Akamai's changes.&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="17"&gt;Best,&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jul 2026 15:05:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ibm-registry-via-paloalto-authentication-fails/m-p/1257874#M126679</guid>
      <dc:creator>kiwi</dc:creator>
      <dc:date>2026-07-01T15:05:50Z</dc:date>
    </item>
  </channel>
</rss>

