https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23888#M17401 <HTML><HEAD></HEAD><BODY><P>For followup, I have three PA units distributed globally (NJ - 2x2050's, Rotterdam - 1x500 and Singapore - 1x500) and all are being centrally managed by Panorama.&nbsp; Pushes do take a bit of time to process (when don't they <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />), but still usable.&nbsp; I haven't run into any connectivity problems where the connections would fail or anything (at least not yet).</P><P></P><P>Tariq</P></BODY></HTML> Wed, 26 Jan 2011 20:40:09 GMT rahmant 2011-01-26T20:40:09Z https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23886#M17399 <HTML><HEAD></HEAD><BODY><P><STRONG>Problem:<BR /></STRONG>If you try to manage PAN device over a WAN, you might experience problems.<BR />By manage, I mean via the Web interface, via CLI or via Panorama.<BR />The Web interface may not load <BR />Or <BR />login via CLI works fine. <BR />However a command that returns a lot of data will fail. One good example is "show log system"<BR />Or <BR />"Failed to establish SSL connection to Panorama Server: xxx.xxx.xxx.xxx Port:3978 Retry: 100000"</P><P><BR /><STRONG>Solution:<BR /></STRONG>In my case I solved (bypassed) the issue by adding the Router as a "Trusted IP" in PAN’s device tab.<BR />PAN OS 3.1.6</P><P><BR />Some more explanation:</P><P>A&nbsp; ASCI drawing:<BR />PAN &lt;--&gt; VPN router &lt;----------------&gt; VPN Router &lt;--&gt; PC /Panorama</P><P>Default Ethernet MTU is 1500. A packet inside a VPN tunnel can carry smaller payload (smaller MTU). <BR />MTU - Maximum Transmission Unit or Maximum transfer Unit.<BR />PMTU - Path MTU</P><P><BR />I believe this to be a PMTU problem:<BR />SSL / SSH packets does not like fragmentation, as this interferes with the encryption. <BR />The PAN device sends all of its SSL / SSH packets with DF (Don’t Fragment Flag). <BR />When the MTU is larger than the VPN router can send without fragmentation, the router replies with an ICMP “need fragmentation”.<BR />The PAN management interface ignores all traffic that is not trusted (Trusted IP).<BR />Hence a PAN device may fail to establish PMTU as it will drop / ignore traffic that originates from WAN routers. <BR />(This is not necessarily an error, but more like a hidden stumbling block. )</P><P></P><P></P><P>For those interested: RFC 1191 adds some better explanation.<BR />There is also another documented workaround: <A href="https://live.paloaltonetworks.com/docs/DOC-1649">https://live.paloaltonetworks.com/docs/DOC-1649</A></P><P></P><P>/ Paul M</P></BODY></HTML> Wed, 26 Jan 2011 13:17:25 GMT https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23886#M17399 pnotpub 2011-01-26T13:17:25Z https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23887#M17400 <HTML><HEAD></HEAD><BODY><P>I've seen this with many types of VPN interactions.&nbsp; With a traditional Cisco remote access VPN installation, the typical process has the MTU of the client device's NIC set to 1300 bytes.&nbsp; This typically resolves the fragmentation issue.</P><P></P><P>Tariq</P></BODY></HTML> Wed, 26 Jan 2011 20:38:02 GMT https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23887#M17400 rahmant 2011-01-26T20:38:02Z https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23888#M17401 <HTML><HEAD></HEAD><BODY><P>For followup, I have three PA units distributed globally (NJ - 2x2050's, Rotterdam - 1x500 and Singapore - 1x500) and all are being centrally managed by Panorama.&nbsp; Pushes do take a bit of time to process (when don't they <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />), but still usable.&nbsp; I haven't run into any connectivity problems where the connections would fail or anything (at least not yet).</P><P></P><P>Tariq</P></BODY></HTML> Wed, 26 Jan 2011 20:40:09 GMT https://live.paloaltonetworks.com/t5/general-topics/manage-pan-device-over-a-wan-you-might-experience-problems/m-p/23888#M17401 rahmant 2011-01-26T20:40:09Z