topic Re: M100 - incorrect Message Authentication Code in General Topics

M100 - incorrect Message Authentication Code

${userLoginName} — Tue, 13 Aug 2013 21:47:11 GMT

I have the following setup: A VM100 that has multiple VLANs, for example LAN, Guest and DMZ. In the DMZ are some https websites, hosted on VM's on the same VM server as the M-100.

Everything is working as expected, so internet, DHCP, DNS etc. is all working fine.

However, when connected to the LAN, surfing to a https website in the DMZ results in:

Secure Connection Failed

An error occurred during a connection to 10.0.0.49:8000.

SSL received a record with an incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_read)

I have this from both the LAN and the DMZ, and all https sites in my DMZ. When I put my PC in the DMZ, the sites work, so the PA is the problem.

More info:

Eth1: Internet

Eth2: LAN

Eth3.4=DMZ

Eth3.5=Guest

tested in PANOS 5.0.5 and 5.0.6, same issue

The PA has valid licenses.

No drops in the monitor.

Tested with different browsers

No SSL decryption policy at all

First tried with all port groups in promisc allow mode, same issue.

Took PA mac addresses and manually entered them on the VM interfaces (took into account that the first interface is the mgmt port)., same issue.

Turned promisc off on all port groups, same issue.

Kind regards,

Bob

Re: M100 - incorrect Message Authentication Code

jteetsel — Tue, 13 Aug 2013 22:33:39 GMT

Hi Bob, if your not using decryption on the PA its likely that its not the firewall causing this. What happens when you browse to the site from a system on the same network segment that does not traverse the PA?

Did the VM hosting the site move to a different ESX recently? I've seen the certs get screwed up after moving a VM and having to re-install the cert locally.

Re: M100 - incorrect Message Authentication Code

${userLoginName} — Wed, 14 Aug 2013 06:03:03 GMT

As in my original post: When I put my PC in the DMZ (so directly connected), the sites work, so the PA is the problem.

The VM's did not move, the only thing that was changed was the migration from a physical PA to a M-100.

Re: M100 - incorrect Message Authentication Code

jteetsel — Wed, 14 Aug 2013 16:32:03 GMT

Got it, I must have missed that part..Are you nating when going between zones? Is 10.0.0.49 the IP of the server you are connecting to or the ip of the PAN?

Re: M100 - incorrect Message Authentication Code

${userLoginName} — Thu, 15 Aug 2013 21:07:58 GMT

10.0.0.0/24 is the DMZ, so the IP 10.0.0.49 is one of the servers. The message says port 8000, but it is the same for https sites on port 443.

Except for the HideNAT to the internet, there is no NAT between subnets. I have just tested with an app override, just to disable all checks and scanning, same result.

I wonder if this a Palo Alto or VM (or combination) problem.

Re: M100 - incorrect Message Authentication Code

${userLoginName} — Fri, 16 Aug 2013 14:15:48 GMT

Okey I got it working now, but I am absolutely clueless as to why.

I removed the eth3.4 interface, and put the same config on eth4. In the VM settings, I attached the DMZ-vlan to the PA interface eth4.

I am now able to connect to all my https websites.

Perhaps I should create a support case for this.