M100 - incorrect Message Authentication Code

Reply
Highlighted
L4 Transporter

M100 - incorrect Message Authentication Code

I have the following setup: A VM100 that has multiple VLANs, for example LAN, Guest and DMZ. In the DMZ are some https websites, hosted on VM's on the same VM server as the M-100.

Everything is working as expected, so internet, DHCP, DNS etc. is all working fine.

However, when connected to the LAN, surfing to a https website in the DMZ results in:

Secure Connection Failed

          An error occurred during a connection to 10.0.0.49:8000.

SSL received a record with an incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_read)

I have this from both the LAN and the DMZ, and all https sites in my DMZ. When I put my PC in the DMZ, the sites work, so the PA is the problem.

More info:

Eth1: Internet

Eth2: LAN

Eth3.4=DMZ

Eth3.5=Guest

tested in PANOS 5.0.5 and 5.0.6, same issue

The PA has valid licenses.

No drops in the monitor.

Tested with different browsers

No SSL decryption policy at all

First tried with all port groups in promisc allow mode, same issue.

Took PA mac addresses and manually entered them on the VM interfaces (took into account that the first interface is the mgmt port)., same issue.

Turned promisc off on all port groups, same issue.

Kind regards,

Bob

L3 Networker

Re: M100 - incorrect Message Authentication Code

Hi Bob, if your not using decryption on the PA its likely that its not the firewall causing this. What happens when you browse to the site from a system on the same network segment that does not traverse the PA?

Did the VM hosting the site move to a different ESX recently? I've seen the certs get screwed up after moving a VM and having to re-install the cert locally.

L4 Transporter

Re: M100 - incorrect Message Authentication Code

As in my original post: When I put my PC in the DMZ (so directly connected), the sites work, so the PA is the problem.

The VM's did not move, the only thing that was changed was the migration from a physical PA to a M-100.

L3 Networker

Re: M100 - incorrect Message Authentication Code

Got it, I must have missed that part..Are you nating when going between zones? Is 10.0.0.49 the IP of the server you are connecting to or the ip of the PAN?

L4 Transporter

Re: M100 - incorrect Message Authentication Code

10.0.0.0/24 is the DMZ, so the IP 10.0.0.49 is one of the servers. The message says port 8000, but it is the same for https sites on port 443.

Except for the HideNAT to the internet, there is no NAT between subnets. I have just tested with an app override, just to disable all checks and scanning, same result.

I wonder if this a Palo Alto or VM (or combination) problem.

L4 Transporter

Re: M100 - incorrect Message Authentication Code

Okey I got it working now, but I am absolutely clueless as to why.

I removed the eth3.4 interface, and put the same config on eth4. In the VM settings, I attached the DMZ-vlan to the PA interface eth4.

I am now able to connect to all my https websites.

Perhaps I should create a support case for this.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!