PAN OS 5.0.0 "killing" remote connections

L3 Networker


Hi

Sorry for the "bad" title, but that's what's actually happening.

I have a NAT rule translating the external interface IP to an internal server from port 443 to 8443 (for OpenVPN) and to the same server for SSH (no port translation).

When I connect with OpenVPN to the VPN Server, it connects fine, but as soon as I have a certain amount of traffic (i.e. opening a webpage), the client drops the connection with:

----cut---

Nov 20 19:38:21: Authenticate/Decrypt packet error: packet HMAC authentication failed

Nov 20 19:38:21: Fatal decryption error (process_incoming_link), restarting

Nov 20 19:38:21: SIGUSR1[soft,decryption-error] received, process restarting

---cut---

I first assumed a problem on the VPN Server, but connecting to it bypassing the PA works perfectly fine.

I also tried configuring "Disable server response" in the security policy with no effect.

The above not only kills my OpenVPN connections, but also does the same for an SSH connection to the same server (Error Message: HMAC Error, connection reset) as soon as there is some traffic on the connection (e.g. less a bigger log file).

Can anyone give me a hint where to dig deeper in order to find the problem?

Thanks

Andre

mne

Re: PAN OS 5.0.0 "killing" remote connections

Do you have specific application policies other than the NAT rule? I would try to do some logging on the security policies and some packet capture to see if and how the traffic passes through the PAN.

L5 Sessionator

Re: PAN OS 5.0.0 "killing" remote connections

Auth failures could imply fragmented encrypted traffic with some missing fragments. PCAPs should help determine if this is the case. Also ensure that you do not have any zone protection profiles which block frags.

-Richard
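
The fragment check suggested in the reply above can be run offline on a capture taken on either side of the firewall. This is an added example, not part of the original thread: it reads a classic libpcap file (Ethernet link type assumed), groups IPv4 fragments by source, destination, protocol and IP ID, and reports the IP IDs of datagrams whose fragments did not all arrive. The function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def ipv4_fragments(pcap):
    """Yield (datagram_key, byte_offset, payload_len, more_fragments) per IPv4 fragment."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24                                   # skip the pcap global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not Ethernet + IPv4
        ip = frame[14:]
        total, ident, flags_off = struct.unpack("!HHH", ip[2:8])
        more, offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        if more or offset:                     # unfragmented packets have MF=0, offset=0
            key = (ip[12:16], ip[16:20], ip[9], ident)
            yield key, offset, total - (ip[0] & 0x0F) * 4, more

def is_complete(frags):
    """True if the fragments cover bytes 0..end with no hole and the last one (MF=0) is present."""
    ends = [off + ln for off, ln, more in frags if not more]
    covered = 0
    for off, ln, _ in sorted(frags):
        if off > covered:
            return False                       # hole: a middle fragment is missing
        covered = max(covered, off + ln)
    return bool(ends) and covered >= ends[0]

def incomplete_datagrams(pcap):
    """Return the IP IDs of fragmented datagrams that cannot be reassembled from the capture."""
    groups = defaultdict(list)
    for key, off, ln, more in ipv4_fragments(pcap):
        groups[key].append((off, ln, more))
    return sorted(key[3] for key, frags in groups.items() if not is_complete(frags))

def build_sample():
    """Constructed capture: IP ID 1 arrives whole (2 fragments), IP ID 2 loses its last fragment."""
    def frame(ident, offset, more, ln):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ln, ident,
                         (0x2000 if more else 0) | offset // 8, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
        data = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * ln
        return struct.pack("<IIII", 0, 0, len(data), len(data)) + data
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + frame(1, 0, True, 1480) + frame(1, 1480, False, 100) + frame(2, 0, True, 1480)

if __name__ == "__main__":
    print("incomplete IP IDs:", incomplete_datagrams(build_sample()))
```

Comparing the result for a capture taken before the firewall with one taken after it shows whether fragments are being lost in between.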
