05-07-2012 08:21 AM
Hi, All,
I have a hopefully quick question regarding my Palo Alto 5050 firewall pair; whenever I go to log in via SSH, I get a delay of approximately 5-10 seconds before I am actually prompted for a password. Is this normal? This is more of a nuisance than anything causing a problem, however it is begining to bother me because I am logging into these devices somewhat frequently. I seem to remember that when I first set these up, that I would get prompted immediately. I took a quick look at the logs and I don't see anything that would suggest why a delay is being caused in my being prompted for a password. Has anybody seen this symptom before?
Thank-you so much,
Dan Sullivan
05-07-2012 11:56 PM
The delay of 5-10 seconds before you can login is most likely caused by incorrect dns settings on your server and/or lack of reverse lookup (PTR-record) for the ip address your client uses.
So to fix this:
1) Verify that the ip your client uses (or rather the ip your PA box will see in case you have NAT on the road) have a PTR-record in your DNS-servers.
dig -x <ipaddress>
or if you wish to do this manually (where the ip is A.B.C.D)
dig D.C.B.A.in-addr.arpa
2) Verify that your PA box uses your DNS servers in its settings.
3) Verify that your PA box can reach your DNS servers (and if not fix with service route configuration - not uncommon that you need to change dns traffic from mgmtplane to use dataplane rather than mgmtinterface).
05-07-2012 09:17 AM
I see a delay on my 2050 when the management process is running high.
05-07-2012 01:47 PM
Hi Dan,
Yes, it can be high management causing the prompt to delay.
Check the output for the following CLI comand:-
>show system resources follow
Look for the swap usage and also the the following processes:-
mgmtsrv
devsrv
Regards,
Parth
05-07-2012 11:56 PM
The delay of 5-10 seconds before you can login is most likely caused by incorrect dns settings on your server and/or lack of reverse lookup (PTR-record) for the ip address your client uses.
So to fix this:
1) Verify that the ip your client uses (or rather the ip your PA box will see in case you have NAT on the road) have a PTR-record in your DNS-servers.
dig -x <ipaddress>
or if you wish to do this manually (where the ip is A.B.C.D)
dig D.C.B.A.in-addr.arpa
2) Verify that your PA box uses your DNS servers in its settings.
3) Verify that your PA box can reach your DNS servers (and if not fix with service route configuration - not uncommon that you need to change dns traffic from mgmtplane to use dataplane rather than mgmtinterface).
05-08-2012 07:56 AM
Hi,
This is what I needed; the problem was that I had entered an explicity deny any any policy at the end so that all dropped packets would be logged; I needed to add an additional policy that allowed all traffic from 'outside' to 'outside' so that the firewall could resolve DNS properly.
Thank-you,
Dan Sullivan
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
