manage PAN device over a WAN, you might experience problems

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

manage PAN device over a WAN, you might experience problems

L1 Bithead

Problem:
If you try to manage PAN device over a WAN, you might experience problems.
By manage, I mean via the Web interface, via CLI or via Panorama.
The Web interface may not load
Or
login via CLI works fine.
However a command that returns a lot of data will fail. One good example is "show log system"
Or
"Failed to establish SSL connection to Panorama Server: xxx.xxx.xxx.xxx Port:3978 Retry: 100000"


Solution:
In my case I solved (bypassed) the issue by adding the Router as a "Trusted IP" in PAN’s device tab.
PAN OS 3.1.6


Some more explanation:

A  ASCI drawing:
PAN <--> VPN router <----------------> VPN Router <--> PC /Panorama

Default Ethernet MTU is 1500. A packet inside a VPN tunnel can carry smaller payload (smaller MTU).
MTU - Maximum Transmission Unit or Maximum transfer Unit.
PMTU - Path MTU


I believe this to be a PMTU problem:
SSL / SSH packets does not like fragmentation, as this interferes with the encryption.
The PAN device sends all of its SSL / SSH packets with DF (Don’t Fragment Flag).
When the MTU is larger than the VPN router can send without fragmentation, the router replies with an ICMP “need fragmentation”.
The PAN management interface ignores all traffic that is not trusted (Trusted IP).
Hence a PAN device may fail to establish PMTU as it will drop / ignore traffic that originates from WAN routers.
(This is not necessarily an error, but more like a hidden stumbling block. )

For those interested: RFC 1191 adds some better explanation.
There is also another documented workaround: https://live.paloaltonetworks.com/docs/DOC-1649

/ Paul M

2 REPLIES 2

Not applicable

I've seen this with many types of VPN interactions.  With a traditional Cisco remote access VPN installation, the typical process has the MTU of the client device's NIC set to 1300 bytes.  This typically resolves the fragmentation issue.

Tariq

Not applicable

For followup, I have three PA units distributed globally (NJ - 2x2050's, Rotterdam - 1x500 and Singapore - 1x500) and all are being centrally managed by Panorama.  Pushes do take a bit of time to process (when don't they Smiley Happy), but still usable.  I haven't run into any connectivity problems where the connections would fail or anything (at least not yet).

Tariq

  • 3647 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!