This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

manage PAN device over a WAN, you might experience problems

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

manage PAN device over a WAN, you might experience problems

pnotpub
L1 Bithead

‎01-26-2011 05:17 AM

Problem:
If you try to manage PAN device over a WAN, you might experience problems.
By manage, I mean via the Web interface, via CLI or via Panorama.
The Web interface may not load
Or
login via CLI works fine.
However a command that returns a lot of data will fail. One good example is "show log system"
Or
"Failed to establish SSL connection to Panorama Server: xxx.xxx.xxx.xxx Port:3978 Retry: 100000"


Solution:
In my case I solved (bypassed) the issue by adding the Router as a "Trusted IP" in PAN’s device tab.
PAN OS 3.1.6


Some more explanation:

A  ASCI drawing:
PAN <--> VPN router <----------------> VPN Router <--> PC /Panorama

Default Ethernet MTU is 1500. A packet inside a VPN tunnel can carry smaller payload (smaller MTU).
MTU - Maximum Transmission Unit or Maximum transfer Unit.
PMTU - Path MTU


I believe this to be a PMTU problem:
SSL / SSH packets does not like fragmentation, as this interferes with the encryption.
The PAN device sends all of its SSL / SSH packets with DF (Don’t Fragment Flag).
When the MTU is larger than the VPN router can send without fragmentation, the router replies with an ICMP “need fragmentation”.
The PAN management interface ignores all traffic that is not trusted (Trusted IP).
Hence a PAN device may fail to establish PMTU as it will drop / ignore traffic that originates from WAN routers.
(This is not necessarily an error, but more like a hidden stumbling block. )

For those interested: RFC 1191 adds some better explanation.
There is also another documented workaround: https://live.paloaltonetworks.com/docs/DOC-1649

/ Paul M

Labels:
0 Likes Likes
2 REPLIES 2

rahmant
Not applicable

‎01-26-2011 12:38 PM

I've seen this with many types of VPN interactions.  With a traditional Cisco remote access VPN installation, the typical process has the MTU of the client device's NIC set to 1300 bytes.  This typically resolves the fragmentation issue.

Tariq

0 Likes Likes

rahmant
Not applicable

‎01-26-2011 12:40 PM

For followup, I have three PA units distributed globally (NJ - 2x2050's, Rotterdam - 1x500 and Singapore - 1x500) and all are being centrally managed by Panorama.  Pushes do take a bit of time to process (when don't they Smiley Happy), but still usable.  I haven't run into any connectivity problems where the connections would fail or anything (at least not yet).

Tariq

0 Likes Likes
  • 3893 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks