PANOS 8.1.2 RADIUS / IPv6

Hi,

Since the upgrade to PANOS 8.1.2, RADIUS (for firewall administration) tries to connect to the IPv6 address of the Microsoft NPS server:

2018-07-10 09:33:14.305 +1200 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:384): RADIUS request type: PAP
2018-07-10 09:33:14.307 +1200 Warning: _handle_nas_ip(pan_authd_radius_prot.c:114): fe80::d6f4:beff:fec3:8beb%eth0: pan device nas IPv6 not found
2018-07-10 09:33:14.307 +1200 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:436): Optional attribute NAS-IP "fe80::d6f4:beff:fec3:8beb%eth0" is not in request, which is ok since NAS-Identifier "RADIUS-FirewallAdmins" is in it
2018-07-10 09:33:14.307 +1200 debug: _create_rw_sock(pan_authd_conn_mgmt.c:1446): create a UDP socket: 13
2018-07-10 09:33:14.307 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 1: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable)
2018-07-10 09:33:15.308 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 2: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable)
2018-07-10 09:33:16.309 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 3: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable)
2018-07-10 09:33:17.310 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1497): reached max number of retries (3) to connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812

 

The result is the request times out as the server does not respond on IPv6.

I can't see how to stop this behaviour, or what is causing it.

Note: If I change the RADIUS profile to an IP address, rather than an FQDN, it works fine. If I perform a ping of the FQDN, from the MGT interface on the PAN, it resolves correctly to the IPv4 address, so it does not seem to be a DNS issue.

Note: We have not configured granular service routes; all services use the MGT interface.

Any ideas what is causing this, and how I can stop it trying to use IPv6?

Cheers,
Shannon
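
Added example (not part of the original post and not PAN-OS code): a small Python parser for the authd log lines quoted above that groups failed RADIUS connect attempts by address family, so attempts against an IPv6 address stand out. It assumes the unbracketed address:port format shown in the log; the function names and the final IPv4 sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Retry lines copied from the post's authd log; the last line is constructed
# (documentation address 192.0.2.10) to show an IPv4 attempt for contrast.
SAMPLE_LOG = """\
2018-07-10 09:33:14.307 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 1: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable)
2018-07-10 09:33:15.308 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 2: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable)
2018-07-10 09:33:16.309 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 3: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable)
2018-07-10 09:33:17.310 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1497): reached max number of retries (3) to connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812
2018-07-10 09:40:00.000 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 1: connect to server 192.0.2.10:1812: errno=110(Connection timed out)
"""

RETRY_RE = re.compile(
    r"Retry \d+: connect to server (?P<endpoint>\S+): "
    r"errno=(?P<errno>\d+)\("
)

def split_endpoint(endpoint):
    """Split authd's unbracketed 'address:port'; the port is the last ':' field."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def failed_connects(log_text):
    """Return (family, server, port, errno) for each failed connect attempt."""
    found = []
    for line in log_text.splitlines():
        m = RETRY_RE.search(line)
        if m is None:
            continue  # not a per-retry connect failure line
        try:
            addr, port = split_endpoint(m["endpoint"])
        except ValueError:
            continue  # endpoint is not a literal IP address plus port
        found.append((f"IPv{addr.version}", str(addr), port, int(m["errno"])))
    return found

def summarize(log_text):
    """Count failed attempts per (family, server, port, errno)."""
    return Counter(failed_connects(log_text))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, *key)
```
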
