Permitted IP address for management interface could not access HTTPS or SSH


L3 Networker

Hello PA team,

I have configured a permitted IP list for my management IP and I am unable to access my firewall via the GUI (HTTPS) or the CLI (SSH).

I have enabled PING, HTTPS, SNMP and SSH on the management interface.

When I remove all permitted IP addresses, I am able to access HTTPS and SSH and able to ping as well.

But when I add a permitted IP address, I am only able to ping and not able to use SSH or HTTPS.

Any guidance would be appreciated.

I need to check from the permitted IP address whether that request is reaching my FW management IP. How can I check that?

Accepted Solutions

Cyber Elite

Hello @Doyenadmin

Thanks for the post.

Could you have a look into this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clb4CAC? You might be hitting this issue.

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK

We referred to the attached article and changed the MTU to 1400, and we are able to access the mgmt interface from the LAN network.

Even though I referred to this document on the day we implemented permit IP and faced the issue, the only thing I didn't understand is: when we remove the IP or subnet from the permit IP list, how am I not facing the MTU issue?

Why do I face the MTU issue only if I allow the same subnet and IP in the permit IP list?

Cyber Elite

Thank you for the reply @Doyenadmin

The MTU issue is there regardless of whether you apply the permit access list or not. When the permit access list is not applied, it is masking the issue. What I think is happening is as follows:

The initial TCP three-way handshake initiated by your PC is completed. These packets are small and do not carry any data; then your PC sends the SSL Client Hello and the Firewall replies with the Server Hello. This packet is large as it contains all the SSL-related information. The size of this packet exceeds the MTU between the Firewall and your PC while the DF bit is set. The node that drops this packet sends back to the Firewall an ICMP Type 3 Code 4 to lower the MTU, using its own interface IP address as the source, and this is the part where the issue with permitted IP addresses comes in. The Firewall accepts only the source IP addresses that you allow, and the intermediate node that is asking for a lower MTU is not in the permitted IP address list. In a nutshell, if you knew the IP address of this node and put it in the permit list, then you would not have to lower the MTU. With the list in place, this is breaking PMTU Discovery. This kind of issue is typically something with the ISP that is out of your control.

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
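The failure mode Pavel describes can be walked through in a small model. The following Python is an added example, not code from the thread or from PAN-OS: it models a management interface with a source-address permit list, a router with a smaller downstream link, and the retransmit-after-ICMP behaviour of PMTUD. All addresses (10.1.1.1 for the firewall, 10.1.1.50 for the admin PC, 198.51.100.1 for the intermediate router) and the 1400-byte link MTU are constructed values. It reproduces the four cases from the thread: no permit list (works), permit list with only the PC (large ServerHello stalls while ping and the handshake still succeed), permit list plus a lowered interface MTU (works), and permit list that also includes the node sending the Type 3 Code 4 (works).

```python
"""Model of how a management-interface permitted-IP list can break
Path MTU Discovery (PMTUD). Constructed illustration, not PAN-OS code."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    size: int               # bytes on the wire
    kind: str = "tcp"       # "tcp" or "icmp"
    df: bool = True         # Don't Fragment bit, set by PMTUD-capable hosts
    icmp_type: int = 0      # only meaningful for kind == "icmp"
    icmp_code: int = 0
    icmp_mtu: int = 0       # next-hop MTU reported by a Type 3 Code 4 message
    inner_dst: str = ""     # destination of the dropped packet quoted in the ICMP


@dataclass
class MgmtInterface:
    ip: str
    mtu: int = 1500
    permitted: frozenset = frozenset()        # empty == any source allowed
    path_mtu: dict = field(default_factory=dict)  # learned per-peer MTU

    def accepts(self, pkt: Packet) -> bool:
        # The permitted-IP check is a plain source-address filter and applies
        # to every inbound packet, ICMP error messages included.
        return not self.permitted or pkt.src in self.permitted

    def receive(self, pkt: Packet) -> str:
        if not self.accepts(pkt):
            return "dropped-by-permit-list"
        if pkt.kind == "icmp" and (pkt.icmp_type, pkt.icmp_code) == (3, 4):
            # Fragmentation needed: remember the smaller MTU for that peer
            self.path_mtu[pkt.inner_dst] = pkt.icmp_mtu
            return "pmtu-updated"
        return "accepted"

    def segment_size(self, dst: str, payload: int) -> int:
        # Never emit more than the interface MTU or the learned path MTU
        return min(payload, self.mtu, self.path_mtu.get(dst, self.mtu))


def deliver(fw: MgmtInterface, dst: str, payload: int,
            router_ip: str, link_mtu: int) -> str:
    """Send `payload` bytes from the firewall to `dst` through a router whose
    downstream link MTU is `link_mtu`. One retransmit is allowed after PMTUD
    feedback, mirroring a stack that retries with a smaller segment."""
    for _ in range(2):
        pkt = Packet(src=fw.ip, dst=dst, size=fw.segment_size(dst, payload))
        if pkt.size <= link_mtu:
            return "delivered"
        # DF is set, so the router cannot fragment: it drops the packet and
        # reports back using its OWN interface IP as the source address.
        notice = Packet(src=router_ip, dst=fw.ip, size=56, kind="icmp",
                        icmp_type=3, icmp_code=4, icmp_mtu=link_mtu,
                        inner_dst=dst)
        outcome = fw.receive(notice)
        if outcome != "pmtu-updated":
            return f"stalled ({outcome})"
    return "stalled (retry limit)"


def run_scenario(permitted, fw_mtu=1500, client="10.1.1.50",
                 router="198.51.100.1", link_mtu=1400) -> dict:
    """Outcomes for a SYN-ACK, a ping reply and a TLS ServerHello.
    Addresses and the 1400-byte link MTU are constructed sample values."""
    fw = MgmtInterface(ip="10.1.1.1", mtu=fw_mtu, permitted=frozenset(permitted))
    return {
        "syn_ack":      deliver(fw, client, 60,   router, link_mtu),  # small
        "ping_reply":   deliver(fw, client, 84,   router, link_mtu),  # small
        "server_hello": deliver(fw, client, 1500, router, link_mtu),  # large
    }


if __name__ == "__main__":
    cases = {
        "no permit list":                 run_scenario(()),
        "permit PC only":                 run_scenario(("10.1.1.50",)),
        "permit PC, interface MTU 1400":  run_scenario(("10.1.1.50",), fw_mtu=1400),
        "permit PC and router":           run_scenario(("10.1.1.50", "198.51.100.1")),
    }
    for name, result in cases.items():
        print(f"{name:32s} {result}")
```

The model makes the asymmetry in the thread explicit: the handshake and ping fit under the link MTU and never trigger PMTUD, so they succeed in every case, while the large ServerHello only gets through when the firewall is allowed to hear the router's Type 3 Code 4 (empty list, or the router's address added) or never sends an oversize segment in the first place (interface MTU lowered). On a real network the router address would be found from a packet capture on the management interface, and it may change whenever the ISP re-routes, which is why lowering the MTU is the more robust fix.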

Thanks @PavelK for the explanation, really appreciate it.
