09-15-2022 08:57 AM
Hello PA team,
I have configured permitted IP list for my management IP list and I am unable to access my firewall via GUI https or CLI - ssh.
I have enabled - PING , HTTPS, SNMP, SSH on management interface.
when i remove all permitted IP addresses then i am able to access - https ssh and able to ping as well.
but when i add permitted IP address then i am only able to ping and not able to ssh and https.
any guidance would be appreciated.
i need to check from permitted IP address if that request is reaching to my fw mgmt IP how can i check that.
09-16-2022 03:06 AM
Hello @Doyenadmin
thanks for the post.
Could you have a look into this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clb4CAC? You might be hitting this issue.
Kind Regards
Pavel
09-16-2022 03:06 AM
Hello @Doyenadmin
thanks for the post.
Could you have a look into this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clb4CAC? You might be hitting this issue.
Kind Regards
Pavel
09-16-2022 06:10 AM
Hi @PavelK
We referred the attached article, and changed the MTU to 1400 and we are able to access the mgmt interface from LAN network.
even though i referred this document on the day we implemented permit IP and faced issue.
only thing i didn't understood is when we remove IP or subnet from permit IP list then the how i am not facing MTU issue ??
why only if i allowed the same subnet and IP in permit IP list then facing MTU issue ??
09-16-2022 07:19 AM
Thank you for reply @Doyenadmin
The MTU issue is there regardless you apply permit access list or not. When the permit access list is not applied, it is masking the issue. What I think is happening is as follows:
The initial TCP 3 way handshake initiated by your PC is completed. These packets are small and do not carry any data, then your PC send SSL client Hello and Firewall replies with Server hello. The packet size is large as it contains all SSL related information. The size of this packet is exceeding MTU between Firewall and your PC while the DF bit is set. The node that is dropping this packet is sending back to Firewall ICMP Type 3 Code 4 to lower MTU using its own interface IP address as a source and this is part where the issue with permitted IP addresses comes in. The Firewall accepts only source IP addresses that you allow and intermediate node that is asking for lowering MTU is not in the permitted IP address list. In nutshell, if you knew the IP address of this node and put it in the permit list, then you would not have to lower MTU. With the list in place, this is breaking PMTU Discovery. This kind of issue is typically something with ISP that is out of your control.
Kind Regards
Pavel
09-16-2022 08:51 AM
Thanks @PavelK for explanation, really appreciate.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
