A few months ago I found a small bug in PAN-OS, the operating system from Palo Alto Networks. It is related to an IPv6 enabled management interface. The MGT address was not reachable when the firewall operates in layer 2 mode, that is, had layer 2 interfaces along with VLANs. Luckily, this bug is fixed with the new software version 6.1.2 which was released this week (bug ID 67719).
Following are a few listings that show the incomplete handling of the IPv6 neighbor cache of the MGT interface in the old version (pre 6.1.2).
I was using the layer 2 mode for some switch tests about STP. During these tests, I noticed that I was not able to connect to the MGT interface via IPv6 anymore.
The Palo Alto in my lab has a VLAN interface (vlan.120) and the corresponding VLAN on a layer 2 subinterface. The management port is plugged into a switch in the same VLAN. The IPv6 address on the MGT interface is 2003:51:6012:120::2/64 .
Bug
For example, when trying to ping or to ssh to the MGT interface from another machine …
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
weberjoh@jw-nb08:~$ ping6 2003:51:6012:120::2 PING 2003:51:6012:120::2(2003:51:6012:120::2) 56 data bytes ^C --- 2003:51:6012:120::2 ping statistics --- 6 packets transmitted, 0 received, 100% packet loss, time 5039ms weberjoh@jw-nb08:~$ weberjoh@jw-nb08:~$ weberjoh@jw-nb08:~$ ssh -v pa-mgmt.webernetz.net OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to pa-mgmt.webernetz.net [2003:51:6012:120::2] port 22. ^C |
… the neighbor cache did not show the MGT IPv6 address:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
weberjoh@fd-wv-fw02> show neighbor vlan.120 maximum of entries supported : 500 default base reachable time: 30 seconds total neighbor entries in table : 27 total neighbor entries shown : 7 interface ip address hw address status -------------------------------------------------------------------------------- vlan.120 2003:51:6012:120::10 00:1d:92:53:58:12 STALE vlan.120 2003:51:6012:120::13 00:0c:29:be:67:4d STALE vlan.120 fe80::20c:29ff:febe:674d 00:0c:29:be:67:4d STALE vlan.120 fe80::20c:29ff:fefb:69c4 00:0c:29:fb:69:c4 STALE vlan.120 fe80::219:e2ff:fea1:f986 00:19:e2:a1:f9:86 STALE vlan.120 fe80::21d:92ff:fe53:5812 00:1d:92:53:58:12 STALE vlan.120 fe80::b60c:25ff:fe05:8e00 b4:0c:25:05:8e:00 STALE |
However, I was able to ping from that MGT interface IPv6 address. Interestingly, the neighbor cache revealed the ::2 address, but only with the status “PROBE” and only for a very few seconds:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
weberjoh@fd-wv-fw02> ping inet6 yes source 2003:51:6012:120::2 host heise.de PING heise.de(redirector.heise.de) from 2003:51:6012:120::2 : 56 data bytes 64 bytes from redirector.heise.de: icmp_seq=0 ttl=54 time=72.8 ms 64 bytes from redirector.heise.de: icmp_seq=1 ttl=54 time=24.8 ms 64 bytes from redirector.heise.de: icmp_seq=2 ttl=54 time=22.0 ms 64 bytes from redirector.heise.de: icmp_seq=3 ttl=54 time=26.4 ms ^C --- heise.de ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3029ms rtt min/avg/max/mdev = 22.081/36.543/72.831/21.008 ms, pipe 2 weberjoh@fd-wv-fw02> show neighbor vlan.120 maximum of entries supported : 500 default base reachable time: 30 seconds total neighbor entries in table : 27 total neighbor entries shown : 7 interface ip address hw address status -------------------------------------------------------------------------------- vlan.120 2003:51:6012:120::2 b4:0c:25:05:8e:00 PROBE vlan.120 2003:51:6012:120::13 00:0c:29:be:67:4d STALE vlan.120 fe80::20c:29ff:febe:674d 00:0c:29:be:67:4d STALE vlan.120 fe80::20c:29ff:fefb:69c4 00:0c:29:fb:69:c4 STALE vlan.120 fe80::219:e2ff:fea1:f986 00:19:e2:a1:f9:86 STALE vlan.120 fe80::21d:92ff:fe53:5812 00:1d:92:53:58:12 STALE vlan.120 fe80::b60c:25ff:fe05:8e00 b4:0c:25:05:8e:00 STALE weberjoh@fd-wv-fw02> show neighbor vlan.120 maximum of entries supported : 500 default base reachable time: 30 seconds total neighbor entries in table : 26 total neighbor entries shown : 6 interface ip address hw address status -------------------------------------------------------------------------------- vlan.120 2003:51:6012:120::13 00:0c:29:be:67:4d STALE vlan.120 fe80::20c:29ff:febe:674d 00:0c:29:be:67:4d STALE vlan.120 fe80::20c:29ff:fefb:69c4 00:0c:29:fb:69:c4 STALE vlan.120 fe80::219:e2ff:fea1:f986 00:19:e2:a1:f9:86 STALE vlan.120 fe80::21d:92ff:fe53:5812 00:1d:92:53:58:12 STALE vlan.120 fe80::b60c:25ff:fe05:8e00 b4:0c:25:05:8e:00 STALE |
The traffic log on the Palo Alto shows that incoming connections did not succeed, while outgoing connections did:
Fixed in 6.1.2
with bug ID 67719: “The management interface was not receiving IPv6 connections for traffic from the dataplane when the firewall was in Layer 2 mode. An update was made to the MAC address learning process so that the Management interface receives IPv6 traffic from the dataplane when the firewall is in Layer 2 mode.”
Now I can ping to the IPv6 MGT address:
|
1 2 3 4 5 6 7 8 9 10 |
weberjoh@jw-nb08:~$ ping6 2003:51:6012:120::2 PING 2003:51:6012:120::2(2003:51:6012:120::2) 56 data bytes 64 bytes from 2003:51:6012:120::2: icmp_seq=1 ttl=62 time=1.54 ms 64 bytes from 2003:51:6012:120::2: icmp_seq=2 ttl=62 time=1.05 ms 64 bytes from 2003:51:6012:120::2: icmp_seq=3 ttl=62 time=1.17 ms 64 bytes from 2003:51:6012:120::2: icmp_seq=4 ttl=62 time=1.16 ms ^C --- 2003:51:6012:120::2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 1.056/1.235/1.547/0.189 ms |
And the neighbor cache correctly shows the REACHABLE/STALE neighbor:
|
1 2 3 4 5 6 7 8 9 10 11 |
weberjoh@fd-wv-fw02> show neighbor vlan.120 maximum of entries supported : 500 default base reachable time: 30 seconds total neighbor entries in table : 10 total neighbor entries shown : 2 interface ip address hw address status -------------------------------------------------------------------------------- vlan.120 2003:51:6012:120::2 b4:0c:25:05:8e:00 STALE vlan.120 fe80::b60c:25ff:fe05:8e00 b4:0c:25:05:8e:00 STALE |
Cheers!