A few months ago I found a small bug in PAN-OS, the operating system from Palo Alto Networks. It concerns an IPv6-enabled management interface: the MGT address was not reachable over IPv6 when the firewall operated in layer 2 mode, that is, with layer 2 interfaces along with VLANs. Luckily, this bug is fixed with the new software version 6.1.2 which was released this week (bug ID 67719).
Following are a few listings that show the incomplete handling of the IPv6 neighbor cache of the MGT interface in the old version (pre 6.1.2).
I was using layer 2 mode for some STP switch tests. During these tests I noticed that I could no longer connect to the MGT interface via IPv6.
The Palo Alto in my lab has a VLAN interface (vlan.120) and the corresponding VLAN on a layer 2 subinterface. The management port is plugged into a switch in the same VLAN. The IPv6 address on the MGT interface is 2003:51:6012:120::2/64.
Bug
For example, when trying to ping or to ssh to the MGT interface from another machine …
weberjoh@jw-nb08:~$ ping6 2003:51:6012:120::2
PING 2003:51:6012:120::2(2003:51:6012:120::2) 56 data bytes
^C
--- 2003:51:6012:120::2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5039ms
weberjoh@jw-nb08:~$
weberjoh@jw-nb08:~$
weberjoh@jw-nb08:~$ ssh -v pa-mgmt.webernetz.net
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to pa-mgmt.webernetz.net [2003:51:6012:120::2] port 22.
^C
… the neighbor cache did not show the MGT IPv6 address:
weberjoh@fd-wv-fw02> show neighbor vlan.120
maximum of entries supported : 500
default base reachable time: 30 seconds
total neighbor entries in table : 27
total neighbor entries shown : 7
interface   ip address                  hw address          status
--------------------------------------------------------------------------------
vlan.120    2003:51:6012:120::10        00:1d:92:53:58:12   STALE
vlan.120    2003:51:6012:120::13        00:0c:29:be:67:4d   STALE
vlan.120    fe80::20c:29ff:febe:674d    00:0c:29:be:67:4d   STALE
vlan.120    fe80::20c:29ff:fefb:69c4    00:0c:29:fb:69:c4   STALE
vlan.120    fe80::219:e2ff:fea1:f986    00:19:e2:a1:f9:86   STALE
vlan.120    fe80::21d:92ff:fe53:5812    00:1d:92:53:58:12   STALE
vlan.120    fe80::b60c:25ff:fe05:8e00   b4:0c:25:05:8e:00   STALE
However, I was able to ping from that MGT interface IPv6 address. Interestingly, the neighbor cache then revealed the ::2 address, but only with the status “PROBE” and only for a few seconds:
weberjoh@fd-wv-fw02> ping inet6 yes source 2003:51:6012:120::2 host heise.de
PING heise.de(redirector.heise.de) from 2003:51:6012:120::2 : 56 data bytes
64 bytes from redirector.heise.de: icmp_seq=0 ttl=54 time=72.8 ms
64 bytes from redirector.heise.de: icmp_seq=1 ttl=54 time=24.8 ms
64 bytes from redirector.heise.de: icmp_seq=2 ttl=54 time=22.0 ms
64 bytes from redirector.heise.de: icmp_seq=3 ttl=54 time=26.4 ms
^C
--- heise.de ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3029ms
rtt min/avg/max/mdev = 22.081/36.543/72.831/21.008 ms, pipe 2

weberjoh@fd-wv-fw02> show neighbor vlan.120
maximum of entries supported : 500
default base reachable time: 30 seconds
total neighbor entries in table : 27
total neighbor entries shown : 7
interface   ip address                  hw address          status
--------------------------------------------------------------------------------
vlan.120    2003:51:6012:120::2         b4:0c:25:05:8e:00   PROBE
vlan.120    2003:51:6012:120::13        00:0c:29:be:67:4d   STALE
vlan.120    fe80::20c:29ff:febe:674d    00:0c:29:be:67:4d   STALE
vlan.120    fe80::20c:29ff:fefb:69c4    00:0c:29:fb:69:c4   STALE
vlan.120    fe80::219:e2ff:fea1:f986    00:19:e2:a1:f9:86   STALE
vlan.120    fe80::21d:92ff:fe53:5812    00:1d:92:53:58:12   STALE
vlan.120    fe80::b60c:25ff:fe05:8e00   b4:0c:25:05:8e:00   STALE

weberjoh@fd-wv-fw02> show neighbor vlan.120
maximum of entries supported : 500
default base reachable time: 30 seconds
total neighbor entries in table : 26
total neighbor entries shown : 6
interface   ip address                  hw address          status
--------------------------------------------------------------------------------
vlan.120    2003:51:6012:120::13        00:0c:29:be:67:4d   STALE
vlan.120    fe80::20c:29ff:febe:674d    00:0c:29:be:67:4d   STALE
vlan.120    fe80::20c:29ff:fefb:69c4    00:0c:29:fb:69:c4   STALE
vlan.120    fe80::219:e2ff:fea1:f986    00:19:e2:a1:f9:86   STALE
vlan.120    fe80::21d:92ff:fe53:5812    00:1d:92:53:58:12   STALE
vlan.120    fe80::b60c:25ff:fe05:8e00   b4:0c:25:05:8e:00   STALE
The traffic log on the Palo Alto shows that incoming connections did not succeed, while outgoing connections did:
Fixed in 6.1.2
with bug ID 67719: “The management interface was not receiving IPv6 connections for traffic from the dataplane when the firewall was in Layer 2 mode. An update was made to the MAC address learning process so that the Management interface receives IPv6 traffic from the dataplane when the firewall is in Layer 2 mode.”
Now I can ping the IPv6 MGT address:
weberjoh@jw-nb08:~$ ping6 2003:51:6012:120::2
PING 2003:51:6012:120::2(2003:51:6012:120::2) 56 data bytes
64 bytes from 2003:51:6012:120::2: icmp_seq=1 ttl=62 time=1.54 ms
64 bytes from 2003:51:6012:120::2: icmp_seq=2 ttl=62 time=1.05 ms
64 bytes from 2003:51:6012:120::2: icmp_seq=3 ttl=62 time=1.17 ms
64 bytes from 2003:51:6012:120::2: icmp_seq=4 ttl=62 time=1.16 ms
^C
--- 2003:51:6012:120::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.056/1.235/1.547/0.189 ms
And the neighbor cache correctly shows the REACHABLE/STALE neighbor:
weberjoh@fd-wv-fw02> show neighbor vlan.120
maximum of entries supported : 500
default base reachable time: 30 seconds
total neighbor entries in table : 10
total neighbor entries shown : 2
interface   ip address                  hw address          status
--------------------------------------------------------------------------------
vlan.120    2003:51:6012:120::2         b4:0c:25:05:8e:00   STALE
vlan.120    fe80::b60c:25ff:fe05:8e00   b4:0c:25:05:8e:00   STALE
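To turn the three cache states shown in the listings above (MGT address missing, present only as PROBE, present as STALE) into a repeatable check, here is a small parser for the "show neighbor" table format. This is an added example, not code from Palo Alto Networks or from the original post; the sample tables are constructed from the listings above and the state names follow the RFC 4861 neighbor unreachability detection states.

```python
import re
from typing import List, NamedTuple

class Neighbor(NamedTuple):
    iface: str
    ip: str
    mac: str
    status: str

# One table row: "<iface> <ipv6> <mac> <NUD state>". Header and summary lines
# ("interface ip address ...", "total neighbor entries ...") do not match.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>[0-9a-fA-F:]+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<status>[A-Z]+)$"
)

def parse_show_neighbor(output: str) -> List[Neighbor]:
    """Return the neighbor-table rows of a 'show neighbor <iface>' listing."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Neighbor(m["iface"], m["ip"].lower(), m["mac"].lower(), m["status"]))
    return rows

def mgt_cache_state(output: str, mgt_ip: str) -> str:
    """Classify how the dataplane neighbor cache sees the MGT address.
    'missing'  : no entry (idle pre-6.1.2 firewall; inbound IPv6 is not delivered)
    'probing'  : only a PROBE entry (the transient state seen while MGT pings out)
    'resolved' : REACHABLE/STALE/DELAY entry, i.e. the link-layer address is usable
    """
    entries = [n for n in parse_show_neighbor(output) if n.ip == mgt_ip.lower()]
    if not entries:
        return "missing"
    if all(n.status == "PROBE" for n in entries):
        return "probing"
    return "resolved"

# Constructed samples, shortened from the listings above (pre-6.1.2 idle,
# pre-6.1.2 during the outbound ping, and 6.1.2).
BUGGY_IDLE = """\
interface ip address hw address status
--------------------------------------------------------------------------------
vlan.120 2003:51:6012:120::10 00:1d:92:53:58:12 STALE
vlan.120 fe80::b60c:25ff:fe05:8e00 b4:0c:25:05:8e:00 STALE
"""
BUGGY_PROBE = BUGGY_IDLE + "vlan.120 2003:51:6012:120::2 b4:0c:25:05:8e:00 PROBE\n"
FIXED = BUGGY_IDLE + "vlan.120 2003:51:6012:120::2 b4:0c:25:05:8e:00 STALE\n"
```

Feeding the output of "show neighbor vlan.120" into mgt_cache_state with the MGT address returns "resolved" on 6.1.2 and "missing" or "probing" on the affected releases.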