Minor Palo Alto Bug concerning IPv6 MGT

A few months ago I found a small bug in PAN-OS, the operating system of the Palo Alto Networks firewalls. It concerns an IPv6-enabled management interface: the MGT address was not reachable when the firewall was operating in layer 2 mode, that is, when it had layer 2 interfaces along with VLAN interfaces. Luckily, this bug is fixed in the new software version 6.1.2, which was released this week (bug ID 67719).

The following listings show the incomplete handling of the MGT interface's IPv6 address in the neighbor cache with the old version (prior to 6.1.2).

I was using layer 2 mode for some STP tests with switches. During these tests I noticed that I could no longer connect to the MGT interface via IPv6.

The Palo Alto in my lab has a VLAN interface (vlan.120) and the corresponding VLAN on a layer 2 subinterface. The management port is plugged into a switch port in the same VLAN. The IPv6 address of the MGT interface is 2003:51:6012:120::2/64.

Bug

For example, when I tried to ping or SSH to the MGT interface from another machine in the same VLAN …

… the neighbor cache did not show the MGT IPv6 address:


However, pinging in the other direction, from the MGT interface's IPv6 address to that machine, worked. Interestingly, the neighbor cache of the machine then revealed the ::2 address, but only with the status "PROBE" and only for a few seconds:


The traffic log on the Palo Alto shows that incoming connections did not succeed, while outgoing connections did:

Palo Alto IPv6 MGMT interface pings

Fixed in 6.1.2

Addressed in PAN-OS 6.1.2 under bug ID 67719: "The management interface was not receiving IPv6 connections for traffic from the dataplane when the firewall was in Layer 2 mode. An update was made to the MAC address learning process so that the Management interface receives IPv6 traffic from the dataplane when the firewall is in Layer 2 mode."

Now I can ping the IPv6 MGT address:

And the neighbor cache correctly shows the neighbor as REACHABLE (or STALE once the entry ages):
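The check performed by hand above (ping the MGT address, then look at the NUD state the neighbor cache holds for it) can be scripted so that the before and after states are easy to compare. The following is an added example, not code from the original post or from Palo Alto Networks. It assumes a Linux client with iproute2 (`ip -6 neigh`), whose output has the NUD state as the last field of each line; the two sample neighbor-cache listings and the MAC addresses in them are constructed, and the mapping of NUD states to a verdict is this example's own heuristic.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ping plus
# neighbor-cache check for an IPv6 neighbor such as the Palo Alto MGT address.
# Assumes Linux iproute2; sample cache listings below are constructed.

# Print the NUD state of ADDR from `ip -6 neigh` output read on stdin.
# iproute2 prints the state as the last field, e.g.
#   2003:51:6012:120::2 dev eth0 lladdr 02:00:00:00:00:02 REACHABLE
# Prints NONE when the address has no entry in the cache at all.
nud_state() {
    ns_addr="$1"
    ns_state=$(awk -v a="$ns_addr" '$1 == a { print $NF; exit }')
    if [ -z "$ns_state" ]; then
        echo NONE
    else
        echo "$ns_state"
    fi
}

# Heuristic mapping of a NUD state to what it means for the symptom in the
# post: REACHABLE/STALE/DELAY mean the neighbor was resolved, PROBE means an
# entry exists but the peer has not confirmed it, anything else is unusable.
verdict() {
    case "$1" in
        REACHABLE|STALE|DELAY)  echo "ok: neighbor resolved, inbound traffic should work" ;;
        PROBE)                  echo "suspect: entry exists but no confirmation from peer" ;;
        INCOMPLETE|FAILED|NONE) echo "broken: no usable neighbor entry" ;;
        *)                      echo "unknown state: $1" ;;
    esac
}

# Live check: send three pings to ADDR, then report the cache state.
# Returns 0 only when the ping succeeded and the cache state looks healthy.
check_neighbor() {
    cn_addr="$1"
    if command -v ping6 >/dev/null 2>&1; then
        ping6 -c 3 -W 1 "$cn_addr" >/dev/null 2>&1 && cn_ping=ok || cn_ping=fail
    else
        ping -6 -c 3 -W 1 "$cn_addr" >/dev/null 2>&1 && cn_ping=ok || cn_ping=fail
    fi
    cn_state=$(ip -6 neigh show to "$cn_addr" | nud_state "$cn_addr")
    echo "ping=$cn_ping nud=$cn_state -> $(verdict "$cn_state")"
    if [ "$cn_ping" = ok ]; then
        case "$cn_state" in REACHABLE|STALE|DELAY) return 0 ;; esac
    fi
    return 1
}

# Constructed samples: the buggy state (MGT address only briefly in PROBE,
# as described in the post) and the fixed state (REACHABLE). MAC addresses
# are made up, locally administered values.
SAMPLE_BUGGY='2003:51:6012:120::1 dev eth0 lladdr 02:00:00:00:00:01 router REACHABLE
2003:51:6012:120::2 dev eth0 lladdr 02:00:00:00:00:02 PROBE
fe80::1 dev eth0  INCOMPLETE'

SAMPLE_FIXED='2003:51:6012:120::2 dev eth0 lladdr 02:00:00:00:00:02 REACHABLE'

MGT_ADDR=2003:51:6012:120::2

if [ "$#" -ge 1 ]; then
    # Usage: ./check.sh <ipv6-address>
    check_neighbor "$1"
else
    # Dry run against the constructed samples when no address is given.
    for s in "$SAMPLE_BUGGY" "$SAMPLE_FIXED"; do
        st=$(printf '%s\n' "$s" | nud_state "$MGT_ADDR")
        echo "nud=$st -> $(verdict "$st")"
    done
fi
```

Run it with the MGT address as the only argument on a client in the same VLAN. On a pre-6.1.2 firewall in layer 2 mode the expected outcome is `ping=fail` with `nud=NONE` (or, within the few seconds after the firewall itself sent traffic, `nud=PROBE`); after the fix it should report `ping=ok` with `nud=REACHABLE`. On macOS the equivalent listing comes from `ndp -an`, which prints single-letter state codes, so the parser would need to be adapted there.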

