Firewall not connecting to Panorama | Intermediate device sends ICMP Fragmentation needed message

Firewall not connecting to Panorama | Intermediate device sends ICMP Fragmentation needed message

6847
Created On 03/28/23 05:24 AM - Last Modified 12/07/24 02:18 AM


Symptom


  • Troubleshooting Panorama Connectivity is used for troubleshooting.
  • It is identified that MTU is lower on an intermediate device between managed firewall and Panorama based on the intermediate device sending ICMP Fragmentation needed (Type 3, Code 4) message.
  • Ideally, as per Path MTU discovery, when the host receives the ICMP Fragmentation needed message, it should honor it and reduce its MTU accordingly in the subsequent connection attempt however, the managed firewall continues sending with same old MSS value in TCP SYN packet.

Environment


  • Panorama managed Firewalls
  • Supported PAN-OS

Cause


  • Permitted IP list configured on management interface of the managed firewall.
  • This causes the  ICMP fragmentation needed message not to reach the management interface and so the MTU is not adjusted automatically.

Resolution


  1. Add the IP of the intermediate device that sent ICMP Fragmentation needed message under
    • Managed firewall GUI > Device > Setup >Interface >Management Interface Settings (Ping service should be allowed)
  2. This causes the Fragmentation needed message to reach the firewall and will adjust the MTU accordingly.
 
Alternate solution:
  1. Change MTU on the intermediate device to match firewall management MTU.
  2. Lower MTU on the management interface to match the intermediate device.
  3. Adjust TCP MSS, if traffic flows through dataplane of the firewall accordingly.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHXeCAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language