ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Issues with connecting to and from devices in the 172.17.0.0/16 range after upgrading to v 4.x. Including PAM Utility appliances

book

Article ID: 240978

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have issues with all PAM servers in our environment after upgrading to version 4.0.1.

Users in the office aren't able to use the PAM appliance without connecting to VPN. We engaged the network team to look into this issue as we thought it was related to routing but from network side.

Pinging the appliances from a host in the 172.17.0.0/16 network range does not reply although pinging or accessing from any other network range works fine. Also accessing target devices in the same same range act as if they are firewalled although there is no firewalls at all between them

 

Cause

PAM internal Docker services uses 172.17.0.0 which leads to an issue with IP routing in and out of the PAM appliances and Utility servers. The Docker service was just introduced in Symantec PAM 4.x to enable additional future services including the PAMSC integration and PAM Utility Appliances.

Environment

Release : 4.0.x and 4.1.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

At this time (5/4/22), L2 is working on a change to the PAM architecture and no ETA for a full resolution is available at this time.

 

A workaround of modifying this internal network is possible with Broadcom Support ssh login directly to each node in the cluster and each Utility appliance to manually update Docker to utilize an unused network in you current environment.

You will need to request an unused class b network  from network team.  When you have the specified network you can arrange with support to ssh into PAM to modify the bip IP range