PAM -- Cannot SSH to Devices Which Have IPv6 Addresses

Article ID: 269990

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a device in the environment has both an IPv6 and an IPv4 address in DNS, PAM is unable to SSH to the device. Devices that only use IPv4 are not affected: PAM can SSH to them successfully.

Environment

Release: 4.1-4.1.3

Cause

In the new mixed IPv4/IPv6 environment, SLAAC (StateLess Address Auto-Configuration) automatically assigned an IPv6 address to the PAM appliance. As a result, the appliance tries to use the IPv6 protocol whenever an IPv6 address can be retrieved from DNS for the target device. The connection may then fail, either because PAM releases up to 4.1.3 lack support for IPv6 gateway configurations or because other restrictions in the network do not allow IPv6 connections to the target device.

Resolution

Full IPv6 support was added in PAM 4.1.4. This allows for configuration of a default IPv6 gateway, which may be needed for successful communication over IPv6. If IPv6 support is not required, it can be disabled in 4.1.4+ so that only IPv4 addresses will be used for connections to target devices.

A workaround is to use the IPv4 address as the device address in PAM. For imported devices, the "Override Address" checkbox can be used to override the imported address, which typically is the FQDN of the device.

Another possible workaround is to use the Configuration > Network > Host File Entry page to associate the IPv4 address with the device FQDN. However, a list of entries in the hosts file is not a long-term option if a large number of devices is affected.

If IPv6 communication is not required in the network that the PAM appliances are in, disabling SLAAC may be another option. If a PAM appliance doesn't get an IPv6 address assigned, it will not try to establish connections using IPv6.
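
To find which devices need one of the workarounds above, the following added example (not part of the original article or of PAM) classifies device FQDNs by the address families they resolve to and lists an IPv4 address for each dual-stack device. The function names and sample hosts are assumptions, and `system_resolver` queries the resolver of the machine running the script, which may see different DNS data than the PAM appliance.

```python
import socket

# Constructed sample data standing in for DNS (documentation address ranges).
SAMPLE_DNS = {
    ("db01.example.test", socket.AF_INET): ["192.0.2.10"],
    ("db01.example.test", socket.AF_INET6): ["2001:db8::10"],
    ("web01.example.test", socket.AF_INET): ["192.0.2.20"],
    ("iot01.example.test", socket.AF_INET6): ["2001:db8::30"],
}

def sample_resolver(fqdn, family):
    """Offline resolver backed by the constructed table above."""
    return SAMPLE_DNS.get((fqdn, family), [])

def system_resolver(fqdn, family):
    """Addresses of one family as seen by this machine's resolver."""
    try:
        infos = socket.getaddrinfo(fqdn, 22, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(fqdn, resolver=system_resolver):
    """Label a device by the address families its FQDN resolves to."""
    v4 = resolver(fqdn, socket.AF_INET)
    v6 = resolver(fqdn, socket.AF_INET6)
    if v4 and v6:
        status = "dual-stack"   # the case described in this article
    elif v6:
        status = "ipv6-only"    # no IPv4 address available for a workaround
    elif v4:
        status = "ipv4-only"    # not affected
    else:
        status = "unresolved"
    return {"fqdn": fqdn, "status": status, "ipv4": v4, "ipv6": v6}

def ipv4_overrides(fqdns, resolver=system_resolver):
    """(FQDN, IPv4) pairs for dual-stack devices, usable for either workaround."""
    rows = (classify(f, resolver) for f in fqdns)
    return [(r["fqdn"], r["ipv4"][0]) for r in rows if r["status"] == "dual-stack"]

if __name__ == "__main__":
    devices = ["db01.example.test", "web01.example.test",
               "iot01.example.test", "gone.example.test"]
    for name in devices:
        print(classify(name, sample_resolver))
    print(ipv4_overrides(devices, sample_resolver))
```

Replace `sample_resolver` with the default `system_resolver` to check real device names; devices reported as `ipv6-only` have no IPv4 address to use for the override or host file workaround.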