
API calls to interface other than GB1 fail after upgrade to 4.0.1


Article ID: 235990


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After upgrading our test environment from 3.4.2 to 4.0.1, we have found that our API calls are not working when we use a GB8 NIC (where we have our clustering configured), though they are still working when we call GB1. The same is true for browser or PAM client sessions launched from subnets that can also reach PAM on another interface.

Cause

PAM 4.0.1 introduced rp_filter (reverse path filtering) in strict mode to prevent the IP spoofing used in DDoS attacks. This means that an incoming connection is accepted on a given interface only if it comes from a source IP for which outgoing connections would go through the same interface. As a consequence, any given client IP can connect to only one interface of the PAM server.
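The check described above can be modelled in a few lines. This is an added example, not Broadcom code: the routing table and client addresses are constructed, only the interface names GB1 and GB8 come from this article, and the mode numbers follow the Linux rp_filter sysctl (0 = off, 1 = strict, 2 = loose).

```python
import ipaddress

# Constructed routing table for a two-NIC appliance (assumed addresses):
# (destination prefix, outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "GB1"),       # default route leaves via GB1
    ("10.10.1.0/24", "GB1"),    # connected subnet on GB1
    ("10.20.8.0/24", "GB8"),    # connected subnet on GB8 (cluster network)
]


def best_route_iface(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface a reply to src_ip would leave on."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src_ip, in_iface, mode, routes=ROUTES):
    """Model the reverse path check for rp_filter modes 0, 1 and 2."""
    if mode == 0:                    # no source validation
        return True
    reply_iface = best_route_iface(src_ip, routes)
    if mode == 2:                    # loose: source reachable via any interface
        return reply_iface is not None
    if mode == 1:                    # strict: reply must leave via in_iface
        return reply_iface == in_iface
    raise ValueError(f"unknown rp_filter mode: {mode}")


def report(clients, ifaces=("GB1", "GB8"), mode=1, routes=ROUTES):
    """Map (client, interface) -> accepted? for every combination."""
    return {(c, i): rp_filter_accepts(c, i, mode, routes)
            for c in clients for i in ifaces}


if __name__ == "__main__":
    # Constructed clients: one per connected subnet, one remote API client.
    clients = ["10.10.1.50", "10.20.8.50", "192.0.2.77"]
    for (client, iface), ok in report(clients).items():
        print(f"{client:>12} -> {iface}: {'accepted' if ok else 'dropped'}")
```

In strict mode the remote client 192.0.2.77 is accepted on GB1 and dropped on GB8, because the only route back to it is the default route via GB1; this is the symptom reported in the Issue section.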

Environment

Release : 4.0.1-4.0.2

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

As of May 11, 2022, a hotfix can be provided on request on top of 4.0.1. Alternatively, PAM Support can address the problem manually during a WebEx session. If you see such a problem with either API calls or PAM client sessions, please open a case with PAM Support.

The reverse path filtering is disabled again in PAM 4.1, and will be disabled in the upcoming 4.0.3 maintenance release. It may become configurable in future releases.