After upgrading our test environment from 3.4.2 to 4.0.1, we have found that our API calls are not working when we use a GB8 NIC (where we have our clustering configured), though they are still working when we call GB1. The same is true for browser or PAM client sessions launched from subnets that can also reach PAM on another interface.

PAM 4.0.1 introduced rp_filter (reverse path filtering) strict mode to prevent IP spoofing from DDos attacks. This implies that incoming connections will only be accepted on a given interface, if they come from a source IP for which outgoing connections will go through the same interface. As a consequence, any given client IP can connect to only one interface of the PAM server.

Release : 4.0.1-4.0.2

Component : PRIVILEGED ACCESS MANAGEMENT

As of May 11 2022 a hotfix can be provided on request on top of 4.0.1.Alternatively PAM Support can address the problem manually during a WebEx session. If you see such a problem with either API calls or PAM client sessions, please open a case with PAM Support.

The reverse path filtering is disabled again in PAM 4.1, and will be disabled in the upcoming 4.0.3 maintenance release. It may become configurable in future releases.