Symantec Privileged Access Management

Tech Tip - CA Privileged Access Manager: SSL VPN Preventing access to your devices 

Mar 07, 2017 10:27 AM

CA Privileged Access Manager Tech Tip by Miquel Gilibert i Sunyé, Principal Support Engineer for March 7, 2017

 

SSL VPN is a PAM feature that lets you configure SSL VPN for access methods. Instead of using CA Privileged Access Manager to broker connections to the target resource device, SSL VPN gives the user's access device a routable IP address on the internal network. On a new PAM appliance, the SSL VPN setting (in Config) defaults to 10.8.0.0/16, that is, a /16 (class B-sized) network.

On the PAM appliance this creates an interface like the following:

 

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

 

In most cases this causes no problem. However, if you have endpoints whose IP addresses are of the form 10.8.X.Y, that is, within the SSL VPN range configured by default, the endpoint may become unreachable: it will not respond to ping, traceroute or any other traffic.

There are two possible solutions:

 

  • If you are not going to use the SSL VPN, change its range to a network outside your usual range of operation.
  • Add a static route to the subnet where the device is located (for instance, 10.8.40.0/24, using the appliance's gateway as the gateway).
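
The following added example (not part of the original tip and not CA/Symantec code) checks a device inventory against the SSL VPN range and shows why either fix works. The endpoint list, the `lan-gateway` label, the 172.31.0.0/16 candidate range and the simplified route table with longest-prefix matching are assumptions made for illustration.

```python
import ipaddress

# Default SSL VPN range quoted in the tech tip.
SSL_VPN_RANGE = ipaddress.ip_network("10.8.0.0/16")

def colliding_endpoints(endpoints, vpn_range=SSL_VPN_RANGE):
    """Return the endpoint addresses that fall inside the SSL VPN range."""
    return [ip for ip in map(ipaddress.ip_address, endpoints) if ip in vpn_range]

def static_routes_needed(endpoints, vpn_range=SSL_VPN_RANGE, prefixlen=24):
    """Group colliding endpoints into subnets that each need a static route."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for ip in colliding_endpoints(endpoints, vpn_range)}
    return sorted(nets)

def vpn_range_is_clear(candidate, endpoints):
    """True if no endpoint lies inside a candidate replacement VPN range."""
    return not colliding_endpoints(endpoints, ipaddress.ip_network(candidate))

def next_hop(dest, routes):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    dest = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in routes
               if dest in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed sample inventory and simplified route table (assumptions).
ENDPOINTS = ["10.8.40.15", "10.8.40.22", "10.8.200.7", "10.9.1.5", "192.168.10.4"]
ROUTES = [("0.0.0.0/0", "lan-gateway"), ("10.8.0.0/16", "tun0")]

if __name__ == "__main__":
    print("Inside SSL VPN range:", [str(ip) for ip in colliding_endpoints(ENDPOINTS)])
    # With only the default VPN route, traffic to the device is sent into tun0.
    print("10.8.40.15 leaves via:", next_hop("10.8.40.15", ROUTES))
    # Solution 2: a more specific static route wins over the /16.
    fixed = ROUTES + [(str(n), "lan-gateway") for n in static_routes_needed(ENDPOINTS)]
    print("after static routes:", next_hop("10.8.40.15", fixed))
    # Solution 1: move the VPN to a range that contains no endpoint.
    print("172.31.0.0/16 clear:", vpn_range_is_clear("172.31.0.0/16", ENDPOINTS))
```
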
