https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/strange-issue-vm-series-ext-interface-with-elastic-ip-in-aws-not/m-p/399581#M1173 <P>I am trying to POC a scenario for my customer in AWS with dual Palo Alto in HA within same availability zone. (We need to build a site to Site VPN tunnel from on-Premises to AWS Palo behind IGW)</P><P>&nbsp;</P><P>I am facing a strange issue. I an not able to reach the outside Elastic IP address of Palo.(I am able to reach the public IP on Management interface).&nbsp;The ENI's are moving to the secondary on failover.&nbsp;</P><UL><LI>I have deployed Palo Alto Primary FW and Secondary FW.&nbsp;</LI><LI>All Security Groups are configured to permit all traffic. No NALC’s configured.&nbsp;</LI><LI>Main VPC is 10.180.0.0/16</LI><LI>There are 4 Subnets: Public 10.180.100.0/24, Management 10.180.110.0/24, Private 10.180.120.0/24 and HA 10.180.130.0/24</LI><LI>There are 2 route tables - Public and Private</LI><LI>3&nbsp; subnets (Public, Management and HA) are associated with Public Route Table and Private subnet is associated with Private RT.</LI><LI>Internet Gateway is attached to VPC.&nbsp;Default route is configured in Public RT pointing to IGW. Communication from Public RT is up as the Test PC and Palo Management interface is able to reach internet.&nbsp;</LI><LI>Palo Alto is configured with Static IP and static default route pointing to the first IP of Public subnet (10.180.100.1)</LI><LI>Palo Configured with Security policy to permit all traffic.</LI><LI>Palo management profile permits ping, ssh, https</LI><LI>Elastic Public IP is attached to the<SPAN>&nbsp;Public and Management ENI’s. Palo Primary have 4 ENI's - Management (elastic IP), Public (elastic IP), HA and Private.</SPAN></LI><LI><SPAN>Source/destination check is disabled on all ENI's</SPAN></LI><LI>HA configured and is syncing the configs with peer. Data plane Interface is moving to the Secondary Palo on failover.&nbsp;</LI><LI>Management IP is reachable, test PC in public subnet is reachable, but Palo’s public IP is not. I re-created this lab at least 10 times now. The interesting thing is that, I was able to reach the external public IP of Palo yesterday but is not working after another rebuild.&nbsp;</LI></UL><P>Am I missing something here? Can any one help me resolve this issue?.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Palo_Lab.PNG" style="width: 577px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/32009iC7676326DBE41943/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Palo_Lab.PNG" alt="Palo_Lab.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 17 Apr 2021 04:31:31 GMT harishsidhartha 2021-04-17T04:31:31Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/strange-issue-vm-series-ext-interface-with-elastic-ip-in-aws-not/m-p/399581#M1173 <P>I am trying to POC a scenario for my customer in AWS with dual Palo Alto in HA within same availability zone. (We need to build a site to Site VPN tunnel from on-Premises to AWS Palo behind IGW)</P><P>&nbsp;</P><P>I am facing a strange issue. I an not able to reach the outside Elastic IP address of Palo.(I am able to reach the public IP on Management interface).&nbsp;The ENI's are moving to the secondary on failover.&nbsp;</P><UL><LI>I have deployed Palo Alto Primary FW and Secondary FW.&nbsp;</LI><LI>All Security Groups are configured to permit all traffic. No NALC’s configured.&nbsp;</LI><LI>Main VPC is 10.180.0.0/16</LI><LI>There are 4 Subnets: Public 10.180.100.0/24, Management 10.180.110.0/24, Private 10.180.120.0/24 and HA 10.180.130.0/24</LI><LI>There are 2 route tables - Public and Private</LI><LI>3&nbsp; subnets (Public, Management and HA) are associated with Public Route Table and Private subnet is associated with Private RT.</LI><LI>Internet Gateway is attached to VPC.&nbsp;Default route is configured in Public RT pointing to IGW. Communication from Public RT is up as the Test PC and Palo Management interface is able to reach internet.&nbsp;</LI><LI>Palo Alto is configured with Static IP and static default route pointing to the first IP of Public subnet (10.180.100.1)</LI><LI>Palo Configured with Security policy to permit all traffic.</LI><LI>Palo management profile permits ping, ssh, https</LI><LI>Elastic Public IP is attached to the<SPAN>&nbsp;Public and Management ENI’s. Palo Primary have 4 ENI's - Management (elastic IP), Public (elastic IP), HA and Private.</SPAN></LI><LI><SPAN>Source/destination check is disabled on all ENI's</SPAN></LI><LI>HA configured and is syncing the configs with peer. Data plane Interface is moving to the Secondary Palo on failover.&nbsp;</LI><LI>Management IP is reachable, test PC in public subnet is reachable, but Palo’s public IP is not. I re-created this lab at least 10 times now. The interesting thing is that, I was able to reach the external public IP of Palo yesterday but is not working after another rebuild.&nbsp;</LI></UL><P>Am I missing something here? Can any one help me resolve this issue?.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Palo_Lab.PNG" style="width: 577px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/32009iC7676326DBE41943/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Palo_Lab.PNG" alt="Palo_Lab.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 17 Apr 2021 04:31:31 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/strange-issue-vm-series-ext-interface-with-elastic-ip-in-aws-not/m-p/399581#M1173 harishsidhartha 2021-04-17T04:31:31Z