https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525905#M729 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/265475">@Tech_pp</a> ,</P> <P>&nbsp;</P> <P>Could you verify the license on the C9300 as requested before?&nbsp; That's the only thing I can think of right now.</P> <P>&nbsp;</P> <P>So you are placing the IP addresses on the interfaces and not using VLANs?&nbsp; Then what I said earlier still applies to the physical interfaces and not the VLAN interfaces.</P> <P>&nbsp;</P> <P>You are correct in that no configuration is required on the NGFW for the VRF.&nbsp; The VRF is local to the C9300.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 04 Jan 2023 14:36:32 GMT TomYoung 2023-01-04T14:36:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525863#M725 <P>Trying to connect a cisco 9300 device with 2 VRF's accross the PA firewall. the PA firewall can not ping the attached 9300 interface in a VRF. IF the interface is taken out of the VRF the connectivity works.</P> <P>&nbsp;</P> <P>Dose any one know whats causing this</P> Wed, 04 Jan 2023 09:58:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525863#M725 Tech_pp 2023-01-04T09:58:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525900#M727 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/265475">@Tech_pp</a> ,</P> <P>&nbsp;</P> <P>Given the small amount of information, I have to make certain assumptions.</P> <P>&nbsp;</P> <P>If you can ping outside the VRF...</P> <OL> <LI>the interface and VLAN configurations are probably correct, and</LI> <LI>L2 connectivity is good, and</LI> <LI>the Management Profile (if pinging the NGFW) is probably correct.</LI> </OL> <P>It sounds like an issue with the C9300.&nbsp; No changes are made on the NGFW between working and not.&nbsp; You may need to go to the Cisco forum.&nbsp; However, I will add a couple thoughts.</P> <P>&nbsp;</P> <P>Placing a VLAN interface inside a VRF is only one command, "ip vrf forwarding VRF_NAME", and it would fail if the VRF were not created.&nbsp; You should get a warning the IP address has been removed and needs to be re-added.</P> <P>&nbsp;</P> <P>Network Advantage is required for VRFs on the C9300.&nbsp; What does "show license summary" show on your C9300?&nbsp; I don't know if you would get an error if you tried to create a VRF without the proper license.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 04 Jan 2023 14:01:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525900#M727 TomYoung 2023-01-04T14:01:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525903#M728 Hi Tom,<BR /><BR />The setup Is as below<BR /><BR />PA firewall is connected with point to point physical connections to a 9300<BR />1 connection (Inside) is in 1 VRF and the other (Outside) in the other VRF (Default)<BR /><BR />I cant ping from the other end of the link from the firewall when the interface on the 9300 is in a VRF, if I move it out of the ver and place it in the default the IP reachability is established.<BR /><BR />Is there a specific config I am missing or required on the PA for connecting into a VRF? I did not think so since VRF is a local concept. (The PA are in active/active setup). I can't get this connectivity for Primary as well as secondary)<BR /><BR />The config on the 9300 is good in my opinion<BR />      Interface is allocated to a VRF and given an IP address (/30)<BR /><BR /><BR /><BR /><BR />Thanks &amp; best regards<BR />Prasanna Patki<BR />#CCIE (RS, Sec, DC) Wed, 04 Jan 2023 14:24:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525903#M728 Tech_pp 2023-01-04T14:24:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525905#M729 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/265475">@Tech_pp</a> ,</P> <P>&nbsp;</P> <P>Could you verify the license on the C9300 as requested before?&nbsp; That's the only thing I can think of right now.</P> <P>&nbsp;</P> <P>So you are placing the IP addresses on the interfaces and not using VLANs?&nbsp; Then what I said earlier still applies to the physical interfaces and not the VLAN interfaces.</P> <P>&nbsp;</P> <P>You are correct in that no configuration is required on the NGFW for the VRF.&nbsp; The VRF is local to the C9300.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 04 Jan 2023 14:36:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525905#M729 TomYoung 2023-01-04T14:36:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525906#M730 <P>The cat is having an advantage License.</P> <P>The ip is on a l3 point to point no svi's</P> <P>&nbsp;</P> <P>My thoughts as well. it is in my lab so will go through it again to see what the issue is. May be some thing to do with clustering Active/Active</P> <P>&nbsp;</P> <P>Will keep yo uposted here</P> <P>&nbsp;</P> <P>Regards</P> <P>Prasanna</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Jan 2023 14:41:24 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-conencting-to-the-cisco-router-in-vrf-lite/m-p/525906#M730 Tech_pp 2023-01-04T14:41:24Z