https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441860#M100038 <P>Strangly,I realized that only 1 sub if is able to ping firewall.&nbsp; firewall has three sub interface under aggregate 2.</P><P>Aggregate 2.31, ae2.32 and ae2.33</P><P>I am able to ping from ae2.32 connected router to firewall, but can not ping from other 2 sub interfaces connected router to firewall.</P><P>Same MGMT profile is used for all interfaces and A, B,C class ip addresses included in this MGMT profile.</P><P>Meanwhile, both devices are visible in the ARP table.</P> Tue, 19 Oct 2021 06:11:52 GMT AzerTurkBank 2021-10-19T06:11:52Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441715#M100024 <P>Hello everyone!</P><P>I am experiencing an odd problem.</P><P>I have 3250 HA pairs. I have configured 2 aggregate(L3 trunk) interfaces and added sub interfaces to these aggregate.</P><P>The first problem is the firewall itself can not ping directly connected device by using "ping source x.x.x.x host y.y.y.y" command.</P><P>Every sub interface has management profile assigned.</P><P>The each aggregate interfaces has connected to 2 cisco stack switches.(switchstack1---aggregate1-aggregate2---switch-stack2)</P><P>I set IP addresses on both switches, however, there is not connection between two switches even though they have default route towards palo alto. I can not even ping from switch to palo alto interface.</P> Mon, 18 Oct 2021 17:59:18 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441715#M100024 AzerTurkBank 2021-10-18T17:59:18Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441819#M100029 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/143296">@AzerTurkBank</a>&nbsp;</P> <P>&nbsp;</P> <P>Are you ping from Active PA?</P> <P>Did this ever worked before?</P> <P>&nbsp;</P> <P>Is both interfaces show up on PA and Cisco?</P> <P>In MGMT Interface is Ping allowed ?</P> <P>&nbsp;</P> <P>Which source IP you are using to ping Cisco Switch?</P> <P>You need to use PA interface IP to ping the Cisco Switch directly connected interface.</P> <P>&nbsp;</P> <P>Regards</P> Tue, 19 Oct 2021 01:45:34 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441819#M100029 MP18 2021-10-19T01:45:34Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441843#M100032 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/143296">@AzerTurkBank</a>,</P> <P>That honestly sounds like you either don't have ping enabled on the interface-management-profile&nbsp;<EM>or&nbsp;</EM>you have permitted-ip setup on the profile and the IPs your attempting to ping aren't included.&nbsp;</P> Tue, 19 Oct 2021 03:15:04 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441843#M100032 BPry 2021-10-19T03:15:04Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441856#M100036 <P>Are you ping from Active PA?</P><P>To tell the truth, no. the first problem has fixed thanks to you.</P><P>Did this ever worked before?(this is new deployment)</P><P>&nbsp;</P><P>Is both interfaces show up on PA and Cisco?(Yes)</P><P>In MGMT Interface is Ping allowed ? Yes- it is allowed.</P><P>it seems switch was L2 and there was routing issue. I changed the switch to router and it responded ping packets.</P><P>&nbsp;</P> Tue, 19 Oct 2021 05:50:05 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441856#M100036 AzerTurkBank 2021-10-19T05:50:05Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441858#M100037 <P>Hi,</P><P>IP addresses allowed in MGMT profile are 10.0.0.0/8. 172.16.0.0./12 and 192.168.0.0./16</P><P>&nbsp;</P> Tue, 19 Oct 2021 06:07:40 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441858#M100037 AzerTurkBank 2021-10-19T06:07:40Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441860#M100038 <P>Strangly,I realized that only 1 sub if is able to ping firewall.&nbsp; firewall has three sub interface under aggregate 2.</P><P>Aggregate 2.31, ae2.32 and ae2.33</P><P>I am able to ping from ae2.32 connected router to firewall, but can not ping from other 2 sub interfaces connected router to firewall.</P><P>Same MGMT profile is used for all interfaces and A, B,C class ip addresses included in this MGMT profile.</P><P>Meanwhile, both devices are visible in the ARP table.</P> Tue, 19 Oct 2021 06:11:52 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue-with-palo-alto/m-p/441860#M100038 AzerTurkBank 2021-10-19T06:11:52Z