topic Re: Static Route to directly connected Subnet in General Topics

Static Route to directly connected Subnet

acc6d0b3610eec313831f7900fdbd235 — Sat, 10 Jun 2017 00:18:41 GMT

Hi All, I am working with a project, where the firewall (PA-3020) is connected to a DMZ via its sub-interface.

I have two physical Copper interfaces in an aggregated group AE2 with LACP enabled, and then multiple sub-interfaces under that The DMZ sub-interface (ae2.4010) has a subnet of 192.168.66.0/24; however, I am unable to reach the backend servers on the same subnet, unless I add a null static route in the virtual router i.e 192.168.66.0/24 --> Interface: ae2.4010 --> Next Hop: None.

That's quite unusual, because all the other sub-interfaces have no issues, and I don't need to add any null routes to the VR. Does anybody have any clue what the problem might be in this instance?

Thank you

Re: Static Route to directly connected Subnet

pulukas — Sat, 10 Jun 2017 10:59:07 GMT

Is there an ip address in that subnet configured on the sub interface?

This should create a direct route automatically.

I am assuming the PA is layer 3 for this setup is that right?

Re: Static Route to directly connected Subnet

acc6d0b3610eec313831f7900fdbd235 — Sat, 10 Jun 2017 16:54:42 GMT

Hi @pulukas Yes the firewall sub-interface ae2.4010 has an IP address assigned. That was my expectation based on all the implementations I have done, I never had to add a static route to a subnet to which the firewall is directly connected. The firewall is in full Layer 3. All other sub-interfaces, are working just fine and I did not have to add static routes for those.

Re: Static Route to directly connected Subnet

Remo — Sat, 10 Jun 2017 19:49:32 GMT

This is not unusual this sounds very strange...
Sorry for the question, but are you sure that there is no typo in the IP address of that subinterface? And did you enter the IP address maybe without a subnetmask or with the wrong one?
If you checked these things, what PAN-OS version is installed and could you may be share a screenshot of the actual routing table or at least check also there how it does look with and without this stub-route?

Re: Static Route to directly connected Subnet

acc6d0b3610eec313831f7900fdbd235 — Sat, 10 Jun 2017 21:36:45 GMT

Hi @Remo
I did a modification on my sub-interface just now, for testing purposes.
Instead of adding only the IP address object with no mask in included the subnet mask /24. After that I was able to reach the servers on the same subnet.
It is a weird issue, because the IP address I had configured although not having the mask specified, was part of the same range as all the other backend servers; hence, I assumed it should've worked.
I was running the PAN-OS 7.1.7 before fixing the mask, and then upgraded to PAN-OS 7.1.10 now because I thought it could be a bug, but I was wrong. Bottom line, it works, but you have always to specify the actual mask to the address object.

Thank you

Re: Static Route to directly connected Subnet

pulukas — Sun, 11 Jun 2017 23:38:49 GMT

I'm surprised the PA does not automatically add the /32 mask to the interface if you plug in just an ip address. This would make the issue more obvious to observe.

glad you have it figured out.