topic Re: Troubleshooting Slowness with Traffic, Management in General Topics

Troubleshooting Slowness with Traffic, Management

GWASSEF — Tue, 05 Sep 2017 05:47:12 GMT

Hi,

I am reconfiguring my PA-100 VM, as i am changing the network design, but after i changed the interfaces IP, Router configuraattion, NAT policy, and security policy. I cannot get to internet and in monitroing end reason is "aged-out"

From CLI i can ping and traceroute using the management and external interface as source, but i cannot use my internal interface to ping or traceroute.

Even i cannot ping the external interface using hte internal interface (after enabling management policy for the external interface)

I cannot even ping between the Mgmt Interface and the internal Interface and they are in the same network (default intrazone traffice rule active as well)

I would appreciate any direction in troubleshooting the issue.

Re: Troubleshooting Slowness with Traffic, Management

TranceforLife — Tue, 05 Sep 2017 07:31:53 GMT

For TCP traffic "aged-out" could indicate not completed 3-way handshake. Few things to confirm:

1) Can Palo access the internet over the External interface?

2) Make sure routing is correct

3) Remember, traffic generated by the firewall will not be a subject for policy inspection (unless you source the packet from the interface which is assigned to the security zone).

4) Post the detailed log view of any aged-out session (magnifying glass view)

Re: Troubleshooting Slowness with Traffic, Management

GWASSEF — Tue, 05 Sep 2017 07:39:54 GMT

- Palo alto can access internet via external interface and management interface, but not the internal interface.

- I have only one static route for 0.0.0.0/0 that goes to External Interface and the next hope is my modem ip address, metric is et to 10 and unicast is routing table.

- i am sourcing the traffice from the source zone, and

attached is the print screen from my details logs

Re: Troubleshooting Slowness with Traffic, Management

TranceforLife — Tue, 05 Sep 2017 07:45:02 GMT

You natting your traffic to the 10.1.1.254, from the source ip 10.1.1.60? Why?

What is your external ip address? You have modem/router, right. Does it know how to get back to the networks behind the FW?

Re: Troubleshooting Slowness with Traffic, Management

GWASSEF — Tue, 05 Sep 2017 07:48:34 GMT

computer ip is 10.1.1.60

internal interface for paloalto is 10.1.1.254

external ip is 172.16.0.1

modem ip is 172.16.0.254

from CLI: Ping using the external interface ip as source works

ping source 172.16.0.1 host yahoo.com
PING yahoo.com (98.138.253.109) from 172.16.0.1 : 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=1 ttl=55 time=61.1 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=2 ttl=55 time=59.9 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=3 ttl=55 time=68.8 ms

but ping using internal ip doesn't work

Re: Troubleshooting Slowness with Traffic, Management

TranceforLife — Tue, 05 Sep 2017 07:52:32 GMT

Ok, thanks. You need to configure your Palo to NAT all internal traffic to its External IP (172.16.0.1). In case you don't want to do that, then please add a static route on your router/modem pointing to the Palo external ip address (172.16.0.1) on how to reach 10.1.1.0/24 subnet.

Re: Troubleshooting Slowness with Traffic, Management

GWASSEF — Tue, 05 Sep 2017 07:55:45 GMT

Thanks, this does make sense, i really missed it from the lots of changes i have been through. Thanks again.