https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305129#M79286 <P>Hi folks,</P><P>&nbsp;</P><P>here's a weird issue!</P><P>We have one public IP lets say 1.2.3.4.</P><P>Our PA VM 300, can ping to any public IP address other than 1.2.3.4.</P><P>For all other public IP addresses, it sends traffic via default route out of external interface. But for 1.2.3.4, it sends the traffic to our management gateway. Following to be noted:</P><P>1. 1.2.3.4 is our other PA firewall external IP where we were trying to connect using IPSec S2S tunnel. I deleted all the tunnel config since I was afraid that it was somehow interfering with the routing. But that did not solve the problem.</P><P>&nbsp;</P><P>2. From all other devices we can ping 1.2.3.4 and ping is allowed on this interface.</P><P>&nbsp;</P><P>3. Security Policies, NAT and static default route pointing out from external interface to next hop are all correct.</P><P>&nbsp;</P><P>4. We can ping other public IP addresses like 8.8.8.8 and even FQDNs like <A href="http://www.facebook.com" target="_blank">www.facebook.com</A>&nbsp;but only traffic to 1.2.3.4 is routed through management interface.,</P><P>&nbsp;</P><P>Any ideas anyone?</P> Mon, 30 Dec 2019 03:42:21 GMT rjdahav163 2019-12-30T03:42:21Z https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305129#M79286 <P>Hi folks,</P><P>&nbsp;</P><P>here's a weird issue!</P><P>We have one public IP lets say 1.2.3.4.</P><P>Our PA VM 300, can ping to any public IP address other than 1.2.3.4.</P><P>For all other public IP addresses, it sends traffic via default route out of external interface. But for 1.2.3.4, it sends the traffic to our management gateway. Following to be noted:</P><P>1. 1.2.3.4 is our other PA firewall external IP where we were trying to connect using IPSec S2S tunnel. I deleted all the tunnel config since I was afraid that it was somehow interfering with the routing. But that did not solve the problem.</P><P>&nbsp;</P><P>2. From all other devices we can ping 1.2.3.4 and ping is allowed on this interface.</P><P>&nbsp;</P><P>3. Security Policies, NAT and static default route pointing out from external interface to next hop are all correct.</P><P>&nbsp;</P><P>4. We can ping other public IP addresses like 8.8.8.8 and even FQDNs like <A href="http://www.facebook.com" target="_blank">www.facebook.com</A>&nbsp;but only traffic to 1.2.3.4 is routed through management interface.,</P><P>&nbsp;</P><P>Any ideas anyone?</P> Mon, 30 Dec 2019 03:42:21 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305129#M79286 rjdahav163 2019-12-30T03:42:21Z https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305132#M79287 <P>Also,</P><P>&nbsp;</P><P>we tried using</P><P>&nbsp;</P><P>ping host 1.2.3.4</P><P>ping source &lt;our_public_interface_addr&gt; host 1.2.3.4</P><P>&nbsp;</P><P>No luck using both!</P> Mon, 30 Dec 2019 03:47:15 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305132#M79287 rjdahav163 2019-12-30T03:47:15Z https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305139#M79290 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a>&nbsp;</P><P>&nbsp;</P><P>Whenever you try to ping an IP from firewall, by default it will use your mgmt plane and then will forward traffic to gateway configured for mgmt plane. It wont look up firewalls routing table. If you specify source as specific data plane interface, then it will use that interface IP as source and will look into your routing table to forward the traffic.</P><P>&nbsp;</P><P><EM>for ping host 1.2.3.4</EM></P><P><SPAN>It is expected to go through mgmt plane as you have not defined any specific source. Validate&nbsp;if anything is blocking this PING traffic on the gateway of your mgmt plane or on further hops.</SPAN></P><P>&nbsp;</P><P><EM>for ping source &lt;our_public_interface_addr&gt; host 1.2.3.4</EM></P><P><SPAN>This sounds like intrazone traffic and will exit through your external interface. There is chance that you might not notice traffic log for this if log generation is not enabled on default intrazone rule. Also as peer device is PA, validate if you have applied any interface management profile on the external interface of peer firewall which is restricting&nbsp;PING to only certain IP's.</SPAN></P> Mon, 30 Dec 2019 04:19:55 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305139#M79290 Rajesh12 2019-12-30T04:19:55Z https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305253#M79316 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/100390">@Rajesh12</a>&nbsp;</P><P>Everything was configured correctly.</P><P>You know what solved the problem?? - Firewall Restart <span class="lia-unicode-emoji" title=":neutral_face:">😐</span></P> Mon, 30 Dec 2019 21:34:42 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305253#M79316 rjdahav163 2019-12-30T21:34:42Z https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305278#M79323 <P>Mighty restart to the rescue. Glad your issue is resolved <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a>&nbsp;</P> Tue, 31 Dec 2019 01:15:10 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-driving-me-crazy/m-p/305278#M79323 Rajesh12 2019-12-31T01:15:10Z