topic Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro in General Topics

ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that router

Michael_Martin — Wed, 18 Nov 2015 01:31:13 GMT

Any help is appreciated...

I have a PA interface connected to a router using a /31. I have static routes with that router as the next hop. From the firewall interface on the /31 interconnect, I can reach all of the destinations I have static routes for. I can't, however reach the router's IP on the directly connected /31. When I try to ping from the PA sourcing its /32 interconnect address, it gives me:

ping: sendmsg: Permission denied

If I ping from the router to the PA from one end of the /31 to the other, I see the incoming ping in the capture, but the PA doesn't reply (capturing receive, transmit, and firewall).

If I ping the PA /31 interface sourcing something beyond the /31 interconnect, I get replies. If I ping from the PA to anything beyond the /31 interconnect, it is successful.

When I run "test routing", I see that the connected route is what is installed in the FIB table for the neighbor's IP.

result: interface ethernet1/22

I have no NAT or security policy yet configured, so the policy being hit is the default intrazone allow any. I can see that in the traffic logs and it shows as allowed.

My interface management profile also allows ping (and other protocols) - but that is evidenced by the fact that I can ping and SSH to the interface from hosts beyond the /31 interconnect.

I know that /31's work fine because I'm using them on other interfaces and have no issue.

The ARP table is also correctly populated on both ends of the connection.

Please help. Thanks!

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

Michael_Martin — Wed, 18 Nov 2015 01:48:48 GMT

Weird - switched the interconnect to a /30 and it works now.

This is an L3 interface. I have /31's working fine on tunnel.x interfaces.

This is the second inconsistent and/or buggy behavior I've found today.

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

kiwi — Wed, 18 Nov 2015 09:19:16 GMT

Using /31 was a discussion a while ago :

Using 31-Bit Prefixes on IPv4 Point-to-Point Links

/31 is not supported and a feature request was created. As far as I can see this was not yet introduced.

Please reach out to your local SE so he can add more weight to this request.

Hope this helps,

-Kim.

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

GencoYilmaz — Tue, 07 Jan 2020 10:31:49 GMT

Apparently this feature is implemented but with a twist. As per https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-3-interfaces/configure-layer-3-interfaces you can set /31 subnet now but

if you have a subnet e.g 192.168.1.34/31 you have to give the higher address i.e 192.168.1.35 to PAN and 192.168.1.34 to

the directly connected device otherwise ping doesn't work.

Documentation is so vague about this detail.

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

PradeepKumarMall — Sat, 20 Aug 2022 16:52:49 GMT

It works. Just todat 20th-August-2022 i configured it on one of ther Interface on PA-3220.

Initially it was not working as there was two layer2 switches, inline. Even it was not working on tagged sub-interface.

I connected Router and Firewall directly. Manually set the firewall's port speed to 100mbps as Router port speed was 100mbps, not 1Gbps and it worked for me.