https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330133#M83722 <P>Why do not you allocate a dedicated interface to the VLAN14 on Palo? Even if that trunking can work in principle there is still so many places where dot1q can go wrong in a virtualized environment...&nbsp; &nbsp;You need to make sure that VGT is configured correctly (<A href="https://kb.vmware.com/s/article/1003806#vgtPoints" target="_blank">https://kb.vmware.com/s/article/1003806#vgtPoints</A>&nbsp;), you need to make sure Palo uses hypervisor-assigned MAC address (Device &gt; Management &gt; General Settings).</P> Wed, 27 May 2020 17:04:05 GMT Nikolay-Matveev 2020-05-27T17:04:05Z https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330121#M83721 <P>Hello,</P><P>&nbsp;</P><P>I am kind a new with PaloAlto. I require some help with a scenario I try to put into practice in my lab.</P><P>&nbsp;</P><P>I have a strange situation in my setup.</P><P>I have deployed a PaloAlto firewall virtual appliance on a ESXi host. And also created 2 Virtual machines.<BR />On PaloAlto, I have created a subinterface and assigned it to vlan 14 and an interface, assigned to Vlan 12. Vlan 12 communicates with the exterior.&nbsp;<BR />The to VMs are assigned to Vlan 14.</P><P>No here is the strange thing. The vms can ping to each other, but they cannot ping the gateway, which is the subinterface I have created on PaloAlto, Vlan 14.<BR />However, the subinterface can be ping-ed if I try from outside the VmWare environment, via Vlan 12, from my phisical computer for example.</P><P>The physical computer runs in a different network, and communicates with the vmware environment via a firewall, physical box. The firewall (physical box) communicates with PaloAlto using Vlan 12.</P><P>&nbsp;</P><P>Attached the config of the PaloAlto interface/subinterface fw and config for the virtual Nics in vmware.<BR />Both port groups in VmWare use the same physical interface, in VmWare.<BR />The interfaces in PaloAlto is configured to respond to PING.</P><P>&nbsp;</P><P>What exactly am I missing in order to allow the VMs to ping the gateway and allow them access towards other networks?</P><P>Any tips much appreciated!</P><P>Thank you in advance.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Palo cfg.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25864i2A1D75866BF3F99F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Palo cfg.PNG" alt="Palo cfg.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vlan 14.PNG" style="width: 344px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25865iC54E0CFE102B25CB/image-dimensions/344x218/is-moderation-mode/true?v=v2" width="344" height="218" role="button" title="vlan 14.PNG" alt="vlan 14.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Trunk.PNG" style="width: 341px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25866i303169DB12F498D5/image-dimensions/341x208/is-moderation-mode/true?v=v2" width="341" height="208" role="button" title="Trunk.PNG" alt="Trunk.PNG" /></span></P><P>&nbsp;</P> Wed, 27 May 2020 16:12:14 GMT https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330121#M83721 alexwi 2020-05-27T16:12:14Z https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330133#M83722 <P>Why do not you allocate a dedicated interface to the VLAN14 on Palo? Even if that trunking can work in principle there is still so many places where dot1q can go wrong in a virtualized environment...&nbsp; &nbsp;You need to make sure that VGT is configured correctly (<A href="https://kb.vmware.com/s/article/1003806#vgtPoints" target="_blank">https://kb.vmware.com/s/article/1003806#vgtPoints</A>&nbsp;), you need to make sure Palo uses hypervisor-assigned MAC address (Device &gt; Management &gt; General Settings).</P> Wed, 27 May 2020 17:04:05 GMT https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330133#M83722 Nikolay-Matveev 2020-05-27T17:04:05Z https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330145#M83726 <P>Hello Nikolay,</P><P>Doing as you have suggested, works fine. Thank you!</P><P>I am very curious in trying the other alternative as well.&nbsp;</P><P>I did not properly configure the VGT. So this must be the issue.</P><P>Thank you again for your quick respons.</P><P>Best regards!</P> Wed, 27 May 2020 18:04:14 GMT https://live.paloaltonetworks.com/t5/general-topics/vms-cannot-ping-gateway-subinterface-on-palo-firewall/m-p/330145#M83726 alexwi 2020-05-27T18:04:14Z