https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340073#M85370 <P>Hi,</P><P>&nbsp;</P><P>I am working on a Palo Alto Networks Firewall migration project. I exported and imported the configuration with a few errors that I fixed and when migrating from the old to the new PA-3220 firewalls. All internal communications wtih LDAP and other servers are working and the routing protocols are coming up internally and externally. I can also ping the default gateway of ISP from the outside interface of the new Firewall, but the internet is totally down. I checked the traffic under monitor and found that all the packets are aging-out although they are all allowed.</P><P>&nbsp;</P><P>I do have default gateway setup and a default route towards the gateway, I checked the arp and routing table looks fine. What is the issue? anybody please?</P> Wed, 22 Jul 2020 16:11:59 GMT PAN-Bariz2020 2020-07-22T16:11:59Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340073#M85370 <P>Hi,</P><P>&nbsp;</P><P>I am working on a Palo Alto Networks Firewall migration project. I exported and imported the configuration with a few errors that I fixed and when migrating from the old to the new PA-3220 firewalls. All internal communications wtih LDAP and other servers are working and the routing protocols are coming up internally and externally. I can also ping the default gateway of ISP from the outside interface of the new Firewall, but the internet is totally down. I checked the traffic under monitor and found that all the packets are aging-out although they are all allowed.</P><P>&nbsp;</P><P>I do have default gateway setup and a default route towards the gateway, I checked the arp and routing table looks fine. What is the issue? anybody please?</P> Wed, 22 Jul 2020 16:11:59 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340073#M85370 PAN-Bariz2020 2020-07-22T16:11:59Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340080#M85373 <P>Did you check your Source NAT policy to make sure that the packets are getting the correct Public IP Address before hitting the Internet?</P> Wed, 22 Jul 2020 16:25:52 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340080#M85373 jwolach 2020-07-22T16:25:52Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340088#M85375 <P>Yes! Security Policy and NAT rules are working according to the monitor tab. I see packet send but 0 on the packets received.</P> Wed, 22 Jul 2020 16:45:46 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340088#M85375 PAN-Bariz2020 2020-07-22T16:45:46Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340425#M85444 <P>Hello,</P> <P>Hopefully you have this corrected already. However unplug the external interface for a few minutes to see if the ISP can clear their ARP. Or just call them and see if they see traffic and it they can clear the arp tables.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 23 Jul 2020 22:00:58 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340425#M85444 OtakarKlier 2020-07-23T22:00:58Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340426#M85445 <P>I did [show arp all] and found the ISP router gateway ip address has a proper arp cache. I also did a traceroute, but found a couple of hopes after the gateway is not being properly resolved, instead of IP address there was *** which indicates arp cache issue at that nodes. It is still not solved, i am following that closely.</P> Thu, 23 Jul 2020 22:04:19 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340426#M85445 PAN-Bariz2020 2020-07-23T22:04:19Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340522#M85457 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148301">@PAN-Bariz2020</a>Check under Source NAT rule if translation type is selected as <STRONG>Dynamic IP And Port </STRONG>but not Dynamic IP only. This will create issue if other option is selected.</P><P>&nbsp;</P><P>Mayur</P> Fri, 24 Jul 2020 14:20:47 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340522#M85457 SutareMayur 2020-07-24T14:20:47Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340530#M85460 <P><STRONG>Dynamic IP And Port</STRONG> is selection, some of them also have bi-directional option checked.</P> Fri, 24 Jul 2020 15:31:29 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340530#M85460 PAN-Bariz2020 2020-07-24T15:31:29Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340740#M85491 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148301">@PAN-Bariz2020</a>&nbsp;</P> <P>&nbsp;</P> <P>1&gt;Did&nbsp; you check the traffic logs that traffic is getting natted to public IP address ?</P> <P>2&gt;You do not need bi directional option checked if you are only allowing users to access the Internet using Outside Interface IP.</P> <P>3&gt;Also check which rule it hits when you can successfully ping and compare it with non working security rule.</P> <P>4&gt;Use the test nat command</P> <P>&nbsp;</P> <P>test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source ip&nbsp; destination ip&nbsp; destination-port 443</P> <P>&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> Mon, 27 Jul 2020 00:10:15 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/340740#M85491 MP18 2020-07-27T00:10:15Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/341511#M85661 <P>Thank You.</P><P>&nbsp;</P><P>I had performed those steps on the first failure and did not found any issue. I believe there might be a VRF issue from the ISP site. I will be able to get back on this next week.</P> Thu, 30 Jul 2020 20:07:39 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/341511#M85661 PAN-Bariz2020 2020-07-30T20:07:39Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/341521#M85663 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148301">@PAN-Bariz2020</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for the update.</P> <P>&nbsp;</P> <P>Regards</P> Thu, 30 Jul 2020 21:25:17 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/341521#M85663 MP18 2020-07-30T21:25:17Z https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/342116#M85778 <P>Hi All,</P><P>It was nothing but ARP cache from the Service Provider side, There was another switch between the Palo Alto Networks Firewall and ISP router. The ARP cache that i was getting on the firewall was from the switch not from the actual ISP router. The issue immediately got fixed upon ARP cache clear.</P> Wed, 05 Aug 2020 00:14:27 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-outage-occurs-after-migration-all-packets-aging-out/m-p/342116#M85778 PAN-Bariz2020 2020-08-05T00:14:27Z