topic Re: VM100 Base config CLI only in General Topics

VM100 Base config CLI only

RobC-AU — Tue, 27 Oct 2020 05:14:59 GMT

HI all,

Hope i can find someone amazing out there.

We have a VM100 that can only be configured from CLI as the provider that does not support any way to access a VM or webUI

I spent 4 hours on the phone with Palo Alto support and they could not help me.

Quick Break down.

simple /30 link using vlan 948

Palo Alto ip 172.20.0.82

MPLS ip 172.20.0.81

Here is the base config i set :

set network profiles interface-management-profile Trusted http no https yes ping yes response-pages yes snmp yes ssh yes telnet no
set network profiles interface-management-profile Partner http no https no ping yes response-pages no snmp no ssh no telnet no
set network profiles interface-management-profile Untrusted http no https no ping no response-pages no snmp no ssh no telnet no
set network interface ethernet ethernet1/1 link-state auto link-duplex auto link-speed auto layer3 units ethernet1/1.948 tag 948 interface-management-profile Trusted ip 172.20.0.82/30
set network virutal-router VirutalRouter1 interface ethernet1/1.948
set zone MPLS network layer3 ethernet1/1.948
set deviceconfig system ip-address 10.120.100.254 netmask 255.255.255.0 default-gateway 10.120.100.1 dns-setting servers primary 8.8.8.8 secondary 4.4.4.4

Commit

No replies when i ping

Any help would be great.

Just remmeber no webUi 😞

Re: VM100 Base config CLI only

kiwi — Tue, 27 Oct 2020 13:02:21 GMT

Hi @RobC-AU ,

I have no idea what you've tested with support but I'll go for some of the obvious :

How are you pinging ? Are you pinging from the correct source IP or from your management IP and is a security policy required to allow the ping ?

Do you see your ping egressing the correct interface ? Does the ping arrive at the destination ?

Do you see specific global counters rising that could explain why it's failing ?

Cheers,

-Kiwi.

Re: VM100 Base config CLI only

RobC-AU — Tue, 27 Oct 2020 13:58:43 GMT

Hi Kiwi,

Thanks for your reply.

I tried pining from the conencted interface EG:

Ping source 172.20.0.82 host 172.20.0.81

That way no default interzone transfer rules will block the traffic.

If i do a show coutners i do get Total counter increasing

show counter global filter delta yes

From the managment interface

ping source 10.120.100.254 host 172.20.0.81

I get no counter increase from managment interface.

As for seeing pings at the other side that is inside the Service providers network and they said they cant tell me what traffic is arrive but they can see traffic increasing when i ping.

Currently i have not configured any secuirty policys other then the 3 managment policys.

Any help would be great most the time Palo Alto support knock this kinda of stuff out of the park.

Re: VM100 Base config CLI only

rmfalconer — Tue, 27 Oct 2020 21:20:04 GMT

Does the provider block icmp on their device?
Does the provider see an arp entry for your device? If so, does it match the MPLS facing mac address?
Are you connected to the PA via some virtual console or direct SSH? If you're on a console, can you ping 10.120.100.1 from the management interface?

Re: VM100 Base config CLI only

RobC-AU — Wed, 28 Oct 2020 04:17:25 GMT

Connecting via a virtual console. And not a great one no copy and paste functions 😞

From inside the MPLS network i can ping 172.20.0.81 IP address.

but unable to ping 172.20.0.82

I have configured the network port as a managment port. so i wont be using the gateway of the managment interface.

I made sure that i have a management profile attached to the interface to allow ping and so on.

I have tried tagged and untagged interfaces on the correct vlans. 😞

Re: VM100 Base config CLI only

RobC-AU — Wed, 28 Oct 2020 05:55:09 GMT

Worked it out,

set system setting dpdk-pkt-io off

then reboot

All working now

Thank you all so much for your help