topic Re: Ping Packets dropped: forwarded to different zone in General Topics https://live.paloaltonetworks.com/t5/general-topics/ping-packets-dropped-forwarded-to-different-zone/m-p/374824#M89120 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 890px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29176iA15271DC4555DA6E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P><P>This the first topology previous post didn't show correctly.</P> Thu, 17 Dec 2020 07:33:55 GMT Susan_Avxt 2020-12-17T07:33:55Z Ping Packets dropped: forwarded to different zone https://live.paloaltonetworks.com/t5/general-topics/ping-packets-dropped-forwarded-to-different-zone/m-p/374818#M89119 <DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P><P>1. All the units in above diagram are AWS EC2s. Pinging from Ubuntu10_20_61_16</P><P>&nbsp; &nbsp; to Ubuntu10_60_0_100 failed due to echo reply dropped on PA-VM.</P><P>&nbsp;</P><P><EM>admin@PA-VM&gt; show counter global filter packet-filter yes delta yes severity drop</EM></P><P><EM>Global counters:</EM></P><P><EM>Elapsed time since last sampling: 1.16&nbsp; seconds</EM></P><P><EM>name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; value&nbsp;&nbsp;&nbsp;&nbsp; rate severity&nbsp; category&nbsp; aspect&nbsp;&nbsp;&nbsp; description</EM></P><P><EM>--------------------------------------------------------------------------------</EM></P><P><EM>flow_fwd_zonechange&nbsp;&nbsp;&nbsp; 1&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; forward&nbsp;&nbsp; Packets dropped: forwarded to different zone</EM></P><P><EM>--------------------------------------------------------------------------------</EM></P><P><EM>Total counters shown: 1</EM></P><P>&nbsp;</P><P>2. Following is the routing info.</P><P>&nbsp;</P><P><EM>admin@PA-VM&gt; show routing route</EM></P><P><EM>flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,</EM></P><P><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast</EM></P><P><EM>VIRTUAL ROUTER: vr1 (id 1)</EM></P><P><EM>&nbsp; ==========</EM></P><P><EM>destination&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nexthop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; metric flags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; age&nbsp;&nbsp; interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; next-AS</EM></P><P><EM>0.0.0.0/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.20.10.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10&nbsp;&nbsp;&nbsp;&nbsp; A S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/1</EM></P><P><EM>10.20.10.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.20.10.50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/1</EM></P><P><EM>10.20.10.50/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A H</EM></P><P><EM>10.20.61.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.20.61.195&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/2</EM></P><P><EM>10.20.61.195/32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A H</EM></P><P><EM>10.60.0.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10&nbsp;&nbsp;&nbsp;&nbsp; A S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel.1</EM></P><P><EM>total routes shown: 6</EM></P><P>&nbsp;</P><P>3. Following is the Zones info</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture1.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29172i780C700BB0280392/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture1.PNG" alt="Capture1.PNG" /></span></P><P>4. Following is the security policies info.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Susan_Avxt_0-1608187681970.png" style="width: 924px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29169i62C1621D346FC191/image-dimensions/924x359/is-moderation-mode/true?v=v2" width="924" height="359" role="button" title="Susan_Avxt_0-1608187681970.png" alt="Susan_Avxt_0-1608187681970.png" /></span></P><P>5. From the log below, we can see when ping from 10.20.61.16 to 10.60.0.100. it is from Pub-zone to VPN zone. ping packet goes from e1/2 to e1/1, then e1/1 goes to tunnel.1. But seems ping reply didn't take path, tunnel.1--&gt;e1/1---&gt;e1/2.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture2.PNG" style="width: 887px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29173iCA09B9BAE36F2DDA/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture2.PNG" alt="Capture2.PNG" /></span></P><P>&nbsp;</P><P>admin@PA-VM&gt; test routing fib-lookup ip 10.20.61.16 virtual-router vr1</P><P>--------------------------------------------------------------------------------<BR />runtime route lookup<BR />--------------------------------------------------------------------------------<BR />virtual-router: vr1<BR />destination: 10.20.61.16<BR />result:<BR />interface ethernet1/2, source 10.20.61.195<BR />--------------------------------------------------------------------------------</P><P>6. Guess ping reply didn't&nbsp; go the right path. So got "Packets dropped: forwarded to different zone".</P><P>7. There is no NAT rules on PA-VM.</P><P>How to fix this issue? Thanks for sharing your thoughts!</P> Thu, 17 Dec 2020 07:31:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-packets-dropped-forwarded-to-different-zone/m-p/374818#M89119 Susan_Avxt 2020-12-17T07:31:31Z Re: Ping Packets dropped: forwarded to different zone https://live.paloaltonetworks.com/t5/general-topics/ping-packets-dropped-forwarded-to-different-zone/m-p/374824#M89120 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 890px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29176iA15271DC4555DA6E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P><P>This the first topology previous post didn't show correctly.</P> Thu, 17 Dec 2020 07:33:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-packets-dropped-forwarded-to-different-zone/m-p/374824#M89120 Susan_Avxt 2020-12-17T07:33:55Z