Did something the other day and now I cannot ping/HTTPS/SSH to the firewall on its management interface, even though from the firewall I can ping out.
I don't think this is a routing issue as I can do it the other way (out of the device), and the device I am sourcing the pings from is within the same subnet. Also I have checked the ARP table and MAC table and the source device can see the IP and MAC of the Palo.
Any ideas? Currently I can get on the Palo as I have management via another interface.
So I have carried out a tcpdump on the mgmt interface and found the following.
If I initiate a ping request FROM the firewall then I see the sent/received as expected.
If I initiate from its neighbour then I see the request coming into the firewall, but no response coming back down the mgmt interface.
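The one-way pattern described in that capture (requests arrive, no replies leave), as an added example that is not part of the original thread: a small Python script that pairs ICMP echo requests with their replies in tcpdump-style text output and reports directions that are never answered. The capture lines are constructed for the example and use RFC 5737 documentation addresses, with 192.0.2.1 standing in for the firewall mgmt IP and 192.0.2.6 for the router, in place of the redacted 172.x.x.x addresses in the thread.

```python
import re
from collections import defaultdict

# Matches tcpdump-style ICMP echo lines such as
# "10:00:01.000100 IP 192.0.2.1 > 192.0.2.6: ICMP echo request, id 1001, seq 1, length 64"
ICMP_ECHO_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s+"
    r"ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed sample capture (not from the thread). 192.0.2.1 stands in for the
# firewall mgmt IP, 192.0.2.6 for the router. The firewall-initiated ping is
# answered, the router-initiated ping is not, and the ARP line must be ignored.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.0.2.1 > 192.0.2.6: ICMP echo request, id 1001, seq 1, length 64
10:00:01.000600 IP 192.0.2.6 > 192.0.2.1: ICMP echo reply, id 1001, seq 1, length 64
10:00:02.000100 IP 192.0.2.1 > 192.0.2.6: ICMP echo request, id 1001, seq 2, length 64
10:00:02.000500 IP 192.0.2.6 > 192.0.2.1: ICMP echo reply, id 1001, seq 2, length 64
10:00:10.000000 IP 192.0.2.6 > 192.0.2.1: ICMP echo request, id 2001, seq 1, length 64
10:00:11.000000 IP 192.0.2.6 > 192.0.2.1: ICMP echo request, id 2001, seq 2, length 64
10:00:12.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.6, length 46
"""


def parse_icmp_echo(text):
    """Yield one dict per ICMP echo request/reply line; all other lines are skipped."""
    for line in text.splitlines():
        m = ICMP_ECHO_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            ev["seq"] = int(ev["seq"])
            yield ev


def unanswered_requests(text):
    """Return (src, dst, id, seq) for every echo request that got no reply.

    A reply matches a request when it carries the same id/seq and travels
    dst -> src relative to that request.
    """
    requests = []
    replies = set()
    for ev in parse_icmp_echo(text):
        if ev["kind"] == "request":
            requests.append((ev["src"], ev["dst"], ev["id"], ev["seq"]))
        else:
            replies.add((ev["dst"], ev["src"], ev["id"], ev["seq"]))
    return [r for r in requests if r not in replies]


def flow_summary(text):
    """Count echo requests and matched replies per (src, dst) direction."""
    counts = defaultdict(lambda: {"requests": 0, "replies": 0})
    missing = set(unanswered_requests(text))
    for ev in parse_icmp_echo(text):
        if ev["kind"] != "request":
            continue
        key = (ev["src"], ev["dst"])
        counts[key]["requests"] += 1
        if (ev["src"], ev["dst"], ev["id"], ev["seq"]) not in missing:
            counts[key]["replies"] += 1
    return dict(counts)


def one_way_flows(text):
    """Directions that sent requests but never received a reply: the symptom in the thread."""
    return sorted(k for k, v in flow_summary(text).items()
                  if v["requests"] and v["replies"] == 0)


if __name__ == "__main__":
    for (src, dst), v in sorted(flow_summary(SAMPLE_CAPTURE).items()):
        print(f"{src} -> {dst}: {v['requests']} requests, {v['replies']} replies")
    for src, dst in one_way_flows(SAMPLE_CAPTURE):
        print(f"one-way: requests from {src} reach {dst} but nothing comes back")
```

To use it on a real capture, replace SAMPLE_CAPTURE with the text of the management-plane capture (on PAN-OS, `tcpdump filter "icmp"` followed by `view-pcap mgmt-pcap mgmt.pcap`, or `tcpdump -nn icmp` on a directly attached laptop). A direction that shows up in `one_way_flows` while the reverse direction is fully answered tells you the request is reaching the box and the problem is on the reply path (default gateway, management profile or the host's own ARP/routing), not on the link.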
"Did something the other day"
On the firewall or somewhere else?
If on the firewall, check your management logs.
How are you connecting if HTTP/SSH are down too?
On the firewall.
The management interface was on a public IP accessible from the internet, so I changed the addressing to an internal range within our private MPLS.
Before I did that change I enabled a management profile on the "inside" interface to the LAN so that if things went funny, like they have, I would still have access.
I am accessing via eth1/1 with a mgmt profile allowing HTTP/SSH for the time being.
So is the new IP routeable? Is there any other device on the connected switch in the same VLAN/subnet that pings OK? Is the DG on the management interface pointing at the correct address on your internal network?
You changed the management profile to allow only traffic from private addresses on your public interface? But if you're pinging the public IP on that interface, DNAT will still happen? Does the packet capture show the source of the ping as a public or private IP?
This is from its neighbour.
ROUTER - SWITCH - FIREWALL
Router is x.x.x.6/29
FW is x.x.x.1/29
DG on the FW mgmt interface is x.x.x.6. I can't see routing being the issue as I can ping OUT from the FW to the Router mgmt subnet IP with no issues. The trace shows it's the next hop along.
PAN1> ping host 172.x.x.6
PING 172.x.x.6 (172.x.x.6) 56(84) bytes of data.
64 bytes from 172.x.x.6: icmp_seq=1 ttl=64 time=0.553 ms
64 bytes from 172.x.x.6: icmp_seq=2 ttl=64 time=0.427 ms
--- 172.x.x.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.427/0.490/0.553/0.063 ms
PAN1> traceroute host 172.x.x.6
traceroute to 172.x.x.6 (172.x.x.6), 30 hops max, 40 byte packets
1 172.x.x.6 (172.x.x.6) 1.048 ms 1.117 ms *
From Router (172.x.x.6):
172.x.x.0/29 *[Direct/0] 00:20:53
> via ge-1/0/9.996
R1> ping routing-instance xxxxxxxx 172.x.x.1
PING 172.x.x.1 (172.x.x.1): 56 data bytes
1 packets transmitted, 0 packets received, 100% packet loss
No, I did not change the management profile to allow only private IP addresses. What I said is that previously the mgmt interface had a public IP assigned to it, and was reachable via the global internet.
I changed the IP/mask/DG on the management interface to a spare private subnet, and changed the Router so that the interface going to the mgmt interface is now within our corp VRF/MPLS network.
Captures show the source IP is correct (private LAN IP on the router), but the FW does not respond if the ping is initiated from the router. Works fine if initiated from the FW.
Disconnect the router and put a laptop directly connected to the management interface.
Test that way to confirm if the ping still fails.