Object address with Security rule stops VM from allocating IP


L3 Networker

I have an ESXi server with a particular VM on it. If I reboot that machine it does not get the IP address I have configured for it. If I try to go in and manually tell it to use the IP address it is assigned, it tells me that this IP address is already in use.

If I go and change the object IP address in the Palo Alto firewall, then it allows me to set this IP address. I can then set the object IP back after the VM has taken that IP, which gets all the NAT and security rules working again, but it is annoying that this seems to happen every time we reboot that VM.

I have tried putting in a static ARP entry for this, but still no joy.

Any suggestions?


L3 Networker

Sounds like the Palo Alto box is doing proxy-ARP for your IP.

Do you have a NAT rule where the IP in question is the original destination address within the rule?

If so, is the source Zone of the NAT rule set to something that does NOT include the Zone where the server is?  (I think I have my logic the right way round on this one!)

You are correct sir.

I have 2 NAT rules for this server:

1. All external traffic going to a particular IP (the one that the A record points to on our ISP's DNS) on port 49610 (which I have created as a service for this app) gets destination-address translated to the server's internal IP on port 443.

2. All internal traffic on that service/port and that server gets destination-address translated to the server's internal IP and port 443.

This is because when that server sends out links to the files within it, it adds that 49610 port, and the rule was made with the aim of making the links work both externally and internally without having to get internal people to remove the port.

Looks like the second rule is causing your problems. Are the internal clients in the same zone as your server? What are the source and destination zones in your 2nd NAT rule?

There were no zones set. Let me try changing it so that the source zones are different from the destination zone and see how that works.
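As an added example (not from this thread and not Palo Alto Networks' own code), here is a small Python audit of the condition the replies above describe: a destination-NAT rule whose source zones (explicitly, or via "any") include the zone the translated host lives in, while the original destination address lies in that zone's subnet. That is the combination in which the firewall answers ARP for the address on the host's own segment, so the VM's duplicate-address probe on boot sees the address as taken. The rule XML, the zone-to-subnet map, the rule names and the addresses below are all constructed for the example; the element layout (from/to/destination/destination-translation members) is assumed to mirror a PAN-OS NAT rulebase export, and a real export would use address-object names that you would resolve to IPs first.

```python
"""Audit destination-NAT rules for proxy-ARP overlap with a host's own zone.

Added example; the sample config and zone map are constructed, and the XML
layout is an assumption based on the shape of a PAN-OS rulebase export.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two DNAT rules from the thread. The second rule has
# no source-zone restriction ("any"), which includes the server's own zone.
SAMPLE_CONFIG = """<rulebase><nat><rules>
<entry name="ext-to-app">
  <from><member>untrust</member></from>
  <to><member>untrust</member></to>
  <destination><member>203.0.113.10</member></destination>
  <service>tcp-49610</service>
  <destination-translation>
    <translated-address>10.0.0.10</translated-address>
    <translated-port>443</translated-port>
  </destination-translation>
</entry>
<entry name="int-to-app">
  <from><member>any</member></from>
  <to><member>trust</member></to>
  <destination><member>10.0.0.10</member></destination>
  <service>tcp-49610</service>
  <destination-translation>
    <translated-address>10.0.0.10</translated-address>
    <translated-port>443</translated-port>
  </destination-translation>
</entry>
</rules></nat></rulebase>"""

# Constructed zone -> interface subnet map (assumed, one subnet per zone).
ZONE_SUBNETS = {"untrust": "203.0.113.0/24", "trust": "10.0.0.0/24"}


def parse_nat_rules(xml_text):
    """Return the destination-NAT rules as dicts (name, from zones, original dsts)."""
    rules = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        if entry.find("destination-translation") is None:
            continue  # source-only NAT never makes the firewall claim a destination
        rules.append({
            "name": entry.get("name"),
            "from": [m.text for m in entry.findall("from/member")],
            "destination": [m.text for m in entry.findall("destination/member")],
        })
    return rules


def proxy_arp_zones(rule, zone_subnets):
    """Zones on whose interface the firewall would answer ARP for the rule's
    original destination: each ingress (from) zone whose subnet contains it."""
    zones = list(zone_subnets) if "any" in rule["from"] else rule["from"]
    hits = set()
    for zone in zones:
        net = ipaddress.ip_network(zone_subnets[zone])
        for dst in rule["destination"]:
            if dst != "any" and ipaddress.ip_address(dst) in net:
                hits.add(zone)
    return hits


def find_conflicts(rules, zone_subnets, host_ip, host_zone):
    """Names of rules that make the firewall claim host_ip on the host's own zone."""
    return [
        r["name"] for r in rules
        if host_ip in r["destination"]
        and host_zone in proxy_arp_zones(r, zone_subnets)
    ]


def suggested_from_zones(rule, zone_subnets, host_zone):
    """The rule's ingress zones with the host's zone removed: the fix the thread lands on."""
    zones = list(zone_subnets) if "any" in rule["from"] else rule["from"]
    return sorted(z for z in zones if z != host_zone)


if __name__ == "__main__":
    nat_rules = parse_nat_rules(SAMPLE_CONFIG)
    for name in find_conflicts(nat_rules, ZONE_SUBNETS, "10.0.0.10", "trust"):
        rule = next(r for r in nat_rules if r["name"] == name)
        print(f"{name}: firewall proxy-ARPs for 10.0.0.10 in zone trust; "
              f"set source zones to {suggested_from_zones(rule, ZONE_SUBNETS, 'trust')}")
```

Run against a real export, the check is only as good as the zone-to-subnet map: if an interface carries several subnets or the rule's destination is an address group, expand those first. It also says nothing about whether the internal clients can still reach the server after the source zone is narrowed; that depends on which zone they sit in, which the thread never establishes.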
