07-18-2018 01:22 AM - edited 07-18-2018 06:58 AM
Here is my basic network topology.
1. Linux Client (PC01)
2. Palo Alto Firewall (PA-VM)
Both are configured with 2 interfaces enabled in VirtualBox:
Adapter 1: Host-only. This is for the out-of-band management interface.
Adapter 2: Internal Network. This is for the actual communication between PC01 and PA-VM.
I have no issue at all with the Adapter 1 setting. It's working as expected.
user@PC01:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A1
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A2
          inet addr:10.1.1.110  Bcast:10.1.1.255  Mask:255.255.255.0
user@PC01:~$
Ping using Adapter 1
user@PC01:~$ ping -c 3 192.168.56.254
PING 192.168.56.254 (192.168.56.254): 56 data bytes
64 bytes from 192.168.56.254: seq=0 ttl=64 time=0.770 ms
64 bytes from 192.168.56.254: seq=1 ttl=64 time=0.554 ms
64 bytes from 192.168.56.254: seq=2 ttl=64 time=0.855 ms

--- 192.168.56.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.554/0.726/0.855 ms
user@PC01:~$
Ping using Adapter 2
user@PC01:~$ ping -c 3 10.1.1.254
PING 10.1.1.254 (10.1.1.254): 56 data bytes

--- 10.1.1.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
user@PC01:~$
tcpdump from Adapter 2 test
tcpdump output from PC01 shows that the VM firewall is completely unreachable even though they're (supposed to be) connected back to back in the same network segment.
user@PC01:~$ sudo tcpdump -i any net 10.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:39.981377 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:40.985748 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
21:49:40.985763 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
21:49:40.985766 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
The incomplete ARP entry on eth1 shows the packet doesn't reach PA-VM at all.
user@PC01:~$ arp -i eth1
? (10.1.1.254) at <incomplete> on eth1
user@PC01:~$
I also notice that the MAC address on PA-VM (ethernet1/1 = zz:zz:zz:zz:zz:z1) doesn't match what I have in the ARP table on PC01 (incomplete). The one that I set in VirtualBox was AA:AA:AA:AA:AA:A2, not ZZ:ZZ:ZZ:ZZ:ZZ:Z1.
admin@PA-VM> show interface all

total configured hardware interfaces: 1

name                    id    speed/duplex/state              mac address
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up                    zz:zz:zz:zz:zz:z1

aggregation groups: 0

total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0      10.1.1.254/32

admin@PA-VM>
This explains why I cannot ping using the secondary interface (Adapter 2) at all. Seems like there is a Layer 1 issue.
For the record, I was able to use the same VirtualBox setting on 2 Linux guests. May I know why the same setting doesn't work on PA-VM? Any idea how to make Layer 1 communication successful in VirtualBox?
This is the screenshot of my VirtualBox network setting.
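The troubleshooting sequence in the post (ARP requests with no reply, an `<incomplete>` neighbour entry, and a MAC that does not match what the hypervisor was told to assign) can be turned into a repeatable check. The following is an added example, not code from the original post or from Palo Alto Networks: it parses tcpdump ARP lines and `arp` table output of the shape shown above and returns one verdict per target. The sample capture and table text are constructed to mirror the post (the healthy variant and the MAC aa:aa:aa:aa:aa:a3 are invented for contrast); the function names are the author's own.

```python
import re

# Constructed sample input modelled on the post's broken capture (Adapter 2).
CAPTURE_BROKEN = """\
21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:39.981377 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:40.985748 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
"""
ARP_TABLE_BROKEN = "? (10.1.1.254) at <incomplete> on eth1\n"

# Constructed healthy variant: the peer answers the ARP request (MAC is invented).
CAPTURE_OK = """\
21:50:01.000100 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:50:01.000300 ARP, Reply 10.1.1.254 is-at aa:aa:aa:aa:aa:a3, length 28
21:50:01.000500 IP 10.1.1.110 > 10.1.1.254: ICMP echo request, id 1, seq 0, length 64
"""
ARP_TABLE_OK = "? (10.1.1.254) at aa:aa:aa:aa:aa:a3 [ether] on eth1\n"

ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")
# Matches both "at <incomplete> on eth1" and "at aa:... [ether] on eth1".
ARP_TABLE_LINE = re.compile(r"\((\S+)\) at (\S+)(?: \[ether\])? on (\S+)")


def summarize_arp(capture: str) -> dict:
    """Count ARP requests/replies per target IP seen in tcpdump text output."""
    summary = {}
    for line in capture.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            entry = summary.setdefault(m.group(1), {"requests": 0, "replies": 0, "mac": None})
            entry["requests"] += 1
            continue
        m = ARP_REPLY.search(line)
        if m:
            entry = summary.setdefault(m.group(1), {"requests": 0, "replies": 0, "mac": None})
            entry["replies"] += 1
            entry["mac"] = m.group(2).lower()
    return summary


def parse_arp_table(text: str) -> dict:
    """Parse `arp -i <iface>` output; an <incomplete> entry yields mac=None."""
    table = {}
    for line in text.splitlines():
        m = ARP_TABLE_LINE.search(line)
        if m:
            ip, mac, iface = m.groups()
            table[ip] = {"mac": None if mac == "<incomplete>" else mac.lower(), "iface": iface}
    return table


def diagnose(target_ip: str, capture: str, arp_table_text: str, expected_mac: str = None) -> str:
    """Classify Layer 2 reachability of target_ip from capture + neighbour table.

    Verdicts: no-arp-reply (requests sent, nothing answered: the frame never
    reaches the peer, i.e. the hypervisor wiring is broken), arp-incomplete,
    mac-mismatch (peer answered but not with the MAC the hypervisor was told
    to assign), resolved, or no-arp-traffic (nothing to judge from).
    """
    arp = summarize_arp(capture).get(target_ip, {"requests": 0, "replies": 0, "mac": None})
    table = parse_arp_table(arp_table_text).get(target_ip)
    if arp["requests"] and not arp["replies"]:
        return "no-arp-reply"
    if table is not None and table["mac"] is None:
        return "arp-incomplete"
    if expected_mac and arp["mac"] and arp["mac"] != expected_mac.lower():
        return "mac-mismatch"
    if arp["replies"]:
        return "resolved"
    return "no-arp-traffic"


if __name__ == "__main__":
    print("broken:", diagnose("10.1.1.254", CAPTURE_BROKEN, ARP_TABLE_BROKEN))
    print("healthy:", diagnose("10.1.1.254", CAPTURE_OK, ARP_TABLE_OK, "aa:aa:aa:aa:aa:a3"))
    print("wrong MAC:", diagnose("10.1.1.254", CAPTURE_OK, ARP_TABLE_OK, "aa:aa:aa:aa:aa:a9"))
```

On a real host the two inputs would come from `sudo tcpdump -i eth1 -n arp` and `arp -i eth1` (or `ip neigh show dev eth1`, whose format differs and would need its own regex). The useful distinction for the post's situation is between `no-arp-reply`, which points below ARP at the virtual wiring, and `mac-mismatch`, which means frames do arrive but the guest presents a different address than the one configured on the adapter.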