PA-VM network setting in VirtualBox?

Here is my basic network topology.

1. Linux Client (PC01)
2. Palo Alto Firewall (PA-VM)

[Image: Traffic Flow.jpg]


Both are configured with 2 interfaces enabled in VirtualBox:

1. Adapter 1: Host-only. This is for the out-of-band management interface.
2. Adapter 2: Internal Network. This is for the actual communication between PC01 and PA-VM.

I have no issue at all with the Adapter 1 setting. It's working as expected.

user@PC01:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A1 
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A2
          inet addr:10.1.1.110  Bcast:10.1.1.255  Mask:255.255.255.0
user@PC01:~$ 

Ping using Adapter 1

user@PC01:~$ ping -c 3 192.168.56.254
PING 192.168.56.254 (192.168.56.254): 56 data bytes
64 bytes from 192.168.56.254: seq=0 ttl=64 time=0.770 ms
64 bytes from 192.168.56.254: seq=1 ttl=64 time=0.554 ms
64 bytes from 192.168.56.254: seq=2 ttl=64 time=0.855 ms

--- 192.168.56.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.554/0.726/0.855 ms
user@PC01:~$ 

Ping using Adapter 2

user@PC01:~$ ping -c 3 10.1.1.254    
PING 10.1.1.254 (10.1.1.254): 56 data bytes

--- 10.1.1.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
user@PC01:~$ 

tcpdump from Adapter 2 test

tcpdump output from PC01 shows that the VM firewall is completely unreachable even though they're (supposed to be) connected back to back in the same network segment.

user@PC01:~$ sudo tcpdump -i any net 10.1.1 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:39.981377 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:40.985748 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
21:49:40.985763 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
21:49:40.985766 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92

The incomplete ARP entry on eth1 shows the packet doesn't actually reach the PA-VM at all.

user@PC01:~$ arp -i eth1
? (10.1.1.254) at <incomplete>  on eth1
user@PC01:~$ 

I also noticed that the MAC address on PA-VM (ethernet1/1 = zz:zz:zz:zz:zz:z1) doesn't match what I have in the ARP table on PC01 (incomplete). The one that I set in VirtualBox was AA:AA:AA:AA:AA:A2, not ZZ:ZZ:ZZ:ZZ:ZZ:Z1.

admin@PA-VM> show interface all 

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address       
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              zz:zz:zz:zz:zz:z1 

aggregation groups: 0


total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address           
                              
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0      10.1.1.254/32     

admin@PA-VM> 

This explains why I cannot ping using the secondary interface (Adapter 2) at all. Seems like there is a Layer 1 issue.

For the record, I was able to use the same VirtualBox settings on 2 Linux guests. May I know why the same settings don't work on PA-VM? Any idea how to make Layer 1 communication work in VirtualBox?

These are the screenshots of my VirtualBox network settings.

[Images: Network.jpg, Adapter 1.jpg, Adapter 2.jpg]
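The reasoning in the post (ARP requests go out, no reply comes back, the neighbor entry stays `<incomplete>`, so the frames never reach the peer) can be automated over the same two command outputs. The following is an added example, not code from the original post, from Palo Alto Networks or from VirtualBox: a small parser for `tcpdump` and `arp -i <if>` text that reports whether a target is reachable at Layer 2 and whether the learned MAC is the one you expect. The sample inputs are constructed to mirror the post's capture; the MAC `08:00:27:00:00:02` is a placeholder (08:00:27 is the VirtualBox OUI), and the `expected_mac` argument is an assumption for the check, not a field from the post.

```python
"""Classify Layer 2 reachability of a neighbor from tcpdump / arp output.

Added example, not from the original post. Inputs are plain text as printed
by `tcpdump -i any net 10.1.1` and `arp -i eth1`; sample data is constructed.
"""
import re

# "21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28"
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell ([^,\s]+)")
# "21:50:01.000400 ARP, Reply 10.1.1.254 is-at 08:00:27:00:00:02, length 28"
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)
# "? (10.1.1.254) at <incomplete>  on eth1"  or  "... at aa:bb:.. [ether] on eth1"
ARP_TABLE = re.compile(r"\((\S+)\) at (\S+)\s+(?:\[\w+\]\s+)?on (\S+)")


def arp_summary(tcpdump_text):
    """Return ({target_ip: request_count}, {target_ip: replying_mac})."""
    reqs, replies = {}, {}
    for line in tcpdump_text.splitlines():
        m = ARP_REQ.search(line)
        if m:
            reqs[m.group(1)] = reqs.get(m.group(1), 0) + 1
            continue
        m = ARP_REPLY.search(line)
        if m:
            replies[m.group(1)] = m.group(2).lower()
    return reqs, replies


def neighbor_table(arp_text):
    """Parse `arp -i <if>` output into {ip: (mac_or_None, ifname)}."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_TABLE.search(line)
        if m:
            mac = None if m.group(2) == "<incomplete>" else m.group(2).lower()
            table[m.group(1)] = (mac, m.group(3))
    return table


def diagnose(target, tcpdump_text, arp_text, expected_mac=None):
    """Classify the target's reachability from the two command outputs.

    NO_ARP_SENT  - the client never asked for the target (routing/subnet issue
                   on the client itself, not the link).
    L2_NO_REPLY  - requests went out, nothing answered, entry incomplete: the
                   frames are not reaching the peer (adapter/segment problem).
    MAC_MISMATCH - a peer answered, but not with the MAC you expected.
    L2_OK        - the peer answered from the expected (or any) MAC.
    """
    reqs, replies = arp_summary(tcpdump_text)
    table = neighbor_table(arp_text)
    if target not in reqs:
        return "NO_ARP_SENT"
    if target not in replies and table.get(target, (None,))[0] is None:
        return "L2_NO_REPLY"
    mac = replies.get(target) or table[target][0]
    if expected_mac and mac != expected_mac.lower():
        return "MAC_MISMATCH"
    return "L2_OK"


# Constructed sample data modelled on the post's capture (no reply case) and on
# what a working segment would look like (reply case).
CAPTURE_NO_REPLY = """\
21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:39.981377 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:40.985748 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
"""
CAPTURE_WITH_REPLY = """\
21:50:01.000100 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:50:01.000400 ARP, Reply 10.1.1.254 is-at 08:00:27:00:00:02, length 28
21:50:01.000900 IP 10.1.1.110 > 10.1.1.254: ICMP echo request, id 1, seq 0, length 64
"""
ARP_INCOMPLETE = "? (10.1.1.254) at <incomplete>  on eth1\n"
ARP_COMPLETE = "? (10.1.1.254) at 08:00:27:00:00:02 [ether] on eth1\n"

if __name__ == "__main__":
    print(diagnose("10.1.1.254", CAPTURE_NO_REPLY, ARP_INCOMPLETE))
    print(diagnose("10.1.1.254", CAPTURE_WITH_REPLY, ARP_COMPLETE,
                   expected_mac="08:00:27:00:00:02"))
```

Run against the post's own capture the result is `L2_NO_REPLY`: the client is doing its part (requests leave eth1), so the remaining checks are all on the VirtualBox side of the segment, namely that both guests' Adapter 2 are attached to the same Internal Network name, that the adapter's cable is marked connected, and that the PA-VM interface you expect (ethernet1/1) is really the one bound to that adapter. Once the entry completes, the MAC in PC01's ARP table will be the PA-VM adapter's own address (zz:zz:zz:zz:zz:z1 in the post); AA:AA:AA:AA:AA:A2 is PC01's eth1 and will never appear there.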
