PA3050 can't ping next hop and has dropped all client traffic heading outbound.

L2 Linker


I have tried a lot, and at this point I think I just must be missing something obvious that for whatever reason won't come to mind. From the PA3050 I cannot ping outbound from the public IP. When I run captures, all outbound traffic is in the dropped stage. There is no network functionality at all, and I am unable to find the issue.

[Screenshots: tmp.PNG (Security Config), tmp2.PNG (NAT Config)]

L7 Applicator

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

Assuming that your public IP is 1.2.3.4:

If you want to ping Google DNS, the command would be:

> ping source 1.2.3.4 host 8.8.8.8

As you don't have an External zone to External zone rule, this traffic will match the intrazone-default policy.

By default those policies don't log.

Click on intrazone-default and then Override at the bottom.

Open intrazone-default policy and check "Log at Session End" on Actions tab to gain visibility.

Do the same with interzone-default.

Do you now see blocked sessions in the Traffic log?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L2 Linker

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

I am aware of how to ping, but it's just not working. I enabled logging on even more of the security policies and saw what I have seen before in the traffic tab. Connections seem to never complete; they always age out and the application is left incomplete. I am unsure of where to go from here as this issue has left me quite confused. Whether it is an issue with NAT, Security, or some other rule, I need some help sorting this out.

Edit: Removed the network's public IP and replaced it with a red square.

[Screenshot: private.png]

L7 Applicator

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

The last screenshot shows only sessions from the internet towards your public IP.

There is no log of you initiating sessions from inside to the internet, or of a ping from the firewall's public IP to the internet.

Also, none of those incoming sessions match your NAT policies.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L2 Linker

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

They don't match mine, but they match intrazone, which should let them through, right? Or, due to intrazone being intra, would it block it from finishing the session with the external host? Also, sorry, but the results are the same internally as well.

[Screenshot: Screen Shot 2019-04-03 at 2.24.52 PM.png]

L7 Applicator

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

Can you add the "packets sent" and "packets received" columns to the view?

Ping and DNS can be identified from the first packet that is sent from client to server, so from the screenshot it is unclear whether you receive any traffic back.

Also add "NAT Source IP" and verify that SNAT is applied to outgoing traffic and that you see your public IP in this column.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L2 Linker

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

Src Internal:

[Screenshot: Screen Shot 2019-04-03 at 3.32.37 PM.png]

Src External:

[Screenshot: Screen Shot 2019-04-03 at 2.47.54 PM.png]

L7 Applicator

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

Weird. SNAT is applied.

Edit: Do you have the correct Next Hop IP in the virtual router? Can you ping the next hop from the firewall's external IP?

Can you click on the magnifying glass, or add the egress interface column, to verify that traffic is sent towards the correct interface?

Under Network > Zones, check whether only one outside interface is in the External-Zone zone.

In the CLI, add a filter:

> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear filter all

> debug dataplane packet-diag set filter match source 8.8.8.8

> debug dataplane packet-diag set filter match destination 8.8.8.8

Run the following command a few times and check whether the severity is drop anywhere.

It will show what happened to traffic to and from 8.8.8.8 between the times you ran the command (filter delta yes):

> show counter global filter delta yes packet-filter yes

Clean up the filter:

> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear filter all

The last step would be to go with flow basic:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS9CAK

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
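The counter check above produces a long table on each run, and the useful signal is only the rows whose severity is `drop` and whose delta is non-zero. The script below is an added example for this thread, not code from Palo Alto Networks or from either poster: it parses pasted `show counter global filter delta yes packet-filter yes` output and lists the drop counters that incremented in that window. The column layout (name, value, rate, severity, category, aspect, description) is an assumption based on that command's whitespace-separated table, and the sample output is constructed; the counter names and numbers in it are illustrative.

```python
"""Pull the `drop` rows out of captured `show counter global` output.

Added example for the troubleshooting steps in this thread; it is not code
from Palo Alto Networks or from the posters. The table layout is an
assumption based on the command's whitespace-separated output, and the
sample below is constructed: the counter names and numbers are illustrative.
"""
import re
from dataclasses import dataclass

# Constructed sample of one delta sample from the command; not real capture data.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 5.123 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                  54       10 info      packet    pktproc   Packets received
pkt_sent                                  12        2 info      packet    pktproc   Packets transmitted
session_allocated                          4        0 info      session   resource  Sessions allocated
flow_fwd_l3_noarp                          9        1 drop      flow      forward   Packets dropped: no ARP
flow_policy_deny                           0        0 drop      flow      session   Session setup: denied by policy
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------
"""


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One data row: a counter name, two integers, three single-word columns,
# then free text. Header, banner and separator lines fail this match.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+?)\s*$"
)


def parse_counters(text):
    """Parse every counter row in the captured output into Counter objects."""
    counters = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        counters.append(Counter(
            name=m["name"],
            value=int(m["value"]),
            rate=int(m["rate"]),
            severity=m["severity"],
            category=m["category"],
            aspect=m["aspect"],
            description=m["description"],
        ))
    return counters


def drop_counters(text, include_zero=False):
    """Return the counters with severity `drop`.

    With `filter delta yes` the value column is the change since the previous
    sample, so a drop counter still at 0 did not fire in that window; those
    rows are hidden unless include_zero is set.
    """
    return [
        c for c in parse_counters(text)
        if c.severity == "drop" and (include_zero or c.value > 0)
    ]


def report(text):
    """Human-readable summary: one line per drop counter that fired."""
    drops = drop_counters(text)
    if not drops:
        return "no drop counters incremented in this sample"
    return "\n".join(
        f"{c.name:<24} +{c.value:<6} {c.category}/{c.aspect}: {c.description}"
        for c in drops
    )


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with text pasted from your own CLI session.
    print(report(SAMPLE_OUTPUT))
```

Run it after each `show counter global` sample while the packet filter is active; with the constructed input it reports only the `flow_fwd_l3_noarp` row, which is the kind of result that points at the next-hop/ARP question raised later in the thread rather than at a security or NAT rule.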
L2 Linker

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

I'll hold off on the CLI commands just so I can confirm with you: the next hop is not reachable from the Palo Alto even when running "ping source <pub ip on extern zone> host <next hop ip>".

L7 Applicator

Re: PA3050 can't ping next hop and has dropped all client traffic heading outbound.

> ping source <external ip> host <next hop>

> show arp ethernet1/1 (assuming 1/1 is your external interface)

The next hop might have ping disabled, but IP-to-MAC resolution should still work.

If the MAC is not there, then ask your ISP what the correct next hop is.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI