Palo Alto not loading certain valid sites, why?

L4 Transporter

Re: Palo Alto not loading certain valid sites, why?

So more and more sites stopped loading, and looking at the logs I could see 0 bytes received when I tried to browse any of them. On a whim I changed the outside IP of the PAs (changed it to 11.11.11.15/26) and that immediately fixed the issue. So something upstream, ARP-related, route or duplicate IP, was stopping return traffic from reaching the PAs.

 

Honestly the last thing I would think the problem would be, but at this point it's fixed.

L6 Presenter

Re: Palo Alto not loading certain valid sites, why?


@drewdown wrote:

So more and more sites stopped loading, and looking at the logs I could see 0 bytes received when I tried to browse any of them. On a whim I changed the outside IP of the PAs (changed it to 11.11.11.15/26) and that immediately fixed the issue. So something upstream, ARP-related, route or duplicate IP, was stopping return traffic from reaching the PAs.

 

Honestly the last thing I would think the problem would be, but at this point it's fixed.


 

Take it for what you will, but you really should reach out to TAC and ask them about using a /26 object for your NAT vice the /32.

 

I've accidentally gotten my site on Cox's "blacklist" because I didn't use the correct mask (i.e., using /26 for an object on a GP setting). What ended up happening is my 5020 was ARPing out for all the hosts on the network I specified instead of just using the single IP I intended for the interface.

 

While the change of IP might have masked the problem, I don't believe it solved it...Just trying to let you benefit from my past mistakes.

L4 Transporter

Re: Palo Alto not loading certain valid sites, why?

I agree, changing the IP fixed the problem at hand but didn't shed any light on why it was happening. Will ask TAC about the outbound NAT configuration and see what they say.
