Troubleshooting Slowness with Traffic, Management


L1 Bithead

Hi,

I am reconfiguring my PA-100 VM, as I am changing the network design, but after I changed the interface IPs, router configuration, NAT policy, and security policy, I cannot get to the internet, and in monitoring the end reason is "aged-out".

From the CLI I can ping and traceroute using the management and external interfaces as source, but I cannot use my internal interface to ping or traceroute.

I cannot even ping the external interface using the internal interface (after enabling a management policy for the external interface).

I cannot even ping between the Mgmt interface and the internal interface, and they are in the same network (the default intrazone traffic rule is active as well).

I would appreciate any direction in troubleshooting the issue.

6 REPLIES

L6 Presenter

For TCP traffic, "aged-out" could indicate an incomplete 3-way handshake. A few things to confirm:

1) Can the Palo access the internet over the External interface?

2) Make sure routing is correct.

3) Remember, traffic generated by the firewall will not be subject to policy inspection (unless you source the packet from the interface which is assigned to the security zone).

4) Post the detailed log view of any aged-out session (magnifying glass view).

 

- Palo Alto can access the internet via the external interface and the management interface, but not the internal interface.

- I have only one static route, for 0.0.0.0/0, that goes to the External interface; the next hop is my modem IP address, the metric is set to 10, and the routing table is unicast.

- I am sourcing the traffic from the source zone, and

Attached is the screenshot from my detailed logs (Screen Shot 2017-09-05 at 1.39.00 AM.png).

You are NATing your traffic to 10.1.1.254, from the source IP 10.1.1.60? Why?

What is your external IP address? You have a modem/router, right? Does it know how to get back to the networks behind the FW?

Computer IP is 10.1.1.60

Internal interface for Palo Alto is 10.1.1.254

External IP is 172.16.0.1

Modem IP is 172.16.0.254

From the CLI, ping using the external interface IP as source works:

ping source 172.16.0.1 host yahoo.com
PING yahoo.com (98.138.253.109) from 172.16.0.1 : 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=1 ttl=55 time=61.1 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=2 ttl=55 time=59.9 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=3 ttl=55 time=68.8 ms

but ping using the internal IP doesn't work.

Ok, thanks. You need to configure your Palo to NAT all internal traffic to its External IP (172.16.0.1). In case you don't want to do that, then please add a static route on your router/modem pointing to the Palo external ip address  (172.16.0.1) on how to reach  10.1.1.0/24 subnet.
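The mechanism behind the accepted answer, as an added Python model that is not part of this thread or of PAN-OS: it uses the addresses quoted above, assumes a modem routing table that knows only its own 172.16.0.0/24 and a default route (the "isp-uplink" name is a placeholder), and traces where the internet host's reply ends up under each option, including the NAT to 10.1.1.254 seen in the OP's log.

```python
import ipaddress
from typing import Optional

# Addresses quoted in the thread.
CLIENT = ipaddress.ip_address("10.1.1.60")
FW_INSIDE = ipaddress.ip_address("10.1.1.254")
FW_OUTSIDE = ipaddress.ip_address("172.16.0.1")
ISP_UPLINK = "isp-uplink"  # assumed name for the modem's default next hop


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if nothing matches."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def modem_table(return_route: bool):
    """Assumed modem routing table: its own LAN plus a default route, and the
    LAN behind the firewall only if the static route from the answer is added."""
    table = [("172.16.0.0/24", "connected"), ("0.0.0.0/0", ISP_UPLINK)]
    if return_route:
        table.append(("10.1.1.0/24", str(FW_OUTSIDE)))
    return table


def session_outcome(src, snat_to: Optional[ipaddress.IPv4Address], return_route: bool) -> str:
    """Trace one outbound session and return the end reason the traffic log would show.

    src          -- address the packet originally carries (client or firewall interface)
    snat_to      -- address the firewall's NAT rule rewrites the source to, or None
    return_route -- whether the modem has a route for 10.1.1.0/24 via 172.16.0.1
    """
    src_on_wire = snat_to if snat_to is not None else src
    # The internet host answers the address it saw; the modem has to route that reply.
    hop = lookup(modem_table(return_route), src_on_wire)
    if hop in ("connected", str(FW_OUTSIDE)):
        return "established"  # reply reaches the firewall's external interface
    return "aged-out"  # reply follows the default route away from the LAN; no SYN-ACK


if __name__ == "__main__":
    cases = [("no NAT", CLIENT, None, False), ("NAT to 10.1.1.254", CLIENT, FW_INSIDE, False),
             ("NAT to 172.16.0.1", CLIENT, FW_OUTSIDE, False), ("modem static route", CLIENT, None, True)]
    for label, *args in cases:
        print(f"{label}: {session_outcome(*args)}")
```

Both fixes make the reply land on an address the modem can deliver to the firewall; translating to the internal interface address does not, and a ping sourced from 10.1.1.254 fails for the same reason.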

Thanks, this does make sense; I really missed it among the many changes I have been through. Thanks again.
