VM100 L3 subinterfaces cannot forward traffic

L3 Networker

VM100 L3 subinterfaces cannot forward traffic

Hello to everyone,

Recently I installed a new VM100 on an ESXi 5.0 infrastructure, but during initial configuration I noticed that the L3 subinterfaces cannot forward any traffic, even though I configured a virtual router and a policy with a permit all-any statement between the two subinterfaces (zones). On the VMware side, on the distributed switch, I created a trunk port group with 2 VLANs and mapped the third interface in the VM profile (ethernet1/2 on the VM100) to that port group. On the VM100 I split eth1/2 as L3 into two subinterfaces and bound IP addresses, VLAN tags and the virtual router to them. The MAC address for both subinterfaces is the same, inherited from the parent physical Eth1/2, and it is visible on both VLANs (MAC tables on the external Cisco switches). An explicit policy was applied to forward any traffic between these two subinterfaces, but nothing is forwarded. From the CLI, the only thing I can see passing between the two subinterfaces is ping (#ping source (IP of one subint) host (IP of second subint)), but that is inside the routing engine.

If anyone has similar experience, please advise before I open a support case.

HRU
Not applicable

Re: VM100 L3 subinterfaces cannot forward traffic

Did you apply the license? It needs a valid license to fwd traffic.

L3 Networker

Re: VM100 L3 subinterfaces cannot forward traffic

Hi,

Yes, I applied all the necessary licenses, obtained the serial number and upgraded to version 5.0.1.

L3 Networker

Re: VM100 L3 subinterfaces cannot forward traffic

Problem solved: the PAN-VM interface MACs need to be nested in the VM profile, overriding the VMware generic MACs for every particular interface except Mgmt; otherwise it can't forward traffic at all.

L7 Applicator

Re: VM100 L3 subinterfaces cannot forward traffic

i.e. you need to enable "promiscuous mode" on the port group/vSwitch where the firewall dataplane interfaces are connected. VMware has this disabled by default.

L3 Networker

Re: VM100 L3 subinterfaces cannot forward traffic

Hi,

I already did this (promiscuous mode > accept), but even when I do that, the interfaces can't forward until I override the MAC addresses in the VM profile.

L0 Member

Re: VM100 L3 subinterfaces cannot forward traffic

Can we get an example of "nested MACs"?

L6 Presenter

Re: VM100 L3 subinterfaces cannot forward traffic

What do you mean by "nesting on VM profile"?

L7 Applicator

Re: VM100 L3 subinterfaces cannot forward traffic

Get a list of all of the interfaces and MAC addresses from PAN-OS with the CLI command "show interfaces all". Then shut down the VM-Series firewall with "request shutdown system". Finally, edit the virtual machine guest and take the MAC addresses that were listed in PAN-OS and hard code them into the virtual machine: instead of "Automatic", change it to "Manual" and use the PAN-OS provided MAC address.

Keep in mind that "Network adapter 1" is the management interface.  So "Network adapter 2" should map to PAN-OS Ethernet1/1, and go from there.

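The mapping step above is easy to get wrong by hand (adapter 1 is management, so ethernet1/N lands on adapter N+1). The following script, added here as an example and not from the original post or from Palo Alto Networks, parses the hardware-interface rows of "show interfaces all" and reports which vSphere adapters still carry an automatic MAC instead of the PAN-OS one. The sample PAN-OS output and the vSphere adapter MACs are constructed, the output is a simplified form of the real table (only the name and MAC columns are used), and the ethernet1/N to "Network adapter N+1" rule assumes a single slot as in this thread.

```python
import re

# Constructed, simplified sample of the hardware-interface table printed by
# "show interfaces all"; the PAN-OS MACs use the 00:1b:17 prefix seen in this thread.
SHOW_INTERFACES_ALL = """\
total configured hardware interfaces: 2
name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    ukn/ukn/up                00:1b:17:00:01:10
ethernet1/2             17    ukn/ukn/up                00:1b:17:00:01:11
"""

# Constructed: MACs the hypervisor currently assigns while adapters are "Automatic".
VSPHERE_ADAPTERS = {
    "Network adapter 1": "00:50:56:aa:bb:01",  # management, left untouched
    "Network adapter 2": "00:50:56:aa:bb:02",
    "Network adapter 3": "00:50:56:aa:bb:03",
}

# One hardware row: interface name, id, speed/duplex/state, MAC address.
_ROW = re.compile(
    r"^(ethernet\d+/\d+)\s+\d+\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I
)


def parse_dataplane_macs(output):
    """Return {pan_os_interface: mac} for the physical ethernet rows only."""
    macs = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            macs[m.group(1)] = m.group(2).lower()
    return macs


def adapter_for(pan_if):
    """ethernet1/N -> 'Network adapter N+1' (adapter 1 is the management interface)."""
    port = int(pan_if.split("/")[1])
    return f"Network adapter {port + 1}"


def plan_overrides(output, vsphere_adapters):
    """List (adapter, current_mac, required_mac) for adapters that still need a Manual MAC."""
    plan = []
    for pan_if, mac in sorted(parse_dataplane_macs(output).items()):
        adapter = adapter_for(pan_if)
        current = vsphere_adapters.get(adapter, "").lower()
        if current != mac:
            plan.append((adapter, current, mac))
    return plan
```

Run `plan_overrides` against the real command output and your VM's adapter list before the shutdown step; an empty result means every dataplane adapter already matches PAN-OS.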

L6 Presenter

Re: VM100 L3 subinterfaces cannot forward traffic

There is something I did not understand here.

When I look from ESX, I see the ethernet's MAC is automatic, that is OK. And there are MACs inside the box.

When I turn on the VM and run show interface all from the CLI,

I see different MAC addresses which start with 00:1b:17:xx:xx:xx.

Is there a way to change this MAC?

I also tried manual, but nothing changed; always the same MAC comes.
