Default Route Behavior When Using an Interface Acting as DHCP Client

Created On 09/25/18 18:40 PM - Last Modified 06/06/23 07:35 AM


Resolution


Overview

When an interface receives a DHCP-assigned IP address, a default route is commonly populated automatically on the Palo Alto Networks firewall. This document describes which default route is active when more than one is defined on the firewall.

 

Details

Default Behavior

Default route: Whenever a route lookup happens, the firewall first tries to match the most specific route in the routing table (/32 being the most specific). If no route in the routing table matches the destination, the traffic is sent to the gateway specified in the default route.

By default, the option to generate a default route for an interface acting as a DHCP client is checked on the Palo Alto Networks firewall (Network > Interfaces):

def1.png

 

The routing table then shows a default route, even though no static default route was added manually:

defroute.png

 

Two Default Routes

In some migration cases, when an interface that was previously assigned a static IP from the ISP is changed to a DHCP client, you may notice two default routes in the routing table. When there are two default routes with the same metric value, the first installed route is preferred. If the dynamic default route is added later than the statically defined one, the static default route is preferred.

 

As shown in the following example, there can be two default routes, but the first installed route will be seen as 'AS' (active-static) and the other as 'S' (static):

defroute2.png

 

In the above screenshot, the 'AS' default route is the one that was manually added without the next hop specified. This indicates that the dynamic default route was learned after the static default route was added. In similar scenarios where the static default route was installed first, the next hop specified might be incorrect, which would also lead to loss of internet access.

 

The 'AS' route is the one that traffic will use. Once it is deleted, the 'S' route becomes 'AS' and is used by traffic to reach the internet.

 

Note: There will not be any commit failures with two default routes configured.
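The selection order described above, modelled as an added example that is not Palo Alto Networks code: most specific prefix first, then, between default routes of equal metric, the one installed first. Class and function names are hypothetical, the addresses are constructed, and preferring a lower metric is the usual routing rule, assumed here because the page only covers the equal-metric case.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

_install_seq = count()  # records the order in which routes were installed

@dataclass
class Route:
    prefix: str
    nexthop: Optional[str]
    metric: int = 10
    source: str = "static"  # label only: "static" or "dhcp"
    order: int = field(default_factory=lambda: next(_install_seq))

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)

class RouteTable:
    def __init__(self):
        self.routes = []

    def install(self, prefix, nexthop, metric=10, source="static"):
        route = Route(prefix, nexthop, metric, source)
        self.routes.append(route)
        return route

    def delete(self, route):
        self.routes.remove(route)

    def lookup(self, dest):
        """Longest prefix wins, then lowest metric, then earliest install."""
        ip = ipaddress.ip_address(dest)
        hits = [r for r in self.routes if ip in r.net]
        return min(hits, key=lambda r: (-r.net.prefixlen, r.metric, r.order),
                   default=None)

    def shadowed_defaults(self):
        """Default routes that are configured but not active (the 'S' entries)."""
        defaults = sorted((r for r in self.routes if r.net.prefixlen == 0),
                          key=lambda r: (r.metric, r.order))
        return defaults[1:]

def demo():
    table = RouteTable()
    static = table.install("0.0.0.0/0", None)  # manual route, no next hop
    table.install("0.0.0.0/0", "203.0.113.1", source="dhcp")  # learned later
    before = table.lookup("198.51.100.7")   # uses the static default
    shadowed = table.shadowed_defaults()    # the DHCP default is inactive
    table.delete(static)
    return before, shadowed, table.lookup("198.51.100.7")
```

A non-empty `shadowed_defaults()` result is the condition to review after a static-to-DHCP migration, since the commit itself will not flag it.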

 

owner: rrajendran


