Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

L1 Bithead

Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

Hello, I'm currently doing a POC for a Transit VPC setup in AWS with VM-Series firewalls and noticed that the default route is not propagated to the subscriber VPC routing tables. All the other subnets are propagating. I followed https://www.paloaltonetworks.com/resources/guides/aws-transit-vpc-model-deployment-guide as is, but I'm using PAN-OS 9.1 and in the guide they have used 8.1.4. Any idea what I could be missing?


The show routing protocol bgp rib-out command doesn't show the default (0.0.0.0/0) either.

 


Accepted Solutions
L3 Networker

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

I labbed it with a single firewall running 9.1 and the 0/0 exported to the VPC route table as expected.  Please post screenshots of your VR BGP settings and AWS route table for review.

 

Where is your 0/0 route configured in your firewall?  Do you have a static to the first IP in the subnet or do you have DHCP configured to Automatically create the default route?



All Replies
L3 Networker

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

There is an additional step necessary to export the 0/0 route.  Please have a look at this article.  

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltUCAS

L1 Bithead

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing


@jmeurer Just tried that and it didn't work. It removed more specific routes which were propagated before.

L3 Networker

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

Do you have an existing 0/0 static in the VPC route table?  We will not override that route.
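
A check for the two cases raised in the thread, as an added example that is not part of any post: it classifies each route table in describe-route-tables output by whether 0.0.0.0/0 arrived through VGW propagation, is already present as a static route (AWS prefers a static route over a propagated one for the same destination), or is absent. The sample response and every ID and prefix in it are constructed placeholders.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` JSON output.
# All IDs and prefixes are placeholders, not values from the thread.
VGW = "vgw-example"
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-static", "PropagatingVgws": [{"GatewayId": VGW}], "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example",
         "Origin": "CreateRoute", "State": "active"},
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": VGW,
         "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-missing", "PropagatingVgws": [{"GatewayId": VGW}], "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": VGW,
         "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-ok", "PropagatingVgws": [{"GatewayId": VGW}], "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": VGW,
         "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-off", "PropagatingVgws": [], "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"}]},
]}

def classify_default_route(table):
    """Return a verdict on 0.0.0.0/0 plus the prefixes learned by propagation."""
    routes = table.get("Routes", [])
    # Routes installed by VGW propagation carry this Origin value.
    propagated = [r for r in routes if r.get("Origin") == "EnableVgwRoutePropagation"]
    # IPv6 and prefix-list routes have no DestinationCidrBlock, hence .get().
    defaults = [r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if any(r in propagated for r in defaults):
        verdict = "default-propagated"
    elif defaults:
        # A manually created 0/0 exists, so a propagated 0/0 would not replace it.
        verdict = "static-default-present"
    elif not table.get("PropagatingVgws"):
        verdict = "propagation-disabled"
    else:
        # Propagation is on but no 0/0 arrived: check what the firewall advertises.
        verdict = "default-not-received"
    return {"verdict": verdict,
            "propagated_prefixes": sorted(r["DestinationCidrBlock"] for r in propagated
                                          if "DestinationCidrBlock" in r)}

def audit(response):
    """Map each route table ID to its classification."""
    return {t["RouteTableId"]: classify_default_route(t) for t in response["RouteTables"]}

if __name__ == "__main__":
    for rtb, result in audit(SAMPLE).items():
        print(rtb, result["verdict"], result["propagated_prefixes"])
```

A verdict of default-not-received with other propagated prefixes present matches the situation described in the original question and points back at what the firewall advertises rather than at the VPC route table.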

L1 Bithead

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

@jmeurer show routing protocol bgp rib-out doesn't even show the 0/0 default route. PAN-OS 9.1 has an additional setting which I'm missing. I have deployed a similar setup with 8.1.4 (later upgraded to 9.0.6) and it works as expected.

L3 Networker

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

At this point, it might be good to get a TAC case open. I have not tried Transit VPC with 9.1.

I would be curious: if you add a static route in the VPC pointing to the VGW, does the traffic flow?

L4 Transporter

Re: Default route is not distributed to subscriber VPC - Bgp/Dynamic routing

@jmeurer Transit VPC is community supported, not TAC supported.

 

For additional clarification:

As this is related to route propagation with the VM-Series firewall it would be TAC supported for assistance within the PA-VM. 

 

For issues related to deployment and automation for the transit architecture, open an issue in GitHub.

For assistance, open an issue in GitHub.

https://github.com/PaloAltoNetworks/aws-transit-vpc

 

 

 
