Trust interface on vm not coming up in AWS

L1 Bithead

Trust interface on vm not coming up in AWS

I'm doing some testing in AWS with a DEV server on the inside of my VM-100. I have E1/2 configured as a gateway interface with an ENI private IP address we created in AWS. However, after troubleshooting almost the entire day I can't get it to come up. I'm using 9.0.1 so this could be a bug but I'm not sure. Has anybody ever encountered this?

L1 Bithead

Re: Trust interface on vm not coming up in AWS

The interface not coming up: does that mean no traffic flow? If it's newly added to the VM, please make sure to disable source/destination check on the ENI.

L1 Bithead

Re: Trust interface on vm not coming up in AWS

I have a better understanding of the problem. In AWS, the way the IP addresses are allocated is very confusing to me. I've read the PA documentation and I can't find anywhere where it explains how you are supposed to use Eth0, Eth1, etc. and how these map back to the Palo Alto VMs. I have to understand IP addressing in AWS land and I just can't get my head around it. If anybody has a knowledge base article that explains this, please send it. Also, the VM-Series deployment guide IS NOT helpful for this. Yes, I read it.

L3 Networker

Re: Trust interface on vm not coming up in AWS

AWS ETH0 = PA Management

AWS ETH1 = PA ETH1/1

AWS ETH2 = PA ETH1/2

AWS ETH3 = PA ETH1/3

 

This assumes you did not perform an interface swap during deployment. If so, Management and ETH1/1 would be reversed so that ETH1/1 is the target of an ELB.
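The mapping above, together with the earlier reply's point about disabling source/destination check on the ENI, is the kind of thing worth checking with a script before spending a day on the firewall side. The following is an added example, not code from the thread or from Palo Alto Networks: it maps AWS ENI device indexes to VM-Series interface names (with and without the management/ETH1/1 swap), flags dataplane ENIs that still have source/destination check enabled, and compares the ENI private IP against what was configured statically in PAN-OS. The ENI records are constructed to resemble the relevant fields of an EC2 DescribeNetworkInterfaces response; the ENI ids, addresses and the `configured_ips` dictionary are placeholders.

```python
# Added example (not from the Live Community thread or Palo Alto Networks).
# Audits constructed ENI records against the eth0/eth1/... -> PAN-OS mapping
# given in the thread. Field names mirror EC2 DescribeNetworkInterfaces output
# (NetworkInterfaceId, DeviceIndex, PrivateIpAddress, SourceDestCheck).

def panos_interface_name(device_index, interface_swapped=False):
    """Return the PAN-OS interface that an AWS device index maps to.

    Without a swap: eth0 -> management, ethN -> ethernet1/N.
    With the management/ethernet1/1 swap: eth0 -> ethernet1/1, eth1 -> management.
    """
    if interface_swapped:
        if device_index == 0:
            return "ethernet1/1"
        if device_index == 1:
            return "management"
    elif device_index == 0:
        return "management"
    return f"ethernet1/{device_index}"


def audit_enis(enis, interface_swapped=False, configured_ips=None):
    """Return one finding per ENI.

    configured_ips: optional {panos_interface: ip} of addresses set statically
    in PAN-OS; a mismatch against the ENI's private IP is reported.
    """
    configured_ips = configured_ips or {}
    findings = []
    for eni in enis:
        name = panos_interface_name(eni["DeviceIndex"], interface_swapped)
        dataplane = name.startswith("ethernet1/")
        configured = configured_ips.get(name)
        findings.append({
            "eni": eni["NetworkInterfaceId"],
            "panos_interface": name,
            "private_ip": eni["PrivateIpAddress"],
            # A firewall dataplane ENI forwards packets whose addresses are not
            # its own, so AWS source/dest check must be off on it.
            "needs_src_dst_check_disabled": dataplane and eni["SourceDestCheck"],
            # A static PAN-OS address that differs from the ENI's private IP
            # never receives the traffic AWS routes to that ENI.
            "ip_mismatch": configured is not None and configured != eni["PrivateIpAddress"],
        })
    return findings


# Constructed sample data; ids and addresses are placeholders.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa0", "DeviceIndex": 0,
     "PrivateIpAddress": "10.0.0.10", "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbb1", "DeviceIndex": 1,
     "PrivateIpAddress": "10.0.1.10", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-0ccccccccccccccc2", "DeviceIndex": 2,
     "PrivateIpAddress": "10.0.2.10", "SourceDestCheck": True},
]

# Placeholder static addresses as they might have been typed into PAN-OS.
SAMPLE_CONFIGURED = {"ethernet1/1": "10.0.1.10", "ethernet1/2": "10.0.2.99"}

if __name__ == "__main__":
    for f in audit_enis(SAMPLE_ENIS, configured_ips=SAMPLE_CONFIGURED):
        problems = []
        if f["needs_src_dst_check_disabled"]:
            problems.append("disable src/dst check")
        if f["ip_mismatch"]:
            problems.append("PAN-OS IP differs from ENI IP")
        print(f'{f["eni"]} {f["panos_interface"]:12} {f["private_ip"]:12} '
              f'{", ".join(problems) or "ok"}')
```

Run against real data, the records would come from `aws ec2 describe-network-interfaces` filtered to the firewall instance; with the sample data the trust ENI (eth2) is reported for both source/dest check and an address mismatch, which are the two failure modes this thread converges on.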

 

L1 Bithead

Re: Trust interface on vm not coming up in AWS

Thank you. Unfortunately, that brings up more questions so I think I will stop here.

L1 Bithead

Re: Trust interface on vm not coming up in AWS

Can somebody tell me this: if Eth0 and E1/1 are showing different IP addresses in the AWS instance window from what I have configured, what course should I take? Currently, E1 is a private ENI and I'm pretty sure that won't work as my public IP address.

L5 Sessionator

Re: Trust interface on vm not coming up in AWS

I may have missed something, but it sounds like you did the following:

1. Configured your interfaces in PAN-OS statically

2. Didn't set the AWS IP configuration to static

If that is the case, go back into the VM-Series and change the interfaces to dynamic.

For any of the dataplane interfaces, only check "add default route" for your untrust interface.

L1 Bithead

Re: Trust interface on vm not coming up in AWS

Thanks for the help. The problem I have now is that even though E1/1 (untrust) is configured as a DHCP client, Palo Alto shows N/A for the IP address. Under "dynamic IP int status" everything is all zeros.

L1 Bithead

Re: Trust interface on vm not coming up in AWS

Went ahead and made it static. Seemed to work. Attributing this to a PAN-OS bug in 9.0.1.
