05-27-2016 04:18 AM
Hi Guys,
We are seeing that the traffic for the new subnet we added recently is coming up as incomplete, and we need some help to troubleshoot this.
Cheers,
Mykhaylo
05-27-2016 04:29 AM
Either the response doesn't find its way back (routing) or something in front of the PA drops these SYN packets.
05-27-2016 04:31 AM
Going to do a PCAP. Will let you know.
05-27-2016 05:32 AM
Clicked on "me too" by mistake.
Anyways:
------------------------
Have you tried assigning the IP address you are using for source NAT to an interface as a secondary IP, just for troubleshooting purposes, and then pinging the next hop using that NATted IP address as the source?
Also try sending a G-ARP packet after that to see the results.
The above step is just to see whether that IP has back-and-forth reachability from the Internet or not,
as if that IP itself is not reachable as a source to the next hop, the host machines will never be able to reach the Internet using it as a NATted source IP address.
Also, please let me know whether you are using a single VR or 2 virtual routers.
05-27-2016 07:43 AM - edited 05-27-2016 08:59 AM
OK, the PCAP from the client in the affected subnet shows only SYN packets. The Palo Alto PCAP shows SYN, SYN-ACK from the server, and that is it.
Another subnet is successfully using the Internet. Screenshot below:
Subnet 10.94.156.0/24 UN-SUCCESSFUL
Subnet 10.94.159.0/24 SUCCESSFUL
Routing back to the host??
05-27-2016 09:39 AM - edited 05-27-2016 09:39 AM
Just a quick update. Routing issue. Packet is not getting back to the affected subnet when Palo sends a syn-ack packet. Thank you all
05-29-2016 11:30 PM
Cool. Thought it might be.
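The two-capture comparison used in this thread, written out as an added example that is not part of the original posts: it takes the TCP flags seen at the client and at the firewall and reports where the handshake stops. The host and server addresses and the records are constructed, and the firewall capture is assumed to show pre-NAT addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed records: (capture_point, src, dst, tcp_flags). Only the two
# subnets come from the thread; hosts and the server address are made up.
SAMPLE = [
    ("client",   "10.94.156.10", "203.0.113.5",  "S"),
    ("client",   "10.94.156.10", "203.0.113.5",  "S"),   # SYN retransmit
    ("firewall", "10.94.156.10", "203.0.113.5",  "S"),
    ("firewall", "203.0.113.5",  "10.94.156.10", "SA"),  # never reaches client
    ("client",   "10.94.159.10", "203.0.113.5",  "S"),
    ("firewall", "10.94.159.10", "203.0.113.5",  "S"),
    ("firewall", "203.0.113.5",  "10.94.159.10", "SA"),
    ("client",   "203.0.113.5",  "10.94.159.10", "SA"),
    ("client",   "10.94.159.10", "203.0.113.5",  "A"),
    ("firewall", "10.94.159.10", "203.0.113.5",  "A"),
]

def flags_seen(records, subnet):
    """Collect the TCP flags observed at each capture point for one subnet."""
    net = ip_network(subnet)
    seen = {"client": set(), "firewall": set()}
    for point, src, dst, flags in records:
        if ip_address(src) in net or ip_address(dst) in net:
            seen[point].add(flags)
    return seen

def diagnose(records, subnet):
    """Name the first hop at which the three-way handshake goes missing."""
    seen = flags_seen(records, subnet)
    client, firewall = seen["client"], seen["firewall"]
    if "S" not in client:
        return "no-syn-from-client"
    if "S" not in firewall:
        return "syn-lost-before-firewall"
    if "SA" not in firewall:
        return "no-synack-at-firewall"            # upstream / NAT return path
    if "SA" not in client:
        return "synack-lost-between-firewall-and-client"  # route back to subnet
    if "A" not in firewall:
        return "ack-not-seen-at-firewall"
    return "handshake-complete"

if __name__ == "__main__":
    for subnet in ("10.94.156.0/24", "10.94.159.0/24"):
        print(subnet, diagnose(SAMPLE, subnet))
```
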