ARP Proxy didn't work after PanOS upgrade from 10.1.6 to 11.1.2-h3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

ARP Proxy didn't work after PanOS upgrade from 10.1.6 to 11.1.2-h3

L2 Linker

Short description:  We upgraded to 11.1.2-h3 on an HA pair of PA-820s last night, and the NAT/ARP Proxy that was functioning on PanOS 10.1.6 is no longer functioning.

 

We would really prefer a simple solution on 11.1.2-h3 rather than going through a 5 hour downgrade that we would still need to upgrade by the November 18th drop dead date of Advisory: https://live.paloaltonetworks.com/t5/customer-advisories/update-to-additional-pan-os-certificate-exp... 

 

Is there something we can do like adding the Interface IP to the NAT rule, or setting an explicit ARP Proxy instead of just relying on PanOS to figure it out?

One possible complication is that our interface ae1.xxxx has two IP addresses.


TL;DR:

 

- Short Term we have a workaround by talking the Network team into temporarily adding TWELVE static ARP entries.

- This used to work until last night.

- The only changes we made to the firewall (PA-820) were to upgrade from 10.1.6 to 10.2.6-h3 to 11.0.4-h2 to 11.1.2-h3.

- The upgrades took 5 hours (did I mention PA-820?) so I REALLY don't want to have to downgrade, especially since 10.1.6 doesn't have the Device Certificate patches, so we would need to upgrade to SOMETHING before November.

TIA for any insight!

Eric Troldahl

Firewall Lead, Michigan State University.

1 accepted solution

Accepted Solutions

The range defined for NAT was directly attached to an interface.  It turns out that the object that was used to define the interface IP on one of the two subnets on the VLAN had a /32 mask, so none of the other IPs on that Subnet were getting ARP resolution.  We currently changed to a hardcoded IP/mask (that can cause a "Ghost"), but we are discussing an architecture naming convention change that would require separate objects for Interface addresses, using a name like "vlan3100-subnet-192-168-1-0-interface" so no one would use it except in a context that needs to change if the IP or VLAN changes. 

NOTE:  We have a very large network with not just RFC1918 private IPs, but also a public /13 range, and some of the RFC 1918 addresses need to NAT to the public range even within the campus to be allowed to route from Server and DMZ zones out to VPN tunnels, local Untrust zones, and even Internet Untrust ranges.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@Eric_Troldahl,

Have you reviewed https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0 and attempted any of the standard fixes to this issue? Since you don't detail how your NAT policies were configured previously or if you have the secondary addresses on the interfaces directly it's a bit difficult to troubleshoot what could have possibly changed in your upgrade.

I personally just prefer to make routes whenever possible instead of configuring the address on the interface as a secondary address, but that also works perfectly fine. Just gets a bit tedious if working with a lot of addresses.

The range defined for NAT was directly attached to an interface.  It turns out that the object that was used to define the interface IP on one of the two subnets on the VLAN had a /32 mask, so none of the other IPs on that Subnet were getting ARP resolution.  We currently changed to a hardcoded IP/mask (that can cause a "Ghost"), but we are discussing an architecture naming convention change that would require separate objects for Interface addresses, using a name like "vlan3100-subnet-192-168-1-0-interface" so no one would use it except in a context that needs to change if the IP or VLAN changes. 

NOTE:  We have a very large network with not just RFC1918 private IPs, but also a public /13 range, and some of the RFC 1918 addresses need to NAT to the public range even within the campus to be allowed to route from Server and DMZ zones out to VPN tunnels, local Untrust zones, and even Internet Untrust ranges.

  • 1 accepted solution
  • 898 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!