07-10-2018 01:02 AM
Did something the other day and now I cannot ping/https/ssh to the firewall on its management interface, even though from the firewall I can ping out.
I don't think this is a routing issue as I can do it the other way (out of the device), and the device I am sourcing the pings from is within the same subnet. Also I have checked the ARP table and MAC table and the source device can see the IP and MAC of the Palo.
Any ideas? Currently I can get on the Palo as I have management via another interface.
07-10-2018 01:14 AM
So I have carried out a tcpdump on the mgmt interface and found the following.
If I initiate a ping request FROM the firewall then I see the sent/received as expected.
If I initiate from its neighbour then I see the request coming into the firewall, but no response coming back down the mgmt interface.
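The diagnostic in this post (request seen inbound on the mgmt interface, no reply leaving) is the useful signal: it separates "the path is broken" from "the firewall's management plane is not answering". The script below is an added example, not the poster's or Palo Alto's code; it pairs ICMP echo requests with replies in tcpdump-style text and reports which source's requests went unanswered. The capture lines and the 172.16.99.x addresses are constructed placeholders, and the text format is plain tcpdump output as assumed here, not a PAN-OS-specific format.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output as it might appear on a management
# interface. Addresses are placeholders: .1 plays the firewall mgmt IP,
# .6 plays the upstream router. Pings sourced by the router (.6) get no
# reply; pings sourced by the firewall (.1) are answered.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 172.16.99.6 > 172.16.99.1: ICMP echo request, id 4021, seq 1, length 64
10:00:02.000100 IP 172.16.99.6 > 172.16.99.1: ICMP echo request, id 4021, seq 2, length 64
10:00:05.000100 IP 172.16.99.1 > 172.16.99.6: ICMP echo request, id 7730, seq 1, length 64
10:00:05.000553 IP 172.16.99.6 > 172.16.99.1: ICMP echo reply, id 7730, seq 1, length 64
10:00:06.000100 IP 172.16.99.1 > 172.16.99.6: ICMP echo request, id 7730, seq 2, length 64
10:00:06.000427 IP 172.16.99.6 > 172.16.99.1: ICMP echo reply, id 7730, seq 2, length 64
"""

# Matches the ICMP echo lines tcpdump prints with default (-n) formatting.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture_text):
    """Return one dict per ICMP echo request/reply line; other lines are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, TCP, etc. are not relevant to this check
        d = m.groupdict()
        d["id"] = int(d["id"])
        d["seq"] = int(d["seq"])
        packets.append(d)
    return packets


def unanswered_requests(packets):
    """Pair each echo request with a reply by (requester, target, id, seq).

    A reply travels target -> requester, so its src/dst are swapped when
    building the lookup key. Returns {requester_ip: [unanswered seq, ...]}.
    """
    replies = {
        (p["dst"], p["src"], p["id"], p["seq"])
        for p in packets
        if p["kind"] == "reply"
    }
    missing = defaultdict(list)
    for p in packets:
        if p["kind"] != "request":
            continue
        key = (p["src"], p["dst"], p["id"], p["seq"])
        if key not in replies:
            missing[p["src"]].append(p["seq"])
    return dict(missing)


def direction_report(capture_text, mgmt_ip):
    """Count unanswered requests by direction relative to the mgmt IP.

    'inbound_unanswered' > 0 with 'outbound_unanswered' == 0 is the pattern
    from this thread: traffic reaches the interface but the management plane
    does not answer, which points at the firewall's own mgmt settings rather
    than at routing on the path.
    """
    packets = parse_icmp_echo(capture_text)
    report = {"inbound_unanswered": 0, "outbound_unanswered": 0}
    for requester, seqs in unanswered_requests(packets).items():
        if requester == mgmt_ip:
            report["outbound_unanswered"] += len(seqs)
        else:
            report["inbound_unanswered"] += len(seqs)
    return report


if __name__ == "__main__":
    # Assumed mgmt IP for the constructed sample.
    print(unanswered_requests(parse_icmp_echo(SAMPLE_CAPTURE)))
    print(direction_report(SAMPLE_CAPTURE, "172.16.99.1"))
```

Feed it the text of a real capture (for example one taken on the management interface and saved to a file) and pass the firewall's mgmt address; if only inbound requests show up as unanswered, the next things to check are the management interface's permitted-IP list and which services (ping, https, ssh) it is configured to serve, before touching routing.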
07-10-2018 03:42 AM
"Did something the other day"
On the firewall or somewhere else?
If the firewall, check your management logs.
How are you connecting if HTTP/SSH are down too?
Rob
07-10-2018 04:52 AM
On the firewall.
The management interface was on a public IP accessible from the internet, so I changed addressing to an internal range within our private MPLS.
Before I did that change I enabled a management profile on the "inside" interface to the LAN so that if things went funny, like they have, I would still have access.
I am accessing via eth1/1 with a mgmt profile allowing http/ssh for the time being.
07-10-2018 05:56 AM
So is the new IP routeable? Is there any other device on the connected switch in the same vlan/subnet that pings ok? Is the DG on the management interface pointing at the correct address on your internal network?
Rob
07-10-2018 05:57 AM
You changed the management profile to allow only traffic from private addresses on your public interface? But if you're pinging the public IP on that interface, DNAT will still happen? Does the packet capture show the source of the ping from a public or private IP?
07-10-2018 06:55 AM - edited 07-10-2018 06:58 AM
This is from its neighbour.
ROUTER - SWITCH - FIREWALL
Router is x.x.x.6/29
FW is x.x.x.1/29
DG on the FW mgmt interface is x.x.x.6. I can't see routing being the issue as I can ping OUT from the FW to the Router mgmt subnet IP with no issues. The trace shows it's the next hop along.
From FW:
PAN1> ping host 172.x.x.6
PING 172.x.x.6 (172.x.x.6) 56(84) bytes of data.
64 bytes from 172.x.x.6: icmp_seq=1 ttl=64 time=0.553 ms
64 bytes from 172.x.x.6: icmp_seq=2 ttl=64 time=0.427 ms
^C
--- 172.x.x.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.427/0.490/0.553/0.063 ms
PAN1> traceroute host 172.x.x.6
traceroute to 172.x.x.6 (172.x.x.6), 30 hops max, 40 byte packets
1 172.x.x.6 (172.x.x.6) 1.048 ms 1.117 ms *
From Router (172.x.x.6):
Route:
172.x.x.0/29 *[Direct/0] 00:20:53
> via ge-1/0/9.996
Ping:
R1> ping routing-instance xxxxxxxx 172.x.x.1
PING 172.x.x.1 (172.x.x.1): 56 data bytes
1 packets transmitted, 0 packets received, 100% packet loss
Trace:
Stars **********
07-10-2018 06:58 AM
No, I did not change the management profile to allow only private IP addresses. What I said is that previously the mgmt interface had a public IP assigned to it, and was reachable via the global internet.
I changed the IP/mask/DG on the management interface to a spare private subnet, and changed the Router so that the interface going to the mgmt interface is now within our corp vrf/mpls network.
Captures show the source IP is correct (private LAN IP on the router), but the FW does not respond if the ping is initiated from the router. Works fine if initiated from the FW.
07-10-2018 07:04 AM
Disconnect the router and put a laptop directly connected to the management interface.
Test that way to confirm if the ping still fails.
Rob
07-10-2018 07:15 AM
That will have to wait until next week, as it is 200 miles from me in a DC.
07-10-2018 07:20 AM
Any IP restrictions on the Management interface?
07-10-2018 07:35 AM
There are a couple, but I have added in an allowed 0.0.0.0/0 to test. Same issue.
07-10-2018 08:41 AM
On the management interface did you actually set up Permitted IPs to allow the internal clients?