Cannot ping INTO mgmt interface, but can ping out?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cannot ping INTO mgmt interface, but can ping out?

L3 Networker

Did something the other day and now i cannot ping/https/ssh to the firewall on its management interface, even though from the firewall i can ping out.

 

I dont think this is a routing issue as i can do it the other way(out of the device), and the device i am sourcing the pings from is within the same subnet. Also i have checked arp table and mac table and the source device can see the IP and MAC of the Palo

 

Any ideas? Currently i can get on the Palo as i have managment via another interface

1 accepted solution

Accepted Solutions

@welly_59,

On the management interface did you actually setup Permitted IPs to allow the interanl clients? 

View solution in original post

13 REPLIES 13

L3 Networker

So i have carried out a tcp dump on the mgmt interface and found the following.

 

If i initiate a ping request FROM the firewall then i see the sent/recieved as expected.

 

If i initiate from its neighbour then i see the request coming into the firewall, but no response coming back down the mgmt interface

"Did something the other day"

 

on the firewall or somwhere else?

 

If firewall check you management logs.

 

How are you connecting if HTTP/SSH are down too?

 

Rob

 

on the firewall.

 

The management interface was on a public IP accessible from the internet, so i changed addressing to an internal range within our private MPLS.

 

Before i did that change i enabled a management profile on the "inside" interface to the LAN so that if things went funny, like they have, i would still have access.

 

I am accessing via eth1/1 with a mgmt profile allowing http/ssh for the time being

so is the new IP rotueable is there any other device on the connected switch in the same vlan/subnet that pings ok? Is the DG on the management interface pointing at the correct address on your internal network?

 

Rob

You changed managemet profile to allow only traffic from private addresses on your public interface? But if you're pinging public IP on that interface DNAT will still happen? Packet capture show source of ping from public or private IP?

this is from its neighbour.

 

ROUTER - SWITCH - FIREWALL

 

Router is x.x.x.6/29

FW is x.x.x.1/29

 

DG on the FW mgmt interface is x.x.x.6. I cant see routing being the issue as i can ping OUT from the FW to the Router mgmt subnet IP with no issues. The trace shows its the next hop along.

 

From FW:

PAN1> ping host 172.x.x.6
PING 172.x.x.6 (172.x.x.6) 56(84) bytes of data.
64 bytes from 172.x.x.6: icmp_seq=1 ttl=64 time=0.553 ms
64 bytes from 172.x.x.6: icmp_seq=2 ttl=64 time=0.427 ms
^C
--- 172.x.x.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.427/0.490/0.553/0.063 ms
PAN1> traceroute host 172.x.x.6
traceroute to 172.x.x.6 (172.x.x.6), 30 hops max, 40 byte packets
1 172.x.x.6 (172.x.x.6) 1.048 ms 1.117 ms *

 

From Router (172.x.x.6):

Route:

172.x.x.0/29 *[Direct/0] 00:20:53
> via ge-1/0/9.996

Ping:

R1> ping routing-instance xxxxxxxx 172.x.x.1
PING 172.x.x.1 (172.x.x.1): 56 data bytes

1 packets transmitted, 0 packets received, 100% packet loss

Trace:

Stars **********

No i did not change the management profile to allow only private IP addresses. What i said is that previously the mgmt interface had a public IP assigned to it, and was reachable via the global internet.

 

I change the IP/mask/DG on the management interface to a spare private subnet, and changed the Router so that the interfacer going to mgmt interface is now within our corp vrf/mpls network.

 

Captures show source IP is correct (private LAN IP on the router), but the FW does not respond if the ping is initiated from the router. Works fine if initiated from the FW

Disconnect the router and put a laptop directly connected to the management interface.

 

Test that way to confirm if the ping still fails.

 

Rob

 

 

that will have to wait until next week, as it is 200 miles from me in a DC

Any IP restrictions on the  Management interface?

There are a couple, but i have added in an allowed 0.0.0.0/0 to test. Same issue

@welly_59,

On the management interface did you actually setup Permitted IPs to allow the interanl clients? 

Just realised that palo ignores 0.0.0.0/0 within the permitted up list. I removed the list of permitted up addresses and now it’s working as expected
  • 1 accepted solution
  • 12297 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!