Default Gateway from the Palo Alto Firewall is not reachable


Hello,

I have configured inside, outside and DMZ on the Palo Alto firewall. The outside interface is configured for Global Protect.

The default gateway of the Palo Alto firewall is not reachable. But when we connect that cable to the ASA firewall we are able to ping the gateway.

Please help us to troubleshoot the issue.

Regards,

Parvez

L6 Presenter

Hi,

How do you test reaching the default gateway?

You mean ping source OUTSIDE host DGW?

L4 Transporter

ParvezAhmad are you specifying the source of your pings as being the OUTSIDE interface of your PA that is facing your default gateway when you're doing your tests?

Example:

ping source 216.5.4.3 host 216.5.4.1

Also are you sure the PA firewall isn't blocking the pings? Do you have a policy rule defined that says "allow outside to outside" with App-ID ping?

Also as was previously mentioned if the PA has the same IP as the ASA you're testing with, it makes sense to force a gratuitous ARP to make sure the ARP cache on your default gateway device updates with the PA MAC address instead of the ASA MAC address.

Hi,

I tested by using ping host xxx.ccc.xxx.zzzz.

I am doing migration from ASA firewall to Palo Alto firewall. I am using the same cable to connect to Palo Alto outside interface E1/1.

Parvez, do

ping source <your outside interface IP on your Palo Alto> host xxx.ccc.xxx.zzz

I believe after 180 seconds it should be removed automatically.

Or do we remove it with clear ip arp?

The firewall is not blocking the pings, since there is a policy as you mentioned.

Do you think that Global Protect Configuration can block this ping?

If you don't type source, the FW uses the management interface for the ping command.

Parvez: yes the ARP cache will eventually time out

Can you please try "ping source <your outside interface IP on your Palo Alto> host xxx.ccc.xxx.zzz" and let us know your results?

Right, what panos said is true, that's why I'm asking for the source parameter to be added to your ping command ParvezAhmad

L4 Transporter

What egearhart says is true. If you "ping host www.yahoo.com", the default interface chosen is the management interface. If your WAN interface has an IP of 64.64.64.64, use this syntax: ping source 64.64.64.64 host <IP_ADDR_Nexthop_Rtr>. Then check the ARP cache on the ethernet port that corresponds to 64.64.64.64. If you do not see an entry for your ISP next hop, then they have probably done a static entry for your IP and MAC in the switch. I have no idea why they do this, but it is fairly common in the USA.

SKrall
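As an added example (not from any poster in this thread), the three checks the replies converge on can be turned into a small triage script: parse a `show arp all`-style table, look up the next-hop on the outside interface, and map the result to the advice given above (no entry: ping was sourced from management, add `source`; incomplete entry: the upstream device is not answering ARP, e.g. a stale cache or static binding after the ASA swap; complete entry: ARP is fine, look at policy instead). The table layout, the `c`/`i` status codes and all addresses are constructed assumptions, not a real capture.

```python
"""Triage a next-hop ARP entry on a PAN-OS outside interface (constructed example)."""
from dataclasses import dataclass

# Constructed sample modelled on a `show arp all` table; the column order
# (interface, ip, mac, port, status, ttl) and the status codes are assumptions.
SAMPLE_ARP = """\
interface      ip address    hw address          port          status  ttl
---------------------------------------------------------------------------
ethernet1/1    216.5.4.1     00:00:00:00:00:00   ethernet1/1   i       0
ethernet1/2    10.1.1.20     00:1b:17:aa:bb:cc   ethernet1/2   c       1500
"""


@dataclass
class ArpEntry:
    interface: str
    ip: str
    mac: str
    status: str  # assumed codes: 'c' = complete, 'i' = incomplete


def parse_arp(text: str) -> list[ArpEntry]:
    """Parse the table, skipping the header and separator lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "interface" or line.startswith("-"):
            continue
        entries.append(ArpEntry(parts[0], parts[1], parts[2], parts[4]))
    return entries


def diagnose_nexthop(arp_text: str, outside_if: str, nexthop_ip: str) -> tuple[str, str]:
    """Return (verdict, advice) for the next-hop on the given outside interface."""
    hits = [e for e in parse_arp(arp_text)
            if e.interface == outside_if and e.ip == nexthop_ip]
    if not hits:
        # Nothing was ever resolved on this port: the test probably left via management.
        return ("missing", f"No ARP entry for {nexthop_ip} on {outside_if}; re-test with "
                           f"'ping source <{outside_if} IP> host {nexthop_ip}'.")
    if hits[0].status == "i":
        # The firewall asked but got no reply: stale cache or static binding upstream.
        return ("incomplete", f"{nexthop_ip} is not answering ARP on {outside_if}; "
                              "check the upstream ARP cache / static MAC binding.")
    return ("resolved", f"{nexthop_ip} resolves to {hits[0].mac}; ARP is fine, "
                        "check the outside-to-outside ping policy next.")


if __name__ == "__main__":
    print(diagnose_nexthop(SAMPLE_ARP, "ethernet1/1", "216.5.4.1"))
```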
