03-21-2013 12:49 AM
Hi,
I have a PA500 configured with 2 virtual routers.
In both virtual routers I have some zones, interfaces and networks.
For example:
VR1
- Zone1: Network Ethernet1/1.1 - Interface Type Layer3 - Tag 1 - IP 10.168.100.1 / 16
- Zone2: Network Ethernet1/1.2 - Interface Type Layer3 - Tag 2 - IP 192.168.50.1 / 24
VR2
- Zone3: Network Ethernet1/2.1 - Interface Type Layer3 - Tag 3 - IP 192.168.1.1 / 24
- Zone4: Network Ethernet1/2.2 - Interface Type Layer3 - Tag 4 - IP 192.168.2.1 / 24
In both virtual routers I configured static routes for internal routing.
In VR1 I configured:
route for 192.168.1.0 / 24 via next VR - VR2
route for 192.168.2.0 / 24 via next VR - VR2
In VR2 I configured:
route for 10.168.0.0 / 16 via next VR - VR1
route for 192.168.50.0 / 24 via next VR - VR1
I have a DHCP server on Zone4:
DHCP Server IP: 192.168.2.100 mask 255.255.255.0
Gateway: 192.168.2.1
If I configure my PA500 as DHCP relay for Ethernet1/2.1 (DHCP server 192.168.2.100), all works fine.
But when I configure DHCP relay for Ethernet1/1.1 (DHCP server 192.168.2.100), I see the packets go correctly to the DHCP server, but they cannot come back.
In the monitor I see allowed packets from 10.168.100.1 to 192.168.2.100, application DHCP.
Can DHCP relay work in a virtual-routers scenario?
How?
Thanks
Regards
03-21-2013 06:56 PM
Can you look at counters to see if we are dropping the DHCP offer packet from 192.168.2.100 to 10.168.100.1?
So set up a filter which has the src IP 192.168.2.100 and the dest IP 10.168.100.1.
Second filter: src IP 10.168.100.1 to dest IP 0.0.0.0.
Enable it (turn on the filter) and run the following command a couple of times:
> show counter global filter packet-filter yes delta yes
03-26-2013 06:55 AM
Hi,
here is the result:
Global counters:
Elapsed time since last sampling: 166.235 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_sent 6 0 info packet pktproc Packets transmitted
pkt_outstanding 6 0 info packet pktproc Outstanding packet to be transmitted
session_allocated 1 0 info session resource Sessions allocated
session_installed 1 0 info session resource Sessions installed
flow_qos_pkt_enque 3 0 info flow qos Packet enqueued to QoS module
flow_host_pkt_xmt 3 0 info flow mgmt Packets transmitted to control plane
flow_host_service_allow 3 0 info flow mgmt Device management session allowed
appid_proc 1 0 info appid pktproc The number of packets processed by Application identification
dfa_sw 1 0 info dfa pktproc The total number of dfa match using software
aho_sw 3 0 info aho pktproc The total usage of software for AHO
ctd_pkt_slowpath 6 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 11
--------------------------------------------------------------------------------
03-26-2013 08:54 AM
I captured DHCP packets and I see:
- DHCP Discover session from 10.168.100.1 to 192.168.2.100
- DHCP Offer transaction from 192.168.2.100 to 10.168.100.1
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 10.168.100.50 (10.168.100.50)
Next server IP address: 192.168.2.100 (192.168.2.100)
Relay agent IP address: 10.168.100.1 (10.168.100.1)
I think the problem is routing between VR2 and VR1.
Ping tests:
Ping from a VR1 host (10.168.100.2) to VR2 host 192.168.2.100 works
Ping from a VR1 host (10.168.100.2) to VR2 INTERFACE 192.168.2.1 works
Ping from a VR2 host (192.168.2.100) to VR1 host 10.168.100.2 works
Ping from a VR2 host (192.168.2.100) to VR1 INTERFACE 10.168.100.1 does not work (but I see in the monitor that it matches an allow rule)
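The capture above is the key observation: a DHCP server answers a relayed Discover by sending the Offer to giaddr (the relay agent IP), which here is the firewall's own VR1 interface address rather than a host behind it. The following Python model, added here and not part of the original thread or of PAN-OS, parses a constructed Offer with the same addresses as the capture and then walks a generic longest-prefix lookup across the two virtual routers as configured in the first post, to show that the reply terminates on a firewall-owned address ("local") after the next-VR hop, whereas the ping to host 10.168.100.2 ends on a connected subnet. The route tables and the `resolve` semantics are assumptions modelling the expected behaviour, not a description of how the device actually forwards.

```python
import ipaddress
import struct

# Two-VR topology as posted in the thread (constructed model, not PAN-OS data).
# "static" entries point at another virtual router, i.e. a "next-vr" next hop.
VRS = {
    "VR1": {"interfaces": {"ethernet1/1.1": "10.168.100.1/16", "ethernet1/1.2": "192.168.50.1/24"},
            "static": {"192.168.1.0/24": "VR2", "192.168.2.0/24": "VR2"}},
    "VR2": {"interfaces": {"ethernet1/2.1": "192.168.1.1/24", "ethernet1/2.2": "192.168.2.1/24"},
            "static": {"10.168.0.0/16": "VR1", "192.168.50.0/24": "VR1"}},
}

def dhcp_reply_target(offer: bytes) -> str:
    """Address a DHCP server sends a relayed reply to.
    Fixed BOOTP header: op hlen htype hops (4) xid (4) secs+flags (4), then
    ciaddr yiaddr siaddr giaddr at offset 12. Non-zero giaddr means the reply
    goes to the relay agent (here the firewall interface), not the client."""
    _ciaddr, yiaddr, _siaddr, giaddr = struct.unpack_from("!4s4s4s4s", offer, 12)
    gi = str(ipaddress.IPv4Address(giaddr))
    return gi if gi != "0.0.0.0" else str(ipaddress.IPv4Address(yiaddr))

def resolve(vr: str, dst: str, hops=None) -> list:
    """Walk the lookup across VRs and return the path: VR names followed by
    'local:<ip>' (destination is the VR's own interface address),
    'connected:<net>' (host on a directly attached subnet) or 'no-route'."""
    hops = [vr] if hops is None else hops
    addr = ipaddress.IPv4Address(dst)
    table = VRS[vr]
    for cidr in table["interfaces"].values():          # firewall-owned address?
        if addr == ipaddress.ip_interface(cidr).ip:
            return hops + ["local:" + cidr.split("/")[0]]
    candidates = [(c, None) for c in table["interfaces"].values()] + list(table["static"].items())
    best = None                                         # longest-prefix match
    for cidr, nh in candidates:
        net = ipaddress.ip_interface(cidr).network
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return hops + ["no-route"]
    if best[1] is None:
        return hops + ["connected:" + str(best[0])]
    return resolve(best[1], dst, hops + [best[1]])      # follow the next-vr hop

# Constructed Offer mirroring the capture: yiaddr 10.168.100.50,
# siaddr 192.168.2.100, giaddr 10.168.100.1 (xid is an arbitrary sample value).
OFFER = (bytes([2, 1, 6, 1]) + b"\x39\x03\xf3\x26" + b"\x00" * 4
         + ipaddress.IPv4Address("0.0.0.0").packed + ipaddress.IPv4Address("10.168.100.50").packed
         + ipaddress.IPv4Address("192.168.2.100").packed + ipaddress.IPv4Address("10.168.100.1").packed)

if __name__ == "__main__":
    target = dhcp_reply_target(OFFER)
    print(target, resolve("VR2", target))     # the Offer ends on VR1's own interface
    print(resolve("VR2", "10.168.100.2"))     # the host ping ends on a connected subnet
```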
03-26-2013 11:35 AM
Can you enable pre-parse match under packet captures and look at the counters again?
03-27-2013 01:14 AM
admin@Firewall1> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 139.941 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 191853 1370 info packet pktproc Packets received
pkt_sent 27 0 info packet pktproc Packets transmitted
pkt_outstanding 27 0 info packet pktproc Outstanding packet to be transmitted
pkt_alloc 15 0 info packet resource Packets allocated
session_allocated 2 0 info session resource Sessions allocated
session_installed 2 0 info session resource Sessions installed
flow_rcv_dot1q_tag_err 28 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 28 0 drop flow parse Packets dropped: invalid interface
flow_qos_pkt_enque 5 0 info flow qos Packet enqueued to QoS module
flow_host_pkt_rcv 1496 10 info flow mgmt Packets received from control plane
flow_host_pkt_xmt 22 0 info flow mgmt Packets transmitted to control plane
flow_host_service_allow 7 0 info flow mgmt Device management session allowed
appid_proc 2 0 info appid pktproc The number of packets processed by Application identification
dfa_sw 2 0 info dfa pktproc The total number of dfa match using software
aho_sw 5 0 info aho pktproc The total usage of software for AHO
ctd_pkt_slowpath 8 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 16
--------------------------------------------------------------------------------
admin@Firewall1> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 8.178 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 10218 1249 info packet pktproc Packets received
pkt_sent 2 0 info packet pktproc Packets transmitted
pkt_outstanding 2 0 info packet pktproc Outstanding packet to be transmitted
flow_rcv_dot1q_tag_err 1 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 1 0 drop flow parse Packets dropped: invalid interface
flow_host_pkt_rcv 82 10 info flow mgmt Packets received from control plane
flow_host_pkt_xmt 2 0 info flow mgmt Packets transmitted to control plane
flow_host_service_allow 2 0 info flow mgmt Device management session allowed
--------------------------------------------------------------------------------
Total counters shown: 8
--------------------------------------------------------------------------------
03-27-2013 05:48 AM
Other tests:
I configured a DHCP server responding on interface 10.168.0.0/16 (VR1).
Then I configured DHCP relay from interface 192.168.2.0/24 (VR2) to the DHCP server on VR1.
It works!
Is there some bug that does not correctly route packets from the new virtual routers to the default virtual router's IP interfaces?
The problem concerns only the firewall interface IP addresses and not the entire subnet.
03-27-2013 06:24 AM
Probably. Please open a case with support so that we can investigate to see if it's a bug.