easy question, routing problem

Hello,

thank you for your response.

>>So you have a setup like:

>>R1:

>>int1 172.16.10.0/24 (172.16.10.10)

>>int2 172.16.20.0/24 (172.16.20.10)

>>R2:

>>int1 172.16.20.0/24 (172.16.20.11)

>>How come your PA only have one interface setup?

It's just for the test. Normaly there is a additional pppoe interface.

>>Also if R1-int2 is attached to R2-int1 (either directly or through a switch) you wont need to setup any routing in R1 for it to send the packets the correct way. However R2 will need either a default route or a route for 172.16.10.0/24 which points back to >>the ip of R1-int2.

On R1 is not routing defined. On R2 I have defined a virtual router like this: destination - 172.16.10.0/24, interface - ethernet1, next hop - ip address 172.16.20.10

>>Also if you want the PA to respond to pings you need to create a management-profile where you select only "ping" and attach this management-profile to the interface with the particular subnet (R2-int1 in this case if the above list is correct).

I allowed the ping on the interface on R2, which I can check from the command line interface from R1. Here I can ping the R2. It must be a routing problem on the R2.

For your understanding, we want to do the following:

A pc on R1 int1 should have internet access. The R2 should make the access over pppoe. Therefore I need the backrouting from R2 int1 to R1 int1.

This is an existing network and at the moment we make the internet access with a bintec router, which should be replaced with the palo alto.

Regards

Joachim

1) Could you paste the "show ip route" of R1 aswell as "show routing" from R2 (login through CLI or SSH)?

2) Could you in R2 verify by looking at the traffic log that the ping from client at R1 arrives to your device?

As debug setup a rule in R2 which is similar to:

srczone: internal

dstzone: internal

srcip: <ip of client at R1>

dstip: 172.16.20.11

appid: any

service: any

options: log on session start, log on session end

if this is a live equipment then set action to deny otherwise, if possible, set it to allow (just during the debug - dont forget to remove this rule once you are done).

Then when you send a ping from client at R1 you should see this hit the R2 in its traffic logs.

Im thinking if the management profile only allows srcip from the same subnet as the interface is using (which could explain why a ping from R1 towards R2 works but not when client at R1 pings through R1).

A further debug is to setup a tcpdump on the link between R1 and R2 to verify that the icmp echo request actually do leave R1 and that the R2 responds with an icmp echo respond.

You could have some blocking ACL in R1 or that the client itself at R1 doesnt have its default route set to R1 but only a static route for this subnet (172.16.10.0/24) or for that matter a local firewall on the client which prohibits the client to send or receive these icmp packets.

>>1) Could you paste the "show ip route" of R1 aswell as "show routing" from R2 (login through CLI or SSH)?

R1

Destination IP      Address Netmask      Gateway           Interface           Metric           Type      Protocol  

172.16.10.0           255.255.255.0          172.16.10.10     LAN_EN1-0           0              Direct     Local  

172.16.20.0           255.255.255.0          172.16.20.10     LAN_EN1-4           0              Direct     Local

R2

admin@PA-200> show routing fib

total virtual-router shown :              1

--------------------------------------------------------------------------------

virtual-router name: Router01

interfaces:

   ethernet1/4 ethernet1/1

route table:

flags: u - up, h - host, g - gateway

maximum of fib entries for device:                 1000

number of fib entries for device:                  3

maximum of fib entries for this fib:               1000

number of fib entries for this fib:                3

number of fib entries shown:                       3

id      destination           nexthop            flags  interface          mtu

--------------------------------------------------------------------------------

81      172.16.10.0/24        172.16.20.10       ug     ethernet1/1        1500

80      172.16.20.0/24        0.0.0.0            u      ethernet1/1        1500

79      172.16.20.11/32       0.0.0.0            uh     ethernet1/1        1500

>> Then when you send a ping from client at R1 you should see this hit the R2 in its traffic logs.

I created a security rule which allows the traffic and I can see at the monitor:

>>Im thinking if the management profile only allows srcip from the same subnet as the interface is using (which could explain why a ping from R1 towards R2 works but not when client at R1 pings through R1).

It's not only the ping, the complete network traffic into the internet is not working, and therefore you don't need a management profile, and I don't get an error in the log files

>>A further debug is to setup a tcpdump on the link between R1 and R2 to verify that the icmp echo request actually do leave R1 and that the R2 responds with an icmp echo respond.

When I take pc instead of the palo alto, I get a ping reply, so I have to search the error on the palo alto.

>>You could have some blocking ACL in R1 or that the client itself at R1 doesnt have its default route set to R1 but only a static route for this subnet (172.16.10.0/24) or for that matter a local firewall on the client which prohibits the client to send or >>receive these icmp packets.

When I take pc instead of the palo alto, I get a ping reply, so I have to search the error on the palo alto.

regards

Joachim

The routing looks good and you have obviously connected R1 to the correct interface of R2 (otherwise this allowed traffic shouldnt be visible).

Regarding your security rules... do you in the bottom of this list have a rule such as:

srczone: any

dstzone: any

srcip: any

dstip: any

appid: any

service: any

options: log on session end

action: deny

If you do and still no blocked stuff shows up in traffic log I would expect some kind of layer1 fault.

Like bad cable or bad interface.

A "show interface ethernet1/1" (I dont remember if you need "hardware" in the end aswell to get the counters of if the counters is only available through "debug data-plane") would be interresting, also do the equal on R1.