I am at a complete loss as to what I am seeing. I have PA-3250s running 9.1.2 code in L3 mode. The interfaces are split up into 2 aggregated ethernet interfaces, each using subinterfaces (ae1.706, ae1.707, ae2.699, ae2.698, etc.). When looking at traffic logs I see my interfaces assigned to ae1.706 and ae1.707 sourcing traffic from my trust zone when they are in an untrust zone. A pcap confirms that the traffic is indeed being sourced and it is coming in on ae2.699! How in the world does this work? I am losing my mind.
Was this working prior to the upgrade to 9.1.2 as expected, or is this something that you are just trying to configure now?
Just to verify exactly what you are talking about; in your traffic logs you are currently seeing traffic with an ingress interface of your ae2.699 interface when you should be seeing the ingress interface of ae1.706 and ae1.707? Is that correct?
Since the traffic is actually coming in on a completely different AE and a completely separate group of interfaces, I would want to take a PCAP on the switch side of things and verify that the switch is routing the traffic as it should. The firewall will accept any traffic that comes in on a zone's assigned interfaces (one of the reasons we say never use 'any' in source/destination address) and accept and route the traffic according to your rulebase and routing statements. It really seems like something upstream is causing this issue if we're seeing the traffic ingress on an improper interface when you do the PCAP.
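To complement the PCAP suggestion above, here is a small triage script (an added example, not code from this thread or from Palo Alto Networks) that scans traffic-log rows for the symptom described: a source address that belongs to the subnet attached to one subinterface arriving on a different subinterface, and therefore being logged in that other interface's zone. The interface names are the ones from the question; the subnet-to-interface table, the zone labels and the log rows are constructed assumptions, and the CSV layout is a simplified stand-in rather than the real PAN-OS export format.

```python
import csv
import ipaddress
from io import StringIO

# Hypothetical zone/subnet binding per subinterface. Interface names come from the
# thread; every zone label and address range here is a constructed assumption.
INTERFACE_TABLE = {
    "ae1.706": ("untrust", "203.0.113.0/25"),
    "ae1.707": ("untrust", "203.0.113.128/25"),
    "ae2.699": ("trust", "10.99.0.0/24"),
    "ae2.698": ("trust", "10.98.0.0/24"),
}

# Constructed sample log rows in a simplified CSV shape (not the real PAN-OS format).
# Rows 2 and 4 reproduce the symptom: an "untrust" address ingressing on an ae2 subinterface.
SAMPLE_LOG = """src_zone,dst_zone,src_ip,dst_ip,inbound_if,outbound_if,action
trust,untrust,10.99.0.15,198.51.100.7,ae2.699,ae1.706,allow
trust,untrust,203.0.113.40,198.51.100.7,ae2.699,ae1.706,allow
untrust,trust,203.0.113.140,10.98.0.9,ae1.707,ae2.698,allow
trust,untrust,203.0.113.141,198.51.100.9,ae2.698,ae1.707,allow
"""


def expected_interface(src_ip):
    """Return the subinterface whose attached subnet contains src_ip, or None
    when the address is not on any directly attached subnet (routed traffic)."""
    ip = ipaddress.ip_address(src_ip)
    for ifname, (_zone, cidr) in INTERFACE_TABLE.items():
        if ip in ipaddress.ip_network(cidr):
            return ifname
    return None


def find_mismatches(log_text):
    """Return rows whose ingress interface differs from the interface that owns
    the source subnet. Such rows point at an upstream forwarding problem (or a
    spoofed source) rather than at the firewall's zone assignment, since the
    zone in the log follows the ingress interface."""
    mismatches = []
    for row in csv.DictReader(StringIO(log_text)):
        expected_if = expected_interface(row["src_ip"])
        if expected_if is None:
            continue  # not an attached subnet; nothing to compare against
        if expected_if != row["inbound_if"]:
            mismatches.append({
                "src_ip": row["src_ip"],
                "logged_if": row["inbound_if"],
                "logged_zone": row["src_zone"],
                "expected_if": expected_if,
                "expected_zone": INTERFACE_TABLE[expected_if][0],
            })
    return mismatches


def zone_consistency_errors(log_text):
    """Return rows where the logged source zone does not match the zone bound to
    the logged ingress interface. Normally empty: if it is not, the interface
    table in this script is out of date relative to the firewall config."""
    errors = []
    for row in csv.DictReader(StringIO(log_text)):
        bound = INTERFACE_TABLE.get(row["inbound_if"])
        if bound is not None and bound[0] != row["src_zone"]:
            errors.append(row)
    return errors


if __name__ == "__main__":
    for m in find_mismatches(SAMPLE_LOG):
        print(f"{m['src_ip']}: seen on {m['logged_if']} ({m['logged_zone']}), "
              f"expected {m['expected_if']} ({m['expected_zone']})")
    print(f"zone/interface table errors: {len(zone_consistency_errors(SAMPLE_LOG))}")
```

Run it against an exported traffic log (after adjusting the column names and the interface table to the real configuration) to get the short list of flows worth chasing in the switch-side capture. A hit here means the packet physically arrived on the wrong AE member or VLAN, which the firewall will then honour exactly as the reply describes.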