Firewall Unable to connect to ISP Router

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Firewall Unable to connect to ISP Router

L2 Linker

I m setting up a small office network where the endpoints are connecting to a switch that is in turn trunked to a PA220 Firewall . The firewall external interface is configured with a static IP address within the same range as the ISP IP router .

However it appears that neither the ISP router or the Palo can receive arp entries off each other let alone ping each other

The ISP provider has also confirmed the internet connectivity is working fine .

Can anyone  please advise ?

 

Thanks 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @HassanThiam ,

 

I am glad the Internet is working now.  If my answer helped you get the ping working, please accept it as the solution.

 

With regard to the VPN, we would be glad to help on this thread, but technically it is a different topic.

 

A good place to start with IPsec is the green lights under Network > IPSec Tunnels, and Monitor > Logs > System.  As @Raido_Rattameister mentioned, NO_PROPOSAL_CHOSEN means the crypto settings do not match and the tunnel is not up.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

9 REPLIES 9

Cyber Elite
Cyber Elite

If you configure same public IP and gateway on your laptop and connect ISP cable directly to laptop can you get to internet or see arp from ISP?

If yes we can help you troubleshoot Palo.

If not then ISP needs to check their config.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi 

 

Thanks for the feedback .  Unfortunately at the time, I was unable to configure  my laptop IP address and Gateway because of admin restrictions ( working to get elevated privileges at the moment ) . The ISP sent an engineer onsite to check internet reachability  and he confirmed connectivity to the ISP default gateway by plugging a device directly into the router .What are the sort of config that could prevent the firewall from seeing the router ? 

 

Thanks 

 

Cyber Elite
Cyber Elite

ISP provides connectivity over access port right (not tagged/trunk port)?

Ask ISP if speed/duplex is set to auto/auto or if they have hardcoded those settings.

If second option you need to match your side.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi 

 

I will enquire with the ISP about the speed/duplex settings , I would have thought they will be set to auto 

Yes the connectivity is provided through an access port  . As per the attached topology the firewall connect to an Onsite router that only function in bridge mode with so  layer 3 communication is between the firewall and the aggregate router .

The ISP engineer  that  visited the site confirmed the Internet was working by plugging a portable device into the Onsite router ( LAN 1) and could get to the ISP Aggregate  Router using IP addresses within the same range .

Let me know if you have any further suggestions 2023-01-17 17_43_57-WAN - diagrams.net.png


Thanks in advance 

 

 

 

Good Morning ,

 

I can now confirm I have Internet connectivity but I have set up a VPN with an ASA that s not coming up . The outside interface of the Palo is up and can ping the ASA outside interface .

 

Any advice will be greatly appreciated 

 

Thanks

Cyber Elite
Cyber Elite

Hi @HassanThiam ,

 

  1. Do you have an interface profile applied to your interface connected to the ISP that allows pings?
    1. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMmCAK
    2. Otherwise pings will not be allowed, and an ARP request will not be sent.
  2. Do you source your pings from the IP applied to the interface connected to the ISP?
    1. https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-ping-from-the-cli/ba-p/468784
    2. Otherwise the pings will be sourced from the management IP address.
    3. Again, no ARP request will be sent out the ISP interface.
  3. Do you see the pings in the traffic logs (Monitor > Logs > Traffic)?
    1. Pings from an interface will be allowed by the intrazone-default rule.
    2. Logging will need to be enabled on the rule.  https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-pra...
    3. You can also enable logging on the interzone-default rule.  Then you should see all IP traffic through the data plane, allowed or dropped.
    4. Logs confirm the NGFW is attempting to send pings.
  4. Have you verified the NGFW is not receiving ARP by using the "show arp" command on the CLI?
    1. You should see a MAC address (received) or incomplete (not received).
    2. The incomplete times out fairly quickly.  The command needs to be run as soon as the ping is done.

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom 

 

Thanks for the feedback .

  1. Do you have an interface profile applied to your interface connected to the ISP that allows pings?
    1. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMmCAK
    2. Otherwise pings will not be allowed, and an ARP request will not be sent.
    3. Yes I do have an interface management profile that accept pings 
  2. Do you source your pings from the IP applied to the interface connected to the ISP?
    1. https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-ping-from-the-cli/ba-p/468784
    2. Otherwise the pings will be sourced from the management IP address.
    3. Again, no ARP request will be sent out the ISP interface.
    4. When I source it from the Management interface it doesn't work but works from the NGFW outside interface 
  3. Do you see the pings in the traffic logs (Monitor > Logs > Traffic)?
    1. Pings from an interface will be allowed by the intrazone-default rule.
    2. Logging will need to be enabled on the rule.  https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-pra...
    3. You can also enable logging on the interzone-default rule.  Then you should see all IP traffic through the data plane, allowed or dropped.
    4. Logs confirm the NGFW is attempting to send pings.
    5. Yes I can see the pings from the traffic logs 
  4. Have you verified the NGFW is not receiving ARP by using the "show arp" command on the CLI?
    1. You should see a MAC address (received) or incomplete (not received).
    2. The incomplete times out fairly quickly.  The command needs to be run as soon as the ping is done.
    3. To be confirmed

As per the topology I can t get the tunnel to the ASA working although the IKE parameters seem to match . The outside interface of the Palo can ping the ASA though . From an  ASA perspective I can t see nothing on the logs  . 

This s the message I get from the NGFW .

 

HassanThiam_0-1674207833875.png

 

Any help will be greatly appreciated 

 

Thanks 

 

 

Cyber Elite
Cyber Elite

Crypto settings don't match.

Do you manage ASA side as well to check config?

"show vpn-sessiondb detailed l2l" is helpful to use on ASA side.

If you can't get this info then next step is to turn Palo side to passive mode and figure out what ASA is negotiating with using packet capture.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Hi @HassanThiam ,

 

I am glad the Internet is working now.  If my answer helped you get the ping working, please accept it as the solution.

 

With regard to the VPN, we would be glad to help on this thread, but technically it is a different topic.

 

A good place to start with IPsec is the green lights under Network > IPSec Tunnels, and Monitor > Logs > System.  As @Raido_Rattameister mentioned, NO_PROPOSAL_CHOSEN means the crypto settings do not match and the tunnel is not up.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 5799 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!