GlobalProtect expand IP Pool


L3 Networker

We have an existing GP setup and it's working, but the IP Pool is set to a range of IPs 192.168.10.10-192.168.10.100 instead of a subnet 192.168.10.0/24.

I want to either expand the range or change it to a subnet.

I tested this by expanding the range to 192.168.10.5-192.168.10.150, but clients that got an address in the newly expanded range, e.g. 192.168.10.125, were having trouble with network traffic like connecting to internal DNS.

I looked at traffic logs, etc., but nothing stood out as the issue.

Are there other places in the config I need to change the range or commands I need to run?

Policies already allow by zone. Routing is already configured to use the /24 subnet.
I did see traffic being allowed, but maybe replies weren't being routed correctly back to the expanded range?

Maybe a routing table issue?


3 REPLIES

Cyber Elite

Hello,

 

That should be the only spot where you should have to specify the IP range. It sounds like it's possible you may not have a return route on an upstream device (or maybe you have multiple VRs and they don't have a route between each other for the new network). I would next look at doing a packet capture on the Palo to see if you are getting return traffic at all. If you are and it's being dropped, I would then check the global counters to see why it's being dropped. How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Netw...

L6 Presenter

@MikeSangray2019 wrote:

We have an existing GP setup and it's working, but the IP Pool is set to a range of IPs 192.168.10.10-192.168.10.100 instead of a subnet 192.168.10.0/24.

I want to either expand the range or change it to a subnet.

I tested this by expanding the range to 192.168.10.5-192.168.10.150, but clients that got an address in the newly expanded range, e.g. 192.168.10.125, were having trouble with network traffic like connecting to internal DNS.

I looked at traffic logs, etc., but nothing stood out as the issue.

Are there other places in the config I need to change the range or commands I need to run?

Policies already allow by zone. Routing is already configured to use the /24 subnet.
I did see traffic being allowed, but maybe replies weren't being routed correctly back to the expanded range?

Maybe a routing table issue?

Sounds like it could be a routing issue. What type of routing are you doing, static or dynamic? After you changed your GP IP pool did you update your routing for the previous IP pool to include the new network space? You would potentially need to update the route in multiple areas on the firewall or even outside the FW if you're using static routing.

L3 Networker

I found the issue. We had legacy config that included other GP Gateways and IP Pools. One of the pools had an overlapping IP range, so any client that received an IP from the new gateway in the overlapping portion of the range would still connect and get an IP, but traffic wouldn't flow. Removed the old gateway config and it's working fine now.
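The two failure modes raised in this thread, a legacy gateway pool that overlaps the expanded one (the accepted solution) and a route that does not cover the whole expanded pool (the earlier replies), are both easy to check offline once the pool definitions are pulled out of the configuration. The script below is an added example, not part of the original post and not Palo Alto Networks code; it accepts pool entries in the two forms a PAN-OS gateway client IP pool takes (a CIDR or a dash-separated range), reports every pair of pools that share addresses across or within gateways, and counts how many addresses of a pool fall outside a given list of routes. Gateway names, the legacy pool, and the route list are constructed to mirror the thread, not taken from any real configuration.

```python
"""Offline sanity checks for GlobalProtect gateway IP pools.

Constructed example, not Palo Alto Networks code. Pool entries use the two
forms a PAN-OS gateway client IP pool accepts: a CIDR such as
"192.168.10.0/24" or a range such as "192.168.10.10-192.168.10.100".
"""
import ipaddress
from itertools import combinations


def parse_pool(entry):
    """Return (first, last) IPv4Address for a CIDR or 'a-b' range string."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range {entry} is reversed")
        return lo, hi
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]


def find_overlaps(gateways):
    """gateways: {gateway_name: [pool_entry, ...]}.

    Returns one tuple (gw_a, entry_a, gw_b, entry_b, first_shared, last_shared)
    per pair of pools that share at least one address. Pools on different
    gateways are compared too, which is the case the thread ran into: a
    client can be handed an address that a second, forgotten gateway also
    hands out, and return traffic then has two possible owners.
    """
    flat = [(gw, e, *parse_pool(e))
            for gw, entries in gateways.items() for e in entries]
    overlaps = []
    for (gw_a, e_a, lo_a, hi_a), (gw_b, e_b, lo_b, hi_b) in combinations(flat, 2):
        lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
        if lo <= hi:  # intervals intersect
            overlaps.append((gw_a, e_a, gw_b, e_b, str(lo), str(hi)))
    return overlaps


def uncovered_addresses(pool_entry, routes):
    """Count addresses in pool_entry that no CIDR in `routes` covers.

    Pools are small, so walking them address by address is cheap and keeps
    the logic obvious. A non-zero result means return traffic for part of the
    pool has no route back to the gateway.
    """
    lo, hi = parse_pool(pool_entry)
    nets = [ipaddress.ip_network(r, strict=False) for r in routes]
    missing = 0
    addr = lo
    while addr <= hi:
        if not any(addr in n for n in nets):
            missing += 1
        addr += 1
    return missing


# Constructed data mirroring the thread: the expanded pool on the active
# gateway, a legacy gateway nobody remembered, and an unrelated third pool.
# Gateway names are hypothetical.
EXAMPLE_GATEWAYS = {
    "gp-gateway-new": ["192.168.10.5-192.168.10.150"],
    "gp-gateway-legacy": ["192.168.10.120-192.168.10.200"],
    "gp-gateway-branch": ["192.168.11.0/24"],
}
# Constructed route tables: the one the poster described, and a too-narrow one.
FULL_ROUTES = ["192.168.10.0/24"]
NARROW_ROUTES = ["192.168.10.0/25"]  # covers .0-.127 only


def report(gateways, routes):
    """Human-readable findings for the given pools and routes."""
    lines = []
    for gw_a, e_a, gw_b, e_b, lo, hi in find_overlaps(gateways):
        lines.append(f"OVERLAP {gw_a} [{e_a}] and {gw_b} [{e_b}]: {lo}-{hi}")
    for gw, entries in gateways.items():
        for e in entries:
            n = uncovered_addresses(e, routes)
            if n:
                lines.append(f"NO ROUTE for {n} address(es) of {gw} [{e}]")
    return lines or ["no overlaps, all pool addresses routed"]


if __name__ == "__main__":
    print("\n".join(report(EXAMPLE_GATEWAYS, FULL_ROUTES)))
```

Run against the constructed data, the report flags the legacy pool overlapping the new one on 192.168.10.120-192.168.10.150, which is where the poster's 192.168.10.125 client sat; swapping in NARROW_ROUTES additionally flags the 23 addresses .128-.150 that a /25 route would leave unreachable.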
