Internet Outage Occurs After Migration - All Packets Aging-out


L1 Bithead

Hi,

 

I am working on a Palo Alto Networks Firewall migration project. I exported and imported the configuration with a few errors that I fixed while migrating from the old to the new PA-3220 firewalls. All internal communications with LDAP and other servers are working and the routing protocols are coming up internally and externally. I can also ping the default gateway of the ISP from the outside interface of the new Firewall, but the internet is totally down. I checked the traffic under monitor and found that all the packets are aging-out although they are all allowed.

 

I do have a default gateway set up and a default route towards the gateway; I checked the ARP and the routing table looks fine. What is the issue? Anybody, please?

1 accepted solution

Accepted Solutions

Hi All,

It was nothing but the ARP cache on the Service Provider side. There was another switch between the Palo Alto Networks Firewall and the ISP router. The ARP cache that I was getting on the firewall was from the switch, not from the actual ISP router. The issue was immediately fixed upon clearing the ARP cache.


L4 Transporter

Did you check your Source NAT policy to make sure that the packets are getting the correct Public IP Address before hitting the Internet?

Yes! Security Policy and NAT rules are working according to the monitor tab. I see packets sent but 0 packets received.

Hello,

Hopefully you have this corrected already. However, unplug the external interface for a few minutes to see if the ISP can clear their ARP. Or just call them and see if they see traffic and if they can clear the ARP tables.

 

Regards,

I did [show arp all] and found the ISP router gateway IP address has a proper ARP cache. I also did a traceroute, but found a couple of hops after the gateway are not being properly resolved; instead of an IP address there was ***, which indicates an ARP cache issue at those nodes. It is still not solved, I am following that closely.

Cyber Elite

@PAN-Bariz2020 Check under the Source NAT rule if the translation type is selected as Dynamic IP And Port, not Dynamic IP only. This will create an issue if the other option is selected.

 

Mayur


Dynamic IP And Port is selected; some of them also have the bi-directional option checked.

@PAN-Bariz2020 

 

1> Did you check in the traffic logs that traffic is getting NATed to the public IP address?

2> You do not need the bi-directional option checked if you are only allowing users to access the Internet using the Outside Interface IP.

3> Also check which rule it hits when you can successfully ping and compare it with the non-working security rule.

4> Use the test nat command:

 

test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source ip  destination ip  destination-port 443

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.

Thank You.
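One way to check steps 1 and 3 across a whole traffic-log export instead of one session at a time, as an added example (not code from this thread or from Palo Alto Networks): the CSV layout and column names below are simplified assumptions, and the log lines are constructed. Allowed sessions that age out with zero packets received are counted per NAT source IP; a high ratio means the firewall is sending but nothing returns, which points at the path beyond the firewall (upstream ARP or routing) rather than at policy.

```python
"""Summarise allowed-but-unanswered sessions from traffic-log CSV lines."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample in a simplified CSV layout; the column names are an
# assumption for this example, not the exact PAN-OS traffic-log export format.
SAMPLE_LOG = """\
src,dst,natsrc,action,session_end_reason,pkts_sent,pkts_received
10.1.1.10,142.250.80.46,203.0.113.5,allow,aged-out,4,0
10.1.1.11,93.184.216.34,203.0.113.5,allow,aged-out,6,0
10.1.1.12,198.51.100.20,203.0.113.5,allow,tcp-fin,12,10
10.1.1.10,10.1.2.5,,allow,tcp-fin,20,18
10.1.1.13,198.51.100.77,203.0.113.5,allow,aged-out,3,0
10.1.1.14,198.51.100.90,203.0.113.5,deny,policy-deny,1,0
"""


def analyse(log_text):
    """Return {nat_ip: (aged_out_with_no_reply, allowed_sessions)}.

    Sessions with no NAT source are grouped under "no-nat" so internal
    (non-translated) traffic can be compared against Internet-bound traffic.
    """
    no_reply = Counter()
    total = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "allow":
            continue  # denied sessions never get a reply; not a symptom
        key = row["natsrc"] or "no-nat"
        total[key] += 1
        if row["session_end_reason"] == "aged-out" and int(row["pkts_received"]) == 0:
            no_reply[key] += 1
    return {k: (no_reply[k], total[k]) for k in total}


def suspect_blackhole(stats, threshold=0.5):
    """NAT IPs whose allowed sessions mostly aged out without any return packet."""
    return sorted(k for k, (bad, n) in stats.items() if n and bad / n >= threshold)


if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    for nat_ip, (bad, n) in stats.items():
        print(f"{nat_ip}: {bad}/{n} allowed sessions aged out with 0 packets received")
    print("suspect upstream path for:", suspect_blackhole(stats))
```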

 

I had performed those steps on the first failure and did not find any issue. I believe there might be a VRF issue from the ISP site. I will be able to get back on this next week.

@PAN-Bariz2020 

 

Thanks for the update.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
