08-19-2021 09:55 AM
Hi Team,
We are facing an issue where OSPF is not working properly over the firewall. The configuration part seems fine; we checked it against the document given below.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS
All the configuration for HA is configured as per above given document.
We checked with the configuration of OSPF as per below document which is fine.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEECA0
We checked the ping status from the firewall, but the packet is not reaching the neighbor device, and we are also not able to see it in the Monitor tab.
But on the other hand, from the peer device we are able to see ping happening to the core device, which is the neighbor.
Also, we cannot find neighbor details in the OSPF tab. There is no LACP configured on any aggregate interface.
Please provide your output at the earliest to sort this out.
08-19-2021 08:17 PM
You are not getting ping responses and the neighbor is not up. These are the root issues. You should see the traffic, permit or deny, in the Monitor tab. This traffic should be allowed by the intrazone-default rule. Have you configured that rule to log at session end?
08-20-2021 01:35 AM
Yes, we have enabled log at session end. But we are able to see the ping happening from one PA device, which is the active one.
Later, while pinging the neighbor from the passive device after making the passive active, we are not able to find any ping or deny rule in the monitor logs.
08-20-2021 01:36 AM
The neighbor is up and pingable with one PA device but not using the other PA device.
08-20-2021 11:05 AM
Hello,
So your HA is Active/Passive? If yes then the passive device will never establish an adjacency. This is because the passive device has its interfaces in a down state.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK
Regards,
08-21-2021 06:11 AM
Excellent point. It also makes sense that you cannot source a ping from the data interfaces on the standby since the IP addresses are active on the active. So, the standby never sends out a ping which is why it is not logged.
08-22-2021 11:29 PM
Yes, that I agree. When I change the passive to active and the active to passive, the current active device is not getting the OSPF neighbor device details.