I have tried a lot, and at this point I think I just must be missing something obvious that for whatever reason won't come to mind. From the PA3050 I cannot ping outbound from the public IP. When I run captures, all outbound traffic is in the dropped stage. There is no network functionality at all, and I am unable to find the issue.
Security Config
NAT Config
Thank you so much for the help, but I fixed it all! It was some issues with subnetting and a few with routing, but I worked them all out. I would go into detail, but it was in no way related to NAT or security.
Assuming that your public IP is 1.2.3.4
If you want to ping Google DNS then command would be:
> ping source 1.2.3.4 host 8.8.8.8
As you don't have an External zone to External zone rule, this traffic will match the intrazone-default policy.
By default those policies don't log.
Click on intrazone-default and then override at the bottom.
Open intrazone-default policy and check "Log at Session End" on Actions tab to gain visibility.
Do the same with interzone-default.
Do you now see blocked sessions in Traffic log?
I am aware of how to ping, but it's just not working. I enabled logging on even more of the security policies and saw what I have seen before in the traffic tab. Connections seem to never complete; they always age out and the application is left incomplete. I am unsure of where to go from here, as this issue has left me quite confused. Whether it is an issue with NAT, security, or some other rule, I need some help sorting this out.
Edit: Removed network's public IP and replaced it with a red square.
Last screenshot shows only sessions from internet towards your public IP.
No log of you initiating sessions from inside to internet or ping from firewall public ip to internet.
Also none of those incoming sessions match to your NAT policies.
They don't match mine, but they match intrazone, which should let them through, right? Or due to intrazone being intra, would it block it from finishing the session with the external host? Also sorry, but the results are the same internally as well.
Can you add "packets sent" and "packets received" columns to the view?
Ping and DNS can be identified from the first packet that is sent from client to server, so from the screenshot it is unclear if you receive any traffic back.
Also add "NAT Source IP" and verify if SNAT is applied to outgoing traffic and that you see your public IP in this column.
Src Internal
Src External
Weird. SNAT is applied.
Edit: Do you have correct Next Hop IP in virtual router? Can you ping next hop from fw external IP?
Can you click on magnifying glass or add egress interface column to verify that traffic is sent towards correct interface?
Under Network > Zones check if only one outside interface is in the External-Zone zone.
In cli add filter:
> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear filter all
> debug dataplane packet-diag set filter match source 8.8.8.8
> debug dataplane packet-diag set filter match destination 8.8.8.8
Run the following command a few times and check if severity is drop anywhere.
It will show what happened to traffic to and from 8.8.8.8 between the times you ran the command (filter delta yes).
> show counter global filter delta yes packet-filter yes
Clean up filter
> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear filter all
Last step would be to go with flow basic
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS9CAK
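The counter output from the procedure above is a wide text table, and the point is to spot rows whose severity is "drop" with a non-zero delta. This is an added helper, not part of the thread or a Palo Alto tool: it parses a constructed sample shaped like the table "show counter global filter delta yes packet-filter yes" prints (the counter names and values in the sample are illustrative, not captured from a real firewall) and returns only the drop counters that incremented.

```python
import re
from typing import Dict, List

# Constructed sample resembling the counter table printed by
# "show counter global filter delta yes packet-filter yes".
# Counter names, values and descriptions are illustrative only.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 8.214 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                  16        1 info      packet    pktproc   Packets received
pkt_sent                                   0        0 info      packet    pktproc   Packets transmitted
session_allocated                          4        0 info      session   resource  Sessions allocated
flow_fwd_l3_noarp                         16        1 drop      flow      forward   Packets dropped: no ARP
--------------------------------------------------------------------------------
Total counters shown: 4
--------------------------------------------------------------------------------
"""

# One counter row: name, integer value, integer rate, severity, category,
# aspect, then a free-text description. Header, separator and summary lines
# fail the numeric value/rate groups and are skipped.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)


def parse_counters(text: str) -> List[Dict[str, str]]:
    """Return one dict per counter row found in the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def drop_counters(text: str) -> Dict[str, int]:
    """Map counter name -> delta value for rows with severity 'drop' and value > 0."""
    return {
        r["name"]: int(r["value"])
        for r in parse_counters(text)
        if r["severity"] == "drop" and int(r["value"]) > 0
    }


if __name__ == "__main__":
    for name, value in drop_counters(SAMPLE_OUTPUT).items():
        print(f"{name}: {value}")
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) between two runs of the command; a drop counter that keeps climbing while the session log shows no packets received points at the stage where traffic is being lost.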
I'll hold off on the CLI commands just so I can confirm with you: the next hop is not reachable from the Palo Alto even when running "ping source <pub ip on extern zone> host <next hop ip>".
> ping source <external ip> host <next hop>
> show arp ethernet1/1 (assuming 1/1 is your external interface).
The next hop might have ping disabled, but IP to MAC resolution should still work.
If the MAC is not there, then ask your ISP what the correct next hop is.