PA3050 can't ping next hop and has dropped all client traffic heading outbound.

L2 Linker

Also, yes, egress is correct.

L2 Linker

Ping is not disabled, and ARP is incomplete on resolving. I recall seeing in either receive or drop packet captures, ARP packets defining what the next hop's MAC was. Also another thing to note is my interface is an eth channel, but this issue was happening before as well.

L7 Applicator

If you disconnect Palo, connect cable to laptop, configure same IP and default gw IP to laptop, can you ping next hop and get connectivity to internet?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L7 Applicator

So you have more than 1 cable to ISP and you have configured aggregated interface?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L2 Linker

In regards to the dual link, in simplest terms, yes. However, in reality we own a /28 range and have a central router for just this range. From that router we have 2 links to a firewall plugged in for production networks, and another 2 links to the palo alto. Both of these firewalls have different public IPs.

As for the laptop, I will try that tomorrow as currently I am out of the office. I have remote access to test other ideas, but as for physical changes, I cannot work on those now.

L7 Applicator

Have you enabled LACP on ae.x interface in Palo?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L2 Linker

Yes and on both routers both links are active and LACP established the bond. Like I said, the issue was happening before the AE, so I doubt it has any influence on my issues here.

L2 Linker

Did the test as you recommended, disabled LACP and did a direct L3 on the Palo Alto to my laptop. No client packets or pings from source 67.107.166.142 made it outbound. It's like the firewall isn't routing or has some setting blocking it from talking.

L7 Applicator

debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all

debug dataplane packet-diag set filter match source 67.107.166.142
debug dataplane packet-diag set filter match destination 67.107.166.142

debug dataplane packet-diag set filter on

show counter global filter delta yes packet-filter yes

ping source 67.107.166.142 host <ip of your laptop>

show counter global filter delta yes packet-filter yes

Now post here output of the last show counter global result.

And then to clean up:

debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L2 Linker

Thank you so much for the help, but I fixed it all! It was some issues with subnetting and a few with routing, but worked them all out. I would go in detail, but it was in no way related to nat or security.
