PA3050 cant ping next hop and has dropped all client traffic heading outbound.



I have tried a lot, and at this point I think I just must be missing something obvious that for whatever reason won't come to mind. From the PA3050 I cannot ping outbound from the public IP. When I run captures, all outbound traffic is in the dropped stage. There is no network functionality at all, and I am unable to find the issue.

 

[Screenshots attached: Security Config, NAT Config]

Accepted Solution

Thank you so much for the help, but I fixed it all! It was some issues with subnetting and a few with routing, but I worked them all out. I would go into detail, but it was in no way related to NAT or security.


19 Replies

Cyber Elite

Assuming that your public IP is 1.2.3.4

If you want to ping Google DNS then command would be:

> ping source 1.2.3.4 host 8.8.8.8

 

As you don't have an External zone to External zone rule, this traffic will match the intrazone-default policy.

By default those policies don't log.

Click on intrazone-default and then override at the bottom.

Open intrazone-default policy and check "Log at Session End" on Actions tab to gain visibility.

Do the same with interzone-default.

 

Do you now see blocked sessions in Traffic log?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I am aware of how to ping, but it's just not working. I enabled logging on even more of the security policies and saw what I have seen before in the Traffic tab. Connections seem to never complete and they always age out, and the application is left incomplete. I am unsure of where to go from here as this issue has left me quite confused. Whether it is an issue with NAT, Security, or some other rule, I need some help sorting this out.

 

Edit: Removed network's public IP and replaced it with a red square.

 

private.png

Last screenshot shows only sessions from internet towards your public IP.

No log of you initiating sessions from inside to internet or ping from firewall public ip to internet.

 

Also none of those incoming sessions match to your NAT policies.


They don't match mine, but they match intrazone, which should let them through, right? Or due to intrazone being intra, would it block it from finishing the session with the external host? Also sorry, but the results are the same internally as well.

 

Screen Shot 2019-04-03 at 2.24.52 PM.png

Can you add "packets sent" and "packets received" columns to the view?

Ping and DNS can be identified from the first packet that is sent from client to server, so from the screenshot it is unclear if you receive any traffic back.

Also add "NAT Source IP" and verify if SNAT is applied to outgoing traffic and that you see your public IP in this column.


Src Internal

Screen Shot 2019-04-03 at 3.32.37 PM.png

Src External

 

Screen Shot 2019-04-03 at 2.47.54 PM.png

Weird. SNAT is applied.

 

Edit: Do you have correct Next Hop IP in virtual router? Can you ping next hop from fw external IP?

 

Can you click on magnifying glass or add egress interface column to verify that traffic is sent towards correct interface?

Under Network > Zones check if only one outside interface is in the External-Zone zone.

 

In CLI add filter:

> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear filter all
> debug dataplane packet-diag set filter match source 8.8.8.8
> debug dataplane packet-diag set filter match destination 8.8.8.8
> debug dataplane packet-diag set filter on

 

Run the following command a few times and check if severity is drop anywhere.

It will show what happened to traffic to and from 8.8.8.8 between the times you ran the command (filter delta yes).

> show counter global filter delta yes packet-filter yes

 

Clean up filter

> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear filter all

 

The last step would be to go with flow basic:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS9CAK

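The "check if severity is drop anywhere" step above is easy to miss by eye when the counter table is long. The following script, added here as an example and not code from the original post or from Palo Alto Networks, parses the table that `show counter global filter delta yes packet-filter yes` prints and keeps only drop-severity counters that actually incremented in the interval. SAMPLE_OUTPUT is constructed to mimic the CLI layout; the counter names, values and descriptions in it are illustrative, not a real capture.

```python
"""Scan PAN-OS 'show counter global filter delta yes packet-filter yes'
output for counters of severity 'drop'.

Added example for this thread, not code from the original post or from
Palo Alto Networks.  SAMPLE_OUTPUT is constructed to mimic the table the
CLI prints; counter names, values and descriptions are illustrative.
"""
import re
from dataclasses import dataclass


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# Constructed sample: one 'delta yes' interval while pinging 8.8.8.8 from the
# firewall's external IP with the next hop never resolving.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 4.913 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_sent                                   4        0 info      packet    pktproc   Packets transmitted
flow_arp_pkt_req                           4        0 info      flow      arp       ARP requests sent
flow_fwd_l3_noarp                          4        0 drop      flow      forward   Packets dropped: no ARP
flow_action_close                          0        0 drop      flow      pktproc   TCP sessions closed via injecting RST
--------------------------------------------------------------------------------
Total counters shown: 4
--------------------------------------------------------------------------------
"""

# One data row: name, value, rate, severity, category, aspect, free-text description.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+)$"
)


def parse_counters(text: str) -> list[Counter]:
    """Return every data row; header, rule and summary lines do not match
    ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append(Counter(
            name=m["name"], value=int(m["value"]), rate=int(m["rate"]),
            severity=m["severity"], category=m["category"],
            aspect=m["aspect"], description=m["description"].strip(),
        ))
    return rows


def drop_counters(counters: list[Counter], min_value: int = 1) -> list[Counter]:
    """Drop-severity counters that actually fired in the interval. With
    'delta yes' a value of 0 means the counter did not move, so it is noise."""
    return [c for c in counters if c.severity == "drop" and c.value >= min_value]


def summarize(text: str) -> list[tuple[str, int, str]]:
    """(name, value, description) for each real drop in one CLI sample."""
    return [(c.name, c.value, c.description)
            for c in drop_counters(parse_counters(text))]


if __name__ == "__main__":
    for name, value, desc in summarize(SAMPLE_OUTPUT):
        print(f"{name:<28} {value:>6}  {desc}")
```

Paste each run of the command into `summarize()` (or pipe the CLI output in) and compare the surviving counter names across runs; a drop counter that climbs in step with your pings is the one to read up on, and in the sample it points at ARP rather than at a NAT or security rule.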

I'll hold off on the CLI commands just so I can confirm with you: next hop is not reachable from the Palo Alto even when running "ping source <pub ip on extern zone> host <next hop ip>"

> ping source <external ip> host <next hop>

> show arp ethernet1/1 (assuming 1/1 is your external interface).

 

Next hop might have ping disabled, but IP-to-MAC resolution should still work.

If the MAC is not there, then ask your ISP what the correct next hop is.

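The ARP check above, together with the accepted answer's note that the real cause was subnetting and routing, can be turned into a small triage. The script below is an added example, not code from the original post or from Palo Alto Networks: it parses `show arp <interface>` output, reports whether the next hop's entry is complete, incomplete or absent, and also checks that the next hop lies inside the external interface's own subnet, since a gateway outside that subnet can never be ARPed for. SAMPLE_ARP is constructed to mimic the PAN-OS ARP table layout; the addresses are from the RFC 5737 documentation range, and ethernet1/1 with a /28 mask is assumed to be the external interface, as the thread's /28 suggests.

```python
"""Check a firewall's next hop from 'show arp <interface>' output and the
external interface's own subnet.

Added example for this thread, not code from the original post or from
Palo Alto Networks.  SAMPLE_ARP is constructed to mimic the PAN-OS ARP
table layout (status codes s/c/e/i as in its legend); addresses are from
the RFC 5737 documentation range and the /28 on ethernet1/1 is assumed.
"""
import ipaddress
import re

STATUS = {"s": "static", "c": "complete", "e": "expiring", "i": "incomplete"}

# Constructed sample: the ISP gateway .1 never answers, a neighbour .5 does.
SAMPLE_ARP = """\
maximum of entries supported :     1500
default timeout:                   1800 seconds
total ARP entries in table :       2
total ARP entries shown :          2
status: s - static, c - complete, e - expiring, i - incomplete

interface             ip address       hw address            port             status   ttl
--------------------------------------------------------------------------------
ethernet1/1           203.0.113.1      00:00:00:00:00:00     ethernet1/1      i        0
ethernet1/1           203.0.113.5      00:1b:17:00:01:10     ethernet1/1      c        1769
"""

# One table row: interface, IPv4, MAC, port, one-letter status, ttl.
ARP_ROW_RE = re.compile(
    r"^(?P<interface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<port>\S+)\s+"
    r"(?P<status>[scei])\s+(?P<ttl>\d+)$",
    re.IGNORECASE,
)


def parse_arp(text: str) -> dict[str, dict]:
    """Map IP -> {interface, mac, status, ttl}; legend and header lines do
    not match ARP_ROW_RE and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line.strip())
        if m:
            table[m["ip"]] = {
                "interface": m["interface"],
                "mac": m["mac"].lower(),
                "status": STATUS[m["status"].lower()],
                "ttl": int(m["ttl"]),
            }
    return table


def next_hop_arp_state(arp_text: str, next_hop: str) -> str:
    """'complete', 'static', 'expiring', 'incomplete', or 'absent' (no entry,
    i.e. the firewall never even tried to resolve it)."""
    entry = parse_arp(arp_text).get(next_hop)
    return entry["status"] if entry else "absent"


def next_hop_in_interface_subnet(interface_cidr: str, next_hop: str) -> bool:
    """A next hop outside the interface's own subnet is never ARPed for; this
    is one way a subnetting error like the one in the accepted answer shows up."""
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(next_hop) in iface.network


def triage(arp_text: str, interface_cidr: str, next_hop: str) -> list[str]:
    """Findings that explain why outbound traffic dies before leaving the box."""
    findings = []
    net = ipaddress.ip_interface(interface_cidr).network
    if not next_hop_in_interface_subnet(interface_cidr, next_hop):
        findings.append(
            f"next hop {next_hop} is outside {net}: fix the interface mask "
            f"or confirm the gateway address with the ISP")
    state = next_hop_arp_state(arp_text, next_hop)
    if state in ("incomplete", "absent"):
        findings.append(
            f"ARP for {next_hop} is {state}: the gateway is not answering on "
            f"this link; test the link with a laptop using the same IP and gateway")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ARP, "203.0.113.4/28", "203.0.113.1"):
        print("-", finding)
```

Run `triage()` with the firewall's real interface address in CIDR form and the virtual router's configured next hop: an "outside" finding means the problem is configuration on the firewall side, while an "incomplete" finding with a correct subnet points at the cable, the aggregate, or the upstream router, which is exactly what the laptop test in the next reply isolates.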

Also, yes, egress is correct.

Ping is not disabled, and ARP is incomplete on resolving. I recall seeing, in either the receive or drop packet captures, ARP packets defining what the next hop's MAC was. Also, another thing to note is my interface is an eth channel, but this issue was happening before as well.

If you disconnect Palo, connect cable to laptop, configure same IP and default gw IP to laptop can you ping next hop and get connectivity to internet?


So you have more than 1 cable to ISP and you have configured aggregated interface?


In regards to the dual link, in simplest terms, yes. However, in reality we own a /28 range and have a central router for just this range. From that router we have 2 links to a firewall plugged in for production networks, and another 2 links to the Palo Alto. Both of these firewalls have different public IPs.

 

As for the laptop, I will try that tomorrow as currently I am out of the office. I have remote access to test other ideas, but as for physical changes, I cannot work on those now.

  • 1 accepted solution
  • 10674 Views
  • 19 replies
  • 0 Likes