This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA3050 cant ping next hop and has dropped all client traffic heading outbound.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA3050 cant ping next hop and has dropped all client traffic heading outbound.

Go to solution
lschs-s
L2 Linker

‎04-02-2019 07:57 PM

I have tried a lot, and at this point I think I just must be missing something obvious that for whatever reason wont come to mind. From the PA3050 I can not ping outbound from the public IP. When I run captures, all outbound traffic is in dropped stage. There is no network functionality at all, and I am unable to find the issue.

 

Security ConfigSecurity ConfigNAT ConfigNAT Config

0 Likes Likes
19 REPLIES 19

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to lschs-s

‎04-03-2019 03:24 PM

Have you enabled LACP on ae.x interface in Palo?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
lschs-s
L2 Linker
In response to Raido_Rattameister

‎04-03-2019 04:07 PM

Yes and on both routers both links are active and LACP established the bond. Like I said, the issue was happening before the AE, so I doubt it has any influence on my issues here.

0 Likes Likes

Go to solution
lschs-s
L2 Linker
In response to Raido_Rattameister

‎04-04-2019 08:14 AM

Did the test as you recomended, disabled LACP and did a direct L3 on the Palo Alto to my laptop. No client packets or pings from source 67.107.166.142 made it outbound. Its like the firewall isnt routing or has some setting blocking it from talking.

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to lschs-s

‎04-04-2019 09:06 AM

debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all

debug dataplane packet-diag set filter match source 67.107.166.142
debug dataplane packet-diag set filter match destination 67.107.166.142

debug dataplane packet-diag set filter on

show counter global filter delta yes packet-filter yes

ping source 67.107.166.142 host <ip of your laptop>

show counter global filter delta yes packet-filter yes

 

Now post here output of the last show counter global result.

 

And then to clean up:

debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
lschs-s
L2 Linker
In response to Raido_Rattameister

‎04-04-2019 11:29 AM

Thank you so much for the help, but I fixed it all! It was some issues with subnetting and a few with routing, but worked them all out. I would go in detail, but it was in no way related to nat or security.

1 person found this solution to be helpful.
0 Likes Likes
  • 10832 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks