03-12-2017 01:40 AM - edited 03-13-2017 12:44 AM
Hello All,
My system is a multi-vsys environment, and I need to route traffic from untrust to trust.
My source is the internet and my destination is my second public IP subnet on the trust interface.
I investigated and found a log entry in Global Counters: "Packets dropped: invalid interface".
I tried adding the public IP to a loopback and as a secondary IP, but it did not help.
How can I solve this problem?
Thanks.
03-13-2017 12:46 AM
My environment is like this. I need to route traffic to my public IP via the Palo.
03-13-2017 12:55 AM
I'm afraid I would need many more details to debug this (routing, interface configurations, ...).
But I suspect it's a topology issue.
03-13-2017 01:11 AM
Routing is correct. I can ping from the Palo to the public IP at HQ (the routing FIB is correct).
When pinging from the internet, the packet is dropped by the Palo, as shown in the following counter log.
03-13-2017 01:52 AM
I have to agree with @santonic, we'll need much more information to dissect this issue 🙂
why is your public IP range on the trust interface?
For your multi-vsys environment, did you create 2 vsys-specific virtual routers, or are you floating one VR outside the vsys (no vsys assigned to it)?
The invalid interface error could be caused by your VR trying to forward the incoming packet to an interface that's outside the receiving vsys.
flow_rcv_dot1q_tag_err usually means you are receiving 802.1q tagged packets on a non-tagged interface (or with a tag that is not configured on one of the subinterfaces); you might want to look into that also.
04-01-2017 08:41 AM
Since you have multiple vsys and a path to the main office via both the internet and what looks like an internal link, I think you are likely dealing with some asymmetrical routing. Firewalls do not like asymmetrical routing and drop the packet.
To confirm this, perform this test:
Run a traceroute from the device at the trust interface to the public IP address at the home office in question.
Run a second traceroute from the device on the public IP address at the home office back to your trust device (the NAT address if this is NATed, or the public address if it is public).
Compare the path on both and verify they go the same way.