08-24-2021 07:20 AM
We are running NMS.
However, the operation method does not work internally and goes out to the VPN public IP.
trust -> untrust -> isp(internet outside) -> VPN untrust
Communication is done in the same way as above. In NMS, the status of VPN untrust is monitored by ICMP.
However, after 30 minutes, the VPN untrust interface suddenly stops pinging.
The workaround is to send a ping command to VPN untrust -> VPN ISP using source ip, then NMS can send ping normally again.
I don't know why the ping keeps dropping every 30 minutes.
We are experiencing a VPN stoppage every 30 minutes.
08-24-2021 08:30 AM
If I understand the question (from my perspective) It sounds to me that the the ARP entry for the MAC address of the ISP is being removed from the FW (this is OK and common.. .all devices have an ARP timeout setting). My next question will be.. why does your ISP not provide its mac address? When you need to ping with the SrcIP, you are updating the FW's arp table again, to associate the L3 address to its L2 mac address.
Consider that I ask for your home address, and you do not give it to me.. why would that be my issue?
Even though we talk about IP networks, please remember there is an OSI model, so L3 address go down the "stack" on an interface, and send L2 mac address to other device... I think there is an issue, but not with the FW. If the ISP does not provide its mac address, why would this be a FW issue?
Now, you may need to modify your interface to add in a static mac address entry for your ISP.
Again, this is all how I have understood/perceived your issue. If it is something else, or you can provide additional details, please advise.
08-30-2021 05:52 PM
As you said, after a long time, I checked with show arp all in Palo Alto.
The arp table was gone. I don't understand.
The green LED is still on in the interface part.
why? Why can't arp be updated?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!