Palo alto static routing issue


L4 Transporter

Hi,

We are configuring a new routing scenario but we are experiencing problems taking the correct route.

This is our static route table:

destination     interface   gateway        metric
10.50.1.0/24    eth1/1      10.50.250.1    1
10.50.2.0/24    eth1/1      10.50.250.1    1
10.0.0.0/8      eth1/5      10.50.50.4     10

If we run a "test routing fib ...", we can see all traffic going to the 10.0.0.0/8 route, although we have two /24 routes.

If we run a session to IP 10.50.2.10 (second route), the firewall is sending the traffic to gateway 10.50.50.4. Why???

We have two more restrictive routes with a lower metric in order to take preference, but it's not working.

I understand that the static route selection is:

1) Metric (lower metric, more preference)

2) Restrictive route. Mask /8 has less preference than /24.

Why is the FW taking the /8 route??? We have had to create PBR in order to solve it.

19 replies

L7 Applicator

I don't understand your setup.

What are the IP addresses of interfaces eth1/1 and eth1/5, including masks?

It's quite simple.

We have a 10.0.0.0/8 route going to the eth1/5 interface, but we want several /24 networks to take a different interface.

To my understanding, I thought that the metric or the more restrictive route would take preference over the /8 route.

Yes it does. /24 beats /8, regardless of metric.

But only if the route is valid.

Please post the IP interfaces of eth1/1 and eth1/5. This may show that your route is invalid.

Eth1/1 FW IP is 10.50.250.2

Eth1/5 FW IP is 10.50.50.5

I don't think this is related to the IP interface.

Cyber Elite

This should work as expected. Can you share the rest of your config (interface IPs and the full routing table, possibly the output of show routing route, etc.) so we can have a better view of what could be going on?

Your assumption is correct that the smaller subnet should get preference over the supernet, but maybe we're missing something in the bigger picture.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

(attachment: network map.JPG)

 

This is the scenario. We have the routes to avoid asymmetric routing.

It's weird that everything is taking the /8 route.

What is the subnet mask of 10.50.50.5?

/28. We have HSRP on the 4500 device.

Hmmm... weird..

 

Just as a test... if you add the following static route..

 

destination      interface   gateway        metric
172.21.50.0/24   eth1/1      10.50.250.1    1

and traceroute to 172.21.50.1, where does that go... 250.1 or 50.4?

L4 Transporter

What version of PAN-OS are you running? Did you verify that all of the routes are actually showing up in the FIB on the Palo Alto firewall (you may have to disable PBR to see this)? Is interface monitoring enabled?

 

- Matt

PAN-OS is: 6.1.14

 

This is the routing table.

 

The FW is always taking the route 10.0.0.0/8, although we have several /24.....

(attachment: web1.JPG)

Are you sure 10.50.250.1 is a valid interface?

If not, then your /24 routes will be deprecated and the /8 will be used.

Yes it is. The previous capture was done in "more runtime stats", so the route is being applied in the current routing table.

Can you double check if the 10.50.250.0 subnet shows up in the routing table as 'connected' (and a /32 as 'Host')? This is necessary for it to be usable as a next hop for other routes.

reaper@myNGFW> show routing route 

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, 
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

  
VIRTUAL ROUTER: vr_internet (id 1)
  ==========
destination            nexthop            metric flags age   interface     next-AS    
0.0.0.0/0              198.51.100.1       10     A S         ethernet1/1                   
198.51.100.0/24        198.51.100.241     0      A C         ethernet1/1                   
198.51.100.241/32      0.0.0.0            0      A H                                            

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
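A small model of the route-selection behaviour the replies describe: longest prefix wins, metric only breaks ties between equal-length prefixes, and a static route is only installed in the FIB when its next hop lies in a connected subnet of its egress interface. This is an added example written for this thread, not code from the thread or from PAN-OS. The thread never gives the eth1/1 mask, so two values are assumed: a /24 that makes 10.50.250.1 reachable, and a constructed /31 that does not, to show how the /24 routes silently drop out and the /8 takes over.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str      # destination prefix, e.g. "10.50.2.0/24"
    iface: str     # egress interface
    nexthop: str   # gateway address
    metric: int


# Static routes as posted in the thread.
STATIC = [
    Route("10.50.1.0/24", "eth1/1", "10.50.250.1", 1),
    Route("10.50.2.0/24", "eth1/1", "10.50.250.1", 1),
    Route("10.0.0.0/8",   "eth1/5", "10.50.50.4", 10),
]

# 10.50.250.2 and 10.50.50.5/28 are from the thread; the eth1/1 mask is not,
# so /24 (working case) and /31 (constructed mismatch) are assumed here.
IFACES_OK = {"eth1/1": "10.50.250.2/24", "eth1/5": "10.50.50.5/28"}
IFACES_BAD = {"eth1/1": "10.50.250.2/31", "eth1/5": "10.50.50.5/28"}


def build_fib(static_routes, interfaces):
    """Install only routes whose next hop is inside the connected subnet
    of the route's own egress interface (a 'valid' route in the thread's terms)."""
    connected = {name: ipaddress.ip_interface(cidr).network
                 for name, cidr in interfaces.items()}
    fib = []
    for r in static_routes:
        net = connected.get(r.iface)
        if net is not None and ipaddress.ip_address(r.nexthop) in net:
            fib.append(r)
    return fib


def lookup(fib, dst):
    """Longest prefix match; metric only breaks ties between equal-length prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in fib if addr in ipaddress.ip_network(r.dest)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.metric))


if __name__ == "__main__":
    for label, ifaces in (("eth1/1 as /24", IFACES_OK), ("eth1/1 as /31", IFACES_BAD)):
        fib = build_fib(STATIC, ifaces)
        chosen = lookup(fib, "10.50.2.10")
        print(f"{label}: {len(fib)} routes in FIB, 10.50.2.10 -> {chosen.nexthop} via {chosen.iface}")
```

With the mismatched mask the /24 routes never reach the FIB, which is exactly the symptom the thread describes; the check that 10.50.250.0 appears as a connected route is what distinguishes the two cases.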