Palo alto static routing issue

L3 Networker

Re: Palo alto static routing issue

What version of PAN-OS are you running? Did you verify that all of the routes are actually showing up in the FIB on the Palo Alto firewall (you may have to disable PBR to see this)? Is interface monitoring enabled?

- Matt

L4 Transporter

Re: Palo alto static routing issue

PanOS is: 6.1.14

This is the routing table.

FW is always taking the route 10.0.0.0/8, although we have several /24.....

web1.JPG

L7 Applicator

Re: Palo alto static routing issue

Are you sure 10.50.250.1 is a valid interface?

If not then your /24 routes will depreciate and /8 will be used.

L4 Transporter

Re: Palo alto static routing issue

Yes it is. The previous capture was done in "more runtime stats". So the route is being applied in current routing table.

L7 Applicator

Re: Palo alto static routing issue

Can you double check if the 10.50.250.0 subnet shows up in the routing table as 'connected' (and a /32 as 'Host')? This is necessary for it to be usable as nexthop for other routes.

reaper@myNGFW> show routing route 

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, 
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

  
VIRTUAL ROUTER: vr_internet (id 1)
  ==========
destination            nexthop            metric flags age   interface     next-AS    
0.0.0.0/0              198.51.100.1       10     A S         ethernet1/1                   
198.51.100.0/24        198.51.100.241     0      A C         ethernet1/1                   
198.51.100.241/32      0.0.0.0            0      A H

reaper - PANgurus.com
I drink and I know things

L4 Transporter

Re: Palo alto static routing issue

Hi,

This is the routing table:

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: Router Virtual (id 2)
  ==========
destination         nexthop          metric flags  age  interface     next-AS
10.0.0.0/8          10.50.50.4       10     A S         ethernet1/5
10.47.1.0/29        10.50.250.1      1      A S         ethernet1/1
10.47.2.0/29        10.50.250.1      1      A S         ethernet1/1
10.47.3.0/29        10.50.250.1      1      A S         ethernet1/1
10.47.4.0/26        10.50.250.1      1      A S         ethernet1/1
10.47.6.0/24        10.50.250.1      1      A S         ethernet1/1
10.50.1.0/24        10.50.250.1      1      A S         ethernet1/1
10.50.1.0/26        10.50.1.1        0      A C         ethernet1/2
10.50.1.1/32        0.0.0.0          0      A H
10.50.2.0/24        10.50.2.1        0      A C         ethernet1/3
10.50.2.0/24        10.50.250.1      1        S         ethernet1/1
10.50.2.1/32        0.0.0.0          0      A H
10.50.50.5/32       0.0.0.0          0      A H
10.50.250.0/29      10.50.250.2      0      A C         ethernet1/1
10.50.250.2/32      0.0.0.0          0      A H

L3 Networker

Re: Palo alto static routing issue

Is this a dump of show routing fib? It looks a bit different on my 8.x device? Any chance you have policy based routing configured?

- Matt

L4 Transporter

Re: Palo alto static routing issue

PanOS version is 6.1.x.

The previous command was "show routing route"

The issue was solved configuring PBR in order to force the correct interface. That was done because routes weren't working (even with more metric and restrict mask).

L7 Applicator

Re: Palo alto static routing issue

Hello,

The PAN has two routing tables, one for the routes and another for forwarding. The forwarding will be the one that the PAN uses to send the packets. As @mlinsemier pointed out, check out the FIB table as well.

Regards,

L4 Transporter

Re: Palo alto static routing issue

265     10.0.0.0/8            10.50.50.4         ug     ethernet1/5        1500
289     10.47.6.0/24          10.50.250.1        ug     ethernet1/1        1500
279     10.47.1.0/29          10.50.250.1        ug     ethernet1/1        1500
280     10.47.2.0/29          10.50.250.1        ug     ethernet1/1        1500
281     10.47.3.0/29          10.50.250.1        ug     ethernet1/1        1500
282     10.47.4.0/26          10.50.250.1        ug     ethernet1/1        1500
283     10.50.1.0/24          10.50.250.1        ug     ethernet1/1        1500
284     10.50.2.0/24          0.0.0.0            u      ethernet1/3        1500
232     10.50.1.0/26          0.0.0.0            u      ethernet1/2        1500
231     10.50.1.1/32          0.0.0.0            uh     ethernet1/2        1500
234     10.50.2.1/32          0.0.0.0            uh     ethernet1/3        1500
261     10.50.50.5/32         0.0.0.0            uh     ethernet1/5        1500
218     10.50.250.0/29        0.0.0.0            u      ethernet1/1        1500
217     10.50.250.2/32        0.0.0.0            uh     ethernet1/1        1500
285     10.128.0.0/16         10.50.250.1        ug     ethernet1/1        1500
