ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that router

L1 Bithead

ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that router

Any help is appreciated...

I have a PA interface connected to a router using a /31.  I have static routes with that router as the next hop.  From the firewall interface on the /31 interconnect, I can reach all of the destinations I have static routes for.  I can't, however, reach the router's IP on the directly connected /31.  When I try to ping from the PA sourcing its /32 interconnect address, it gives me:

ping: sendmsg: Permission denied

If I ping from the router to the PA from one end of the /31 to the other, I see the incoming ping in the capture, but the PA doesn't reply (capturing receive, transmit, and firewall).

If I ping the PA /31 interface sourcing something beyond the /31 interconnect, I get replies.  If I ping from the PA to anything beyond the /31 interconnect, it is successful.

When I run "test routing", I see that the connected route is what is installed in the FIB table for the neighbor's IP.

result:           interface ethernet1/22

I have no NAT or security policy yet configured, so the policy being hit is the default intrazone allow any.  I can see that in the traffic logs and it shows as allowed.

My interface management profile also allows ping (and other protocols) - but that is evidenced by the fact that I can ping and SSH to the interface from hosts beyond the /31 interconnect.

I know that /31's work fine because I'm using them on other interfaces and have no issue.

The ARP table is also correctly populated on both ends of the connection.

Please help.  Thanks!

L1 Bithead

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

Weird - switched the interconnect to a /30 and it works now.

This is an L3 interface.  I have /31's working fine on tunnel.x interfaces.

This is the second inconsistent and/or buggy behavior I've found today.

Community Team Member

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

Using /31 was a discussion a while ago:

Using 31-Bit Prefixes on IPv4 Point-to-Point Links

/31 is not supported and a feature request was created.  As far as I can see this was not yet introduced.

Please reach out to your local SE so he can add more weight to this request.

Hope this helps,

-Kim.

L0 Member

Re: ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that ro

Apparently this feature is implemented but with a twist. As per https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-3-in... you can set a /31 subnet now, but if you have a subnet, e.g. 192.168.1.34/31, you have to give the higher address, i.e. 192.168.1.35, to PAN and 192.168.1.34 to the directly connected device; otherwise ping doesn't work.

Documentation is so vague about this detail.
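An added configuration check, not from this thread or from Palo Alto Networks, that encodes the rule reported in the last post (firewall takes the higher address of a /31) so a list of interconnects can be audited before the symptom shows up; the interface names and addresses are constructed sample values, not the poster's real configuration.

```python
import ipaddress

def check_p2p_assignment(firewall_ip: str, prefix_len: int, peer_ip: str) -> dict:
    """Validate one firewall/peer address pair on a point-to-point link.

    /31 rule (as reported in the thread, not from official docs): the firewall
    must hold the higher of the two addresses or pings to the peer fail.
    /30 and wider: both addresses must be usable hosts of the same subnet.
    """
    fw = ipaddress.ip_address(firewall_ip)
    peer = ipaddress.ip_address(peer_ip)
    net = ipaddress.ip_network(f"{firewall_ip}/{prefix_len}", strict=False)
    if fw == peer:
        return {"ok": False, "reason": "both ends use the same address"}
    if peer not in net:
        return {"ok": False, "reason": f"peer {peer} is outside {net}"}
    if prefix_len == 31:
        lo, hi = net[0], net[1]  # a /31 has exactly two addresses
        if fw == hi:
            return {"ok": True, "reason": "firewall holds the higher /31 address"}
        return {
            "ok": False,
            "reason": f"firewall holds the lower /31 address {fw}",
            "suggested_firewall_ip": str(hi),
            "suggested_peer_ip": str(lo),
        }
    usable = set(net.hosts())  # excludes network and broadcast for /30 and wider
    if fw not in usable or peer not in usable:
        return {"ok": False, "reason": f"network or broadcast address used on {net}"}
    return {"ok": True, "reason": "valid point-to-point assignment"}

# Constructed sample of L3 interconnects (hypothetical, not the thread's config)
SAMPLE_INTERFACES = [
    ("ethernet1/22", "192.168.1.34", 31, "192.168.1.35"),  # lower address on firewall
    ("ethernet1/23", "192.168.1.37", 31, "192.168.1.36"),  # higher address on firewall
    ("tunnel.1", "10.10.10.1", 30, "10.10.10.2"),
    ("ethernet1/24", "10.20.0.0", 30, "10.20.0.1"),        # network address used
]

def audit(interfaces):
    """Return the names of interfaces whose assignment fails the check."""
    return [name for name, fw, plen, peer in interfaces
            if not check_p2p_assignment(fw, plen, peer)["ok"]]

if __name__ == "__main__":
    for name, fw, plen, peer in SAMPLE_INTERFACES:
        print(name, check_p2p_assignment(fw, plen, peer))
```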
