ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that router

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ping: sendmsg: Permission denied to connected router - but can reach destinations beyond that router

L0 Member

Any help is appreciated...

 

I have a PA interface connected to a router using a /31.  I have static routes with that router as the next hop.  From the firewall interface on the /31 interconnect, I can reach all of the destinations I have static routes for.  I can't, however reach the router's IP on the directly connected /31.  When I try to ping from the PA sourcing its /32 interconnect address, it gives me:

 

ping: sendmsg: Permission denied

 

If I ping from the router to the PA from one end of the /31 to the other, I see the incoming ping in the capture, but the PA doesn't reply (capturing receive, transmit, and firewall).

 

If I ping the PA /31 interface sourcing something beyond the /31 interconnect, I get replies.  If I ping from the PA to anything beyond the /31 interconnect, it is successful.

 

When I run "test routing", I see that the connected route is what is installed in the FIB table for the neighbor's IP.

 

result:           interface ethernet1/22

 

I have no NAT or security policy yet configured, so the policy being hit is the default intrazone allow any.  I can see that in the traffic logs and it shows as allowed.

 

My interface management profile also allows ping (and other protocols) - but that is evidenced by the fact that I can ping and SSH to the interface from hosts beyond the /31 interconnect.

 

I know that /31's work fine because I'm using them on other interfaces and have no issue.

 

The ARP table is also correctly populated on both ends of the connection.

 

Please help.  Thanks!

 

4 REPLIES 4

L0 Member

Weird - switched the interconnect to a /30 and it works now.

 

This is an L3 interface.  I have /31's working fine on tunnel.x interfaces.

 

This is the second inconsistent and/or buggy behavior I've found today.

 

 

Community Team Member

Using /31 was a discussion a while ago :

 

 

Using 31-Bit Prefixes on IPv4 Point-to-Point Links

 

/31 is not supported and a feature request was created.  As far as I can see this was not yet introduced.

Please reach out to your local SE so he can add more weight to this request.

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Apparently this feature is implemented but with a twist. As per https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-3-in... you can set /31 subnet now but 

if you have a subnet e.g 192.168.1.34/31 you have to give the higher address i.e 192.168.1.35 to PAN  and 192.168.1.34 to 

the directly connected device otherwise ping doesn't work.

Documentation is so vague about this detail.

It works. Just todat 20th-August-2022 i configured it on one of ther Interface on PA-3220.

Initially it was not working as there was two layer2 switches, inline. Even it was not working on tagged sub-interface.

I connected Router and Firewall directly. Manually set the firewall's port speed to 100mbps as Router port speed was 100mbps, not 1Gbps and it worked for me.

  • 8678 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!