Any help is appreciated...
I have a PA interface connected to a router using a /31. I have static routes with that router as the next hop. From the firewall interface on the /31 interconnect, I can reach all of the destinations I have static routes for. I can't, however, reach the router's IP on the directly connected /31. When I try to ping from the PA sourcing its /32 interconnect address, it gives me:
ping: sendmsg: Permission denied
If I ping from the router to the PA from one end of the /31 to the other, I see the incoming ping in the capture, but the PA doesn't reply (capturing receive, transmit, and firewall).
If I ping the PA /31 interface sourcing something beyond the /31 interconnect, I get replies. If I ping from the PA to anything beyond the /31 interconnect, it is successful.
When I run "test routing", I see that the connected route is what is installed in the FIB table for the neighbor's IP.
result: interface ethernet1/22
I have no NAT or security policy yet configured, so the policy being hit is the default intrazone allow any. I can see that in the traffic logs and it shows as allowed.
My interface management profile also allows ping (and other protocols) - but that is evidenced by the fact that I can ping and SSH to the interface from hosts beyond the /31 interconnect.
I know that /31s work fine because I'm using them on other interfaces and have no issue.
The ARP table is also correctly populated on both ends of the connection.
Please help. Thanks!
Using /31 was a discussion a while ago:
/31 is not supported and a feature request was created. As far as I can see this was not yet introduced.
Please reach out to your local SE so he can add more weight to this request.
Hope this helps,
Apparently this feature is implemented, but with a twist. As per https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-3-in... you can set a /31 subnet now, but if you have a subnet, e.g. 192.168.1.34/31, you have to give the higher address, i.e. 192.168.1.35, to the PAN and 192.168.1.34 to the directly connected device; otherwise ping doesn't work.
Documentation is so vague about this detail.
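A small pre-change check for the placement rule in the reply above, as an added example that is not part of the original thread and not Palo Alto Networks' own tooling; the function name and the result fields are assumptions of this example, and the sample addresses are the ones quoted in the reply.

```python
from ipaddress import ip_interface, ip_address


def check_p2p_31(firewall_cidr: str, peer_ip: str) -> dict:
    """Check a firewall /31 interconnect against the rule from the reply:
    the firewall takes the higher (odd) address, the peer the lower (even) one.

    Returns {"ok", "reason", "expected_firewall", "expected_peer"}; the
    function and its field names are this example's own, not a PAN-OS API."""
    fw = ip_interface(firewall_cidr)
    peer = ip_address(peer_ip)
    net = fw.network
    if fw.version != 4 or net.prefixlen != 31:
        return {"ok": False,
                "reason": f"{firewall_cidr} is not an IPv4 /31; rule does not apply",
                "expected_firewall": "", "expected_peer": ""}
    # A /31 has no network/broadcast pair: both addresses are usable hosts.
    # ipaddress still exposes them as network_address (low) and broadcast_address (high).
    low, high = net.network_address, net.broadcast_address
    result = {"ok": False, "reason": "",
              "expected_firewall": f"{high}/31", "expected_peer": str(low)}
    if peer not in net:
        result["reason"] = f"peer {peer} is not inside {net}"
    elif peer == fw.ip:
        result["reason"] = "peer and firewall share the same address"
    elif fw.ip == low:
        result["reason"] = (f"firewall holds the lower address {low}; "
                            f"swap them: firewall {high}, peer {low}")
    else:
        result["ok"] = True
        result["reason"] = f"firewall holds the higher address {high}, peer {low}"
    return result


if __name__ == "__main__":
    # Constructed sample pairs; the first two use the addresses quoted in the reply.
    for fw_cidr, peer in [("192.168.1.35/31", "192.168.1.34"),
                          ("192.168.1.34/31", "192.168.1.35"),
                          ("10.0.0.1/30", "10.0.0.2")]:
        r = check_p2p_31(fw_cidr, peer)
        print(f"{fw_cidr} <-> {peer}: {'OK' if r['ok'] else 'FIX'} - {r['reason']}")
```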