Route checking using CLI issue ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Route checking using CLI issue ?

L3 Networker

Hello,

We are using PA3020 in L3  A/P cluster mode. PanOS is release 5.0.2.

We are using static routes to reach our different subnets.

When trying to check a route destination to verify the path using the CLI, nothing is shown as there was no route for this particular destination :

TSadmin@PA-3020_M(active)> show routing route destination 10.198.30.5/32

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,

       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: Trust-VR (id 2)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

total routes shown: 0

VIRTUAL ROUTER: Untrust-VR (id 3)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

total routes shown: 0

TSadmin@PA-3020_M(active)>

TSadmin@PA-3020_M(active)> show routing route destination 193.135.106.162/32

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,

       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: Trust-VR (id 2)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

total routes shown: 0

VIRTUAL ROUTER: Untrust-VR (id 3)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

total routes shown: 0

TSadmin@PA-3020_M(active)>

However there are adequates routes for these  destinations :

TSadmin@PA-3020_M(active)> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,

       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: Trust-VR (id 2)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

0.0.0.0/0                                   10.198.1.190                            10     A S              ethernet1/3

10.100.242.212/32                           10.198.1.1                              10     A S              ethernet1/1

10.120.0.0/16                               10.198.1.1                              10     A S              ethernet1/1

10.180.13.0/24                              10.198.1.1                              10     A S              ethernet1/1

10.198.1.0/26                               10.198.1.62                             0      A C              ethernet1/1

10.198.1.62/32                              0.0.0.0                                 0      A H

10.198.1.64/26                              10.198.1.126                            0      A C              ethernet1/2

10.198.1.126/32                             0.0.0.0                                 0      A H

10.198.1.128/26                             10.198.1.129                            0      A C              ethernet1/3

10.198.1.129/32                             0.0.0.0                                 0      A H

10.198.8.0/21                               10.198.1.65                             10     A S              ethernet1/2

10.198.17.0/24                              vr Untrust-VR                           10     A S              Trust-VR/i3

10.198.30.0/23                              10.198.30.1                             0      A C              ethernet1/12

10.198.30.1/32                              0.0.0.0                                 0      A H

10.200.70.0/24                              10.198.1.1                              10     A S              ethernet1/1

10.200.228.0/24                             10.198.1.1                              10     A S              ethernet1/1

...

172.30.0.0/16                               10.198.1.1                              10     A S              ethernet1/1

194.11.240.0/24                             10.198.1.1                              10     A S              ethernet1/1

total routes shown: 81

VIRTUAL ROUTER: Untrust-VR (id 3)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

0.0.0.0/0                                   vr Trust-VR                             10     A S              Untrust-VR/i3

10.198.17.0/24                              10.198.17.254                           0      A C              ethernet1/4

10.198.17.254/32                            0.0.0.0                                 0      A H

total routes shown: 3

TSadmin@PA-3020_M(active)>

Is it a weird known bug ???

I have to say that it is very problematic since we have dozen of static routes to check...

Kind Regards,

Laurent

3 REPLIES 3

L5 Sessionator

Hi,

For testing, try with the commande : test routing fib-lookup ip X.X.X.X virtual-router VRName

V.

Hi,

Thanks for your help, however it just display the ouitgoing interface for the route, not the next-hop or next-vr.

TSadmin@PA-3020_M(active)> test routing fib-lookup ip 193.135.106.162 virtual-router Trust-VR

--------------------------------------------------------------------------------

runtime route lookup

--------------------------------------------------------------------------------

virtual-router:   Trust-VR

destination:      193.135.106.162

result:           interface ethernet1/3

--------------------------------------------------------------------------------

TSadmin@PA-3020_M(active)> test routing fib-lookup ip 193.135.106.162 virtual-router Untrust-VR

--------------------------------------------------------------------------------

runtime route lookup

--------------------------------------------------------------------------------

virtual-router:   Untrust-VR

destination:      193.135.106.162

result:           interface ethernet1/3

--------------------------------------------------------------------------------

TSadmin@PA-3020_M(active)>

Moreover, the result for Untrust-VR is wrong since you can't chose an outgoing interface that is part of another VR (in this case eth1/3 is part of Trust-VR and when I try to add a static route in Untrust-VR using outgoing interface eth1/3 I got a message "can't use a route that is bound to another VR"

Regards,

Two thing, forst, for your next hop, traceroute command eexiste in the palo and you can specify many parameters.

Concerning your VR, of course you can't specify in a VR an outgoing gateway interface which is not part of the same VR.

     - Use VLan on Eth1/3 interface each sub part of a dedicate VR (Trust-VR / Untrust-VR)

     - Specify another VR as gateway.

V.

  • 4123 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!