06-04-2013 12:59 AM
Hello,
We are using PA3020 in L3 A/P cluster mode. PanOS is release 5.0.2.
We are using static routes to reach our different subnets.
When trying to check a route destination to verify the path using the CLI, nothing is shown, as if there was no route for this particular destination:
TSadmin@PA-3020_M(active)> show routing route destination 10.198.30.5/32
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
VIRTUAL ROUTER: Trust-VR (id 2)
==========
destination nexthop metric flags age interface next-AS
total routes shown: 0
VIRTUAL ROUTER: Untrust-VR (id 3)
==========
destination nexthop metric flags age interface next-AS
total routes shown: 0
TSadmin@PA-3020_M(active)>
TSadmin@PA-3020_M(active)> show routing route destination 193.135.106.162/32
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
VIRTUAL ROUTER: Trust-VR (id 2)
==========
destination nexthop metric flags age interface next-AS
total routes shown: 0
VIRTUAL ROUTER: Untrust-VR (id 3)
==========
destination nexthop metric flags age interface next-AS
total routes shown: 0
TSadmin@PA-3020_M(active)>
However, there are adequate routes for these destinations:
TSadmin@PA-3020_M(active)> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
VIRTUAL ROUTER: Trust-VR (id 2)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.198.1.190 10 A S ethernet1/3
10.100.242.212/32 10.198.1.1 10 A S ethernet1/1
10.120.0.0/16 10.198.1.1 10 A S ethernet1/1
10.180.13.0/24 10.198.1.1 10 A S ethernet1/1
10.198.1.0/26 10.198.1.62 0 A C ethernet1/1
10.198.1.62/32 0.0.0.0 0 A H
10.198.1.64/26 10.198.1.126 0 A C ethernet1/2
10.198.1.126/32 0.0.0.0 0 A H
10.198.1.128/26 10.198.1.129 0 A C ethernet1/3
10.198.1.129/32 0.0.0.0 0 A H
10.198.8.0/21 10.198.1.65 10 A S ethernet1/2
10.198.17.0/24 vr Untrust-VR 10 A S Trust-VR/i3
10.198.30.0/23 10.198.30.1 0 A C ethernet1/12
10.198.30.1/32 0.0.0.0 0 A H
10.200.70.0/24 10.198.1.1 10 A S ethernet1/1
10.200.228.0/24 10.198.1.1 10 A S ethernet1/1
...
172.30.0.0/16 10.198.1.1 10 A S ethernet1/1
194.11.240.0/24 10.198.1.1 10 A S ethernet1/1
total routes shown: 81
VIRTUAL ROUTER: Untrust-VR (id 3)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 vr Trust-VR 10 A S Untrust-VR/i3
10.198.17.0/24 10.198.17.254 0 A C ethernet1/4
10.198.17.254/32 0.0.0.0 0 A H
total routes shown: 3
TSadmin@PA-3020_M(active)>
Is it a weird known bug?
I have to say that it is very problematic since we have dozens of static routes to check...
Kind Regards,
Laurent
06-04-2013 01:36 AM
Hi,
Thanks for your help; however, it just displays the outgoing interface for the route, not the next-hop or next-vr.
TSadmin@PA-3020_M(active)> test routing fib-lookup ip 193.135.106.162 virtual-router Trust-VR
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: Trust-VR
destination: 193.135.106.162
result: interface ethernet1/3
--------------------------------------------------------------------------------
TSadmin@PA-3020_M(active)> test routing fib-lookup ip 193.135.106.162 virtual-router Untrust-VR
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: Untrust-VR
destination: 193.135.106.162
result: interface ethernet1/3
--------------------------------------------------------------------------------
TSadmin@PA-3020_M(active)>
Moreover, the result for Untrust-VR is wrong since you can't choose an outgoing interface that is part of another VR (in this case eth1/3 is part of Trust-VR, and when I try to add a static route in Untrust-VR using outgoing interface eth1/3 I get the message "can't use a route that is bound to another VR").
Regards,
06-04-2013 01:47 AM
Two things. First, for your next hop, the traceroute command exists on the Palo and you can specify many parameters.
Concerning your VR, of course you can't specify in a VR an outgoing gateway interface which is not part of the same VR.
- Use VLANs on the Eth1/3 interface, each sub-part belonging to a dedicated VR (Trust-VR / Untrust-VR)
- Specify another VR as gateway.
V.