06-09-2017 05:18 PM
Hi All, I am working on a project where the firewall (PA-3020) is connected to a DMZ via a sub-interface.
I have two physical copper interfaces in an aggregated group AE2 with LACP enabled, and then multiple sub-interfaces under that. The DMZ sub-interface (ae2.4010) has a subnet of 192.168.66.0/24; however, I am unable to reach the backend servers on the same subnet unless I add a null static route in the virtual router, i.e. 192.168.66.0/24 --> Interface: ae2.4010 --> Next Hop: None.
That's quite unusual, because all the other sub-interfaces have no issues, and I don't need to add any null routes to the VR. Does anybody have any clue what the problem might be in this instance?
Thank you
06-10-2017 12:49 PM
06-10-2017 02:36 PM - edited 06-10-2017 02:36 PM
Hi @Remo
I did a modification on my sub-interface just now, for testing purposes.
Instead of adding only the IP address object with no mask, I included the subnet mask /24. After that I was able to reach the servers on the same subnet.
It is a weird issue, because the IP address I had configured, although it did not have the mask specified, was part of the same range as all the other backend servers; hence, I assumed it should've worked.
I was running PAN-OS 7.1.7 before fixing the mask, and then upgraded to PAN-OS 7.1.10 now because I thought it could be a bug, but I was wrong. Bottom line, it works, but you always have to specify the actual mask on the address object.
Thank you
06-11-2017 04:38 PM
I'm surprised the PA does not automatically add the /32 mask to the interface if you plug in just an IP address. This would make the issue more obvious to observe.
Glad you have it figured out.
06-10-2017 03:59 AM
Is there an IP address in that subnet configured on the sub-interface?
This should create a direct route automatically.
I am assuming the PA is layer 3 for this setup, is that right?
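Both the question about a direct (connected) route and the fix the original poster found (adding the /24 mask to the interface address) come down to what the virtual router installs in its routing table. The Python example below is added here for illustration and is not code from the thread or from Palo Alto Networks: it models a virtual router as a list of routes with longest-prefix-match lookup, derives connected routes from interface addresses, and shows why a backend host on 192.168.66.0/24 is unreachable when the interface carries a bare address, why the "null" static route (interface ae2.4010, no next hop) papers over that, and why the /24 mask makes the static route unnecessary. The interface names, the backend address 192.168.66.50 and the treatment of a mask-less address as a /32 host route are assumptions made for the example; the thread does not say exactly how PAN-OS stored the mask-less object.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed example addresses; not taken from the thread beyond the subnet itself.
BACKEND_SERVER = "192.168.66.50"


def connected_routes(interfaces):
    """Derive the connected routes a virtual router would install from its L3 interfaces.

    interfaces: {ifname: "addr/prefixlen"}. A bare address with no mask is treated
    as a /32 host route (assumption for this example): ip_interface("192.168.66.1")
    yields 192.168.66.1/32, so no route for the /24 is ever created.
    Each route is (network, egress_interface, next_hop); connected routes have no next hop.
    """
    routes = []
    for ifname, addr in interfaces.items():
        iface = ip_interface(addr)
        routes.append((iface.network, ifname, None))
    return routes


def static_route(prefix, ifname, next_hop=None):
    """A static route as entered in the VR: destination, egress interface, optional next hop."""
    return (ip_network(prefix), ifname, None if next_hop is None else ip_address(next_hop))


def lookup(routes, dst):
    """Longest-prefix match; returns (network, egress_interface, next_hop) or None."""
    dst = ip_address(dst)
    best = None
    for net, ifname, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, nh)
    return best


def without_mask():
    """ae2.4010 configured with a bare address: only a /32 exists, the /24 is unrouted."""
    rib = connected_routes({"ae2.4010": "192.168.66.1", "ae2.4020": "192.168.67.1/24"})
    return lookup(rib, BACKEND_SERVER)  # None: no route covers 192.168.66.50


def with_null_route():
    """Same bare address plus the workaround from the thread: /24 -> ae2.4010, next hop None."""
    rib = connected_routes({"ae2.4010": "192.168.66.1"})
    rib.append(static_route("192.168.66.0/24", "ae2.4010"))
    return lookup(rib, BACKEND_SERVER)  # matches the static route, egress ae2.4010


def with_mask():
    """The real fix: the interface address carries its /24, so the connected route appears."""
    rib = connected_routes({"ae2.4010": "192.168.66.1/24"})
    return lookup(rib, BACKEND_SERVER)  # matches the connected /24, egress ae2.4010


if __name__ == "__main__":
    for name, fn in (("bare address", without_mask),
                     ("bare address + null route", with_null_route),
                     ("address with /24", with_mask)):
        print(f"{name:28s} -> {fn()}")
```

The null static route and the connected route produce the same forwarding result in the model (egress ae2.4010, ARP for the destination directly), which is why the workaround "worked"; the difference is that the connected route also covers the router's own view of which hosts are on-link, and is what the other sub-interfaces were getting for free from their masked addresses.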
06-10-2017 09:54 AM