11-27-2018 12:47 AM
My client's PA 220 cannot reach to his gateway. However, after he has reboot his PA, the connection is back, but only for few hours long! No matter how I have add the MAC address and troubshoot the problem of the system. I have checked both port on therouter and the port on the PA. I have added the MAC address on the ethernet port. I have even chnaged the port. It doesn't contunuse its connection. I have opened this case for the Paloalto support team, but the support, in his first time support, also thought it's the client's router's problem, but it seems that it might not be the issue there.
11-27-2018 10:36 AM
Does the firewall actually see the port drop, or do you simply lose internet traffic? Is the connection using a static IP or is it using DHCP or PPPoE?
11-28-2018 01:21 AM
1. I pinged the gateway but the gateway didn't respond, and the ethernet is up. In addtion, I cannot even ping the same domain ip addresses. I have tried to change the port, but it occurs the same problem.
2. The port is static IP.
11-28-2018 09:58 AM
Remove static arp entry.
> clear arp ethernet1/5
And use same command to ping.
> show arp ethernet 1/5
Do you see arp entry for .89?
11-28-2018 05:34 PM
I have done what you told me, but it's still not able to reach 61.154.70.89
11-28-2018 07:05 PM
(incomplete) means that Palo can't resolve ip to mac address.
You claim that afrer reboot it does and then stops after a while?
What about just disconnecting ethernet1/5 and plugging it back?
Connect patch cable from ethernet1/5 to your laptop.
Start Wireshark on your laptop.
Run ping command.
If packets go out from Palo ethernet1/5 then Wireshark should show arp requests where Palo is trying to resolve 61.154.70.89 to mac address.
If you see those arp requests then issue most likely at ISP side.
11-28-2018 08:12 PM
Yes, after last time reboot, the ethernet 1/5 was able to reach the 70.89 port again, but only for few hours.
The client said they have tried to ping the 70.90 port on PA with the laptop, but the PA port didn't reply the ping request.
The 70.89 port on the router responded the ping request.
11-29-2018 06:52 AM
The PA by default wouldn't respond to a Ping request, you would have needed to enable this on the interface management profile. The wireshark capture as mentioned by @Raido_Rattameister will tell you if the PA is attempting to send the ARP request or not, or if the router isn't responding to an ARP request.
11-29-2018 05:05 PM
It's already enabled.
02-02-2021 06:35 PM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
