Unexpected single port disconnection from PA-220


L1 Bithead

My client's PA 220 cannot reach his gateway. However, after he rebooted his PA, the connection came back, but only for a few hours! No matter how I have added the MAC address and troubleshot the problem of the system. I have checked both the port on the router and the port on the PA. I have added the MAC address on the ethernet port. I have even changed the port. It doesn't continue its connection. I have opened this case with the Palo Alto support team, but the support, in his first time support, also thought it's the client's router's problem, but it seems that it might not be the issue there.

Cyber Elite

@CharlesWang,

Does the firewall actually see the port drop, or do you simply lose internet traffic? Is the connection using a static IP or is it using DHCP or PPPoE? 

1. I pinged the gateway but the gateway didn't respond, and the ethernet is up. In addition, I cannot even ping the same domain IP addresses. I have tried to change the port, but the same problem occurs.

2. The port is static IP.

 

Remove static arp entry.

> clear arp ethernet1/5

And use same command to ping.

> show arp ethernet1/5

 

Do you see arp entry for .89?

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I have done what you told me, but it's still not able to reach 61.154.70.89

 


(incomplete) means that Palo can't resolve ip to mac address.

You claim that after reboot it does and then stops after a while?

What about just disconnecting ethernet1/5 and plugging it back?

 

Connect a patch cable from ethernet1/5 to your laptop.

Start Wireshark on your laptop.

Run ping command.

If packets go out from Palo ethernet1/5 then Wireshark should show arp requests where Palo is trying to resolve 61.154.70.89 to mac address.

If you see those arp requests then issue most likely at ISP side.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
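
The capture check described in the reply above, as an added example that is not part of the original thread: it parses raw Ethernet/ARP frames and reports whether requests for the gateway are leaving the port and whether anything answers them. The frames and MAC addresses are constructed, the firewall address 61.154.70.90 is assumed from the thread's "70.90", and the function names are hypothetical. With the laptop cabled directly to ethernet1/5 there is no gateway on the wire, so "unanswered" is the expected result there and confirms the firewall is sending ARP.

```python
import ipaddress
import struct

ARP_ETHERTYPE = 0x0806
GATEWAY_IP = "61.154.70.89"   # gateway address from the thread
FIREWALL_IP = "61.154.70.90"  # assumed from the thread's "70.90"
FW_MAC = bytes.fromhex("020000000001")  # constructed MAC
GW_MAC = bytes.fromhex("020000000002")  # constructed MAC

def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))
    return oper, sender_ip, target_ip

def diagnose(frames, gateway_ip=GATEWAY_IP):
    """Classify a capture by ARP requests for the gateway and replies from it."""
    requests = replies = 0
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, sender_ip, target_ip = arp
        if oper == 1 and target_ip == gateway_ip:
            requests += 1
        elif oper == 2 and sender_ip == gateway_ip:
            replies += 1
    if requests == 0:
        return "no-requests"   # firewall is not sending ARP out of this port
    if replies == 0:
        return "unanswered"    # requests leave the firewall, nothing answers
    return "resolved"

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet/ARP frame for the sample captures below."""
    dst = b"\xff" * 6 if oper == 1 else tha
    header = dst + sha + struct.pack("!HHHBBH", ARP_ETHERTYPE, 1, 0x0800, 6, 4, oper)
    return (header + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)

WHO_HAS = build_arp(1, FW_MAC, FIREWALL_IP, b"\x00" * 6, GATEWAY_IP)
IS_AT = build_arp(2, GW_MAC, GATEWAY_IP, FW_MAC, FIREWALL_IP)

if __name__ == "__main__":
    print(diagnose([WHO_HAS] * 3))     # requests only, as in the laptop test
    print(diagnose([WHO_HAS, IS_AT]))  # request followed by the gateway's reply
```
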

Yes, after the last reboot, the ethernet 1/5 was able to reach the 70.89 port again, but only for a few hours.

 

The client said they have tried to ping the 70.90 port on PA with the laptop, but the PA port didn't reply to the ping request.

 

The 70.89 port on the router responded to the ping request.

 

 

@CharlesWang,

The PA by default wouldn't respond to a ping request; you would have needed to enable this on the interface management profile. The Wireshark capture as mentioned by @Raido_Rattameister will tell you if the PA is attempting to send the ARP request or not, or if the router isn't responding to an ARP request.

It's already enabled.

L0 Member
How did you solve this problem in the end?