I have a PAN-OS 6.0.2 box that I upgraded to PAN-OS 6.0.4. I have two vwires: one on interfaces 1/2 and another on 5/6. The vwire on 5/6 did not come up. The interfaces are "up" (green) as far as the web gui is concerned. The "Monitor" shows traffic being "allowed" per the appropriate rules. However, traffic is not flowing.
I have not tried rebooting the device and I don't want to yet... I would like to understand what is broken. Can anyone offer some advice on how to troubleshoot this?
How did you determine firewall is dropping traffic if its allowed in Traffic log ?
Can you do packet capture on those interfaces to confirm the same. Also check for dropped packets if there is any.
I know this is a little extreme, but have you tried another reboot of the system.
I had a situation with a 5k series last year where a power off and on of one of the connected vwire routers caused those same symptoms for the vwire link. no other combination of link bouncing on any of the three devices or reboots helped. We had to reboot the PA to restore the flow.
I would suggest to continue this thread to find root cause of the issue.
Or open a TAC case, if you reboot the device than you will never come to know result.
If you have Link Pass Thru enabled on the VWIRE, try disabling to see if the interfaces still show up on the PAN. It should help during trouble-shooting.. Also, make sure STP on the remote ends is setup correctly, and ensure they enable Portfast if not. Might help if you post information on how the remote ports are configured.
Thank you all for your help with this. The vwire came back up some time after after unplugging and re-plugging the cables (I'm sorry I don't know how long after could have been 1 second or 1 day).
FYI the vwire does have "link pass through" enabled.
0. Traffic is flowing on vwire (verified with ping)
1. Upgrade PAN-OS from 6.0.2 to 6.0.4
2. PAN reboots as part of the upgrade
3. Ping (and other tests) confirm traffic is not flowing on vwire
4. PAN vwire is bypassed to get the network up
5. vwire is attached to a "test network"
6. I stupidly do not re-run step 3 (it is a remote site and we were all scrambling to get the net back up...)
7. monitor shows traffic is flowing on the vwire
8. I finally get around to re-running step 3 and it shows that the wire is back up
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!