Virtual Wire silently discarding packets directed to ip addresses of a L3 interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Virtual Wire silently discarding packets directed to ip addresses of a L3 interface

L1 Bithead

I have a PA-4020 with PanOS 4.0.3. Policies are mailnly applied to traffic flowing through two parallel Virtual Wires. I have also defined some L3 interfaces , in order to set up some SSL-VPNs. I have noticed that packets whose destination IP address is the IP address of an L3 interface are not allowed to go through the Virtual Wires, even if my policies permit their transit. There is non trace of the discarded packets in the logs. I suspect this is a bug. Did others experiment the same problem?

6 REPLIES 6

L4 Transporter

You going to need to provide some topology information. Your description sounds as though you have two L3 interfaces in parallel with two sets of vwire interfaces. If you are convinced this is a bug it will require a case be opened with technical support so that it can be reproduced and a bug generated so that it can be fixed.

~Phil

I've enclosed a picture showing my setup. In the situation described in the picture, pings sent from 146.48.99.254 to 146.48.99.251 time out. All other pings from 146.48.99.254 to other addresses in subnet 146.48.96.0/22 succeed. If the virtual wire is bypassed, 146.48.99.254 can ping also 146.48.99.251.

My intention was to use 146.48.99.251 as a gateway for an SSL-VPN. I have found a work-around, so I can survive even with this strange behaviour of the PA-4020.

Before submitting a case, I would like to know if my planned setup was wrong.

cnrpisa wrote:

I've enclosed a picture showing my setup. In the situation described in the picture, pings sent from 146.48.99.254 to 146.48.99.251 time out. All other pings from 146.48.99.254 to other addresses in subnet 146.48.96.0/22 succeed. If the virtual wire is bypassed, 146.48.99.254 can ping also 146.48.99.251.

My intention was to use 146.48.99.251 as a gateway for an SSL-VPN. I have found a work-around, so I can survive even with this strange behaviour of the PA-4020.

Before submitting a case, I would like to know if my planned setup was wrong.

cnrpisa,

Do you have a managment profile that allows ping applied to interface e1/1.96 on the PA-4020?  It sounds like this is the problem based on the information you've provided.  Remember, the firewall's interface will not reply to pings without a management profile that allows ping applied to that interface.

Best Regards,

Jared

The management profile of Ethernet1/1.96 is OK. The proof is that when I bypass the Virtual Wire by connecting the M7i directly to the LAN switch all pings succeed.

Does your monitor show the ping? Can you see the session from the CLI?

"show session all filter source xxx.xxx.xxx.xxx application ping"

L1 Bithead

The problem has been eliminated in version 4.0.5.

  • 4633 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!