10-26-2020 10:14 PM
Hope i can find someone amazing out there.
We have a VM100 that can only be configured from CLI as the provider that does not support any way to access a VM or webUI
I spent 4 hours on the phone with Palo Alto support and they could not help me.
Quick Break down.
simple /30 link using vlan 948
Palo Alto ip 172.20.0.82
MPLS ip 172.20.0.81
Here is the base config i set :
set network profiles interface-management-profile Trusted http no https yes ping yes response-pages yes snmp yes ssh yes telnet no
set network profiles interface-management-profile Partner http no https no ping yes response-pages no snmp no ssh no telnet no
set network profiles interface-management-profile Untrusted http no https no ping no response-pages no snmp no ssh no telnet no
set network interface ethernet ethernet1/1 link-state auto link-duplex auto link-speed auto layer3 units ethernet1/1.948 tag 948 interface-management-profile Trusted ip 172.20.0.82/30
set network virutal-router VirutalRouter1 interface ethernet1/1.948
set zone MPLS network layer3 ethernet1/1.948
set deviceconfig system ip-address 10.120.100.254 netmask 255.255.255.0 default-gateway 10.120.100.1 dns-setting servers primary 220.127.116.11 secondary 18.104.22.168
No replies when i ping
Any help would be great.
Just remmeber no webUi 😞
10-27-2020 06:02 AM
Hi @RobC-AU ,
I have no idea what you've tested with support but I'll go for some of the obvious :
How are you pinging ? Are you pinging from the correct source IP or from your management IP and is a security policy required to allow the ping ?
Do you see your ping egressing the correct interface ? Does the ping arrive at the destination ?
Do you see specific global counters rising that could explain why it's failing ?
10-27-2020 06:58 AM
Thanks for your reply.
I tried pining from the conencted interface EG:
Ping source 172.20.0.82 host 172.20.0.81
That way no default interzone transfer rules will block the traffic.
If i do a show coutners i do get Total counter increasing
show counter global filter delta yes
From the managment interface
ping source 10.120.100.254 host 172.20.0.81
I get no counter increase from managment interface.
As for seeing pings at the other side that is inside the Service providers network and they said they cant tell me what traffic is arrive but they can see traffic increasing when i ping.
Currently i have not configured any secuirty policys other then the 3 managment policys.
Any help would be great most the time Palo Alto support knock this kinda of stuff out of the park.
10-27-2020 02:20 PM
Does the provider block icmp on their device?
Does the provider see an arp entry for your device? If so, does it match the MPLS facing mac address?
Are you connected to the PA via some virtual console or direct SSH? If you're on a console, can you ping 10.120.100.1 from the management interface?
10-27-2020 09:17 PM
Connecting via a virtual console. And not a great one no copy and paste functions 😞
From inside the MPLS network i can ping 172.20.0.81 IP address.
but unable to ping 172.20.0.82
I have configured the network port as a managment port. so i wont be using the gateway of the managment interface.
I made sure that i have a management profile attached to the interface to allow ping and so on.
I have tried tagged and untagged interfaces on the correct vlans. 😞
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!