VM100 Base config CLI only

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VM100 Base config CLI only

L1 Bithead

HI all,

 

Hope i can find someone amazing out there.

We have a VM100 that can only be configured from CLI as the provider that does not support any way to access a VM or webUI

I spent 4 hours on the phone with Palo Alto support and they could not help me.

Quick Break down.

RobC-AU_0-1603774892727.png

simple /30 link using vlan 948

Palo Alto ip 172.20.0.82 

MPLS ip 172.20.0.81

RobC-AU_1-1603774967244.png

 

Here is the base config i set :

 

set network profiles interface-management-profile Trusted http no https yes ping yes response-pages yes snmp yes ssh yes telnet no
set network profiles interface-management-profile Partner http no https no ping yes response-pages no snmp no ssh no telnet no
set network profiles interface-management-profile Untrusted http no https no ping no response-pages no snmp no ssh no telnet no
set network interface ethernet ethernet1/1 link-state auto link-duplex auto link-speed auto layer3 units ethernet1/1.948 tag 948 interface-management-profile Trusted ip 172.20.0.82/30
set network virutal-router VirutalRouter1 interface ethernet1/1.948
set zone MPLS network layer3 ethernet1/1.948
set deviceconfig system ip-address 10.120.100.254 netmask 255.255.255.0 default-gateway 10.120.100.1 dns-setting servers primary 8.8.8.8 secondary 4.4.4.4

Commit

 

No replies when i ping 

 

Any help would be great.

Just remmeber no webUi 😞 

 

 

5 REPLIES 5

Community Team Member

Hi @RobC-AU ,

 

I have no idea what you've tested with support but I'll go for some of the obvious :

 

How are you pinging ? Are you pinging from the correct source IP or from your management IP and is a security policy required to allow the ping ?

Do you see your ping egressing the correct interface ? Does the ping arrive at the destination ?

Do you see specific global counters rising that could explain why it's failing ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi Kiwi,

Thanks for your reply.

I tried pining from the conencted interface EG:

Ping source 172.20.0.82 host 172.20.0.81

 

That way no default interzone transfer rules will block the traffic.

If i do a show coutners i do get Total counter increasing

show counter global filter delta yes 

2.png

 

From the managment interface

ping source 10.120.100.254 host 172.20.0.81

3.png

 

I get no counter increase from managment interface.

 

As for seeing pings at  the other side that is inside the Service providers network and they said they cant tell me what traffic is arrive but they can see traffic increasing when i ping.

 

Currently i have not configured any secuirty policys other then the 3 managment policys.

 

Any help would be great most the time Palo Alto support knock this kinda of stuff out of the park. 

Does the provider block icmp on their device?
Does the provider see an arp entry for your device? If so, does it match the MPLS facing mac address?
Are you connected to the PA via some virtual console or direct SSH? If you're on a console, can you ping 10.120.100.1 from the management interface?

Connecting via a virtual console. And not a great one no copy and paste functions 😞

 

From inside the MPLS network i can ping 172.20.0.81 IP address. 

RobC-AU_0-1603839167344.png

but unable to ping 172.20.0.82

I have configured the network port as a managment port. so i wont be using the gateway of the managment interface.

I made sure that i have a management profile attached to the interface to allow ping and so on.

RobC-AU_1-1603839656175.png

 

I have tried tagged and untagged interfaces on the correct vlans. 😞

Worked it out,

 

set system setting dpdk-pkt-io off

 

then reboot

All working now

Thank you all so much for your help

  • 3016 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!