12-17-2012 10:16 AM
Hello to everyone,
Recently I installed a new VM100 on ESXi 5.0 infrastructure, but during initial configuration I noticed that L3 subinterfaces cannot forward any traffic, even though I configured a virtual router and a policy with a permit all-any statement between the two subinterfaces (zones). On the VMware side, on the distributed switch, I created a trunk port group with 2 VLANs and mapped the third interface on the VM profile (ethernet1/2 on the VM100) to that port group. On the VM100 I split eth1/2 as L3 into two subinterfaces and bound IP addresses, VLAN tags and a vrouter to them. The MAC address for both subinterfaces is the same, inherited from the parent physical eth1/2, and it is visible on both VLANs (MAC tables on the external Cisco switches). An explicit policy was applied to forward any traffic between these two subinterfaces, but nothing is forwarded. From the CLI, the only thing I can see passing between the two subinterfaces is ping (#ping source (IP of one subint) host (IP of second subint)), but that is inside the routing engine.
If anyone has similar experience, please advise before I open a support case.
02-05-2013 04:35 AM
The problem was solved: the PAN-VM interface MACs need to be set on the VM profile, overriding the VMware generic MACs for every particular interface except Mgmt; otherwise it can't forward traffic at all.
12-17-2012 10:21 AM
Did you apply the license? It needs a valid license to forward traffic.
12-17-2012 11:42 AM
Hi,
yes, I applied all necessary licenses, obtained the serial number and upgraded to version 5.0.1.
02-05-2013 05:53 PM
i.e. you need to enable "promiscuous mode" on the port group/vSwitch where the firewall dataplane interfaces are connected. VMware has this disabled by default.
02-05-2013 11:57 PM
Hi,
I have already done this (promiscuous mode > Accept), but even after doing that, the interfaces can't forward until I override the MAC addresses in the VM profile.
03-13-2013 01:30 PM
Can we get an example of "nested MACs"?
05-31-2013 06:35 AM
What do you mean by "nesting on VM profile"?
05-31-2013 07:09 AM
Get a list of all of the interfaces and MAC addresses from PAN-OS with the CLI command "show interface all". Then shut down the VM-Series firewall with "request shutdown system". Finally, edit the virtual machine guest settings and take the MAC addresses that were listed in PAN-OS and hard-code them into the virtual machine: instead of "Automatic", change each adapter to "Manual" and use the PAN-OS provided MAC address.
Keep in mind that "Network adapter 1" is the management interface. So "Network adapter 2" should map to PAN-OS ethernet1/1, and go from there.
05-31-2013 07:18 AM
There is something I did not understand here.
When I look from ESX I see that the Ethernet MAC is automatic, that is OK, and there are MACs inside the box.
When I turn on the VM and run "show interface all" from the CLI,
I see different MAC addresses which start with 00:1b:17:xx:xx:xx.
Is there a way to change this MAC?
I also tried manual but nothing changed; always the same MAC comes up.
06-01-2013 01:31 AM
No, you cannot change these MACs. They are generated at the moment you license and register your device. Only the first interface (on the VM profile, Network adapter 1) has a MAC from the VMware pool, and that is the Mgmt interface; every additional interface (from adapter 2 to 10) needs to be overridden with the manual MACs you find with the CLI command "show interface all". Only when you register your device and put the MACs from the PAN pool on the VM profile do they forward traffic.
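The procedure described in the two answers above (list the dataplane MACs with "show interface all", shut the VM down, pin each vNIC to the PAN-OS MAC, remembering that Network adapter 1 is management), as an added example that is not from this thread or from Palo Alto Networks. It parses a constructed sample of the CLI output (the column layout only approximates what PAN-OS prints), maps ethernet1/N to "Network adapter N+1" as the posts describe, compares that against a constructed view of the VM's current adapter MACs, and emits PowerCLI lines to re-pin only the adapters that differ. The PowerCLI cmdlet usage (Get-NetworkAdapter / Set-NetworkAdapter -MacAddress) is an assumption to check against your PowerCLI version; nothing here talks to vSphere.

```python
import re
from typing import Dict, List

# Constructed sample of PAN-OS "show interface all" output. Not a capture from a
# real firewall; the columns only approximate the CLI layout.
SAMPLE_SHOW_INTERFACE_ALL = """\
total configured hardware interfaces: 3
name                    id    speed/duplex/state      mac address
--------------------------------------------------------------------------------
ethernet1/1             16    ukn/ukn/up(autoneg)     00:1b:17:00:01:10
ethernet1/2             17    ukn/ukn/up(autoneg)     00:1b:17:00:01:11
ethernet1/3             18    ukn/ukn/down(autoneg)   00:1b:17:00:01:12

total configured logical interfaces: 4
name                id    vsys zone        forwarding     tag   address
--------------------------------------------------------------------------------
ethernet1/1         16    1    outside     vr:default     0     10.0.0.1/24
ethernet1/2         17    1                N/A            0     N/A
ethernet1/2.10      260   1    vlan10      vr:default     10    10.10.10.1/24
ethernet1/2.20      261   1    vlan20      vr:default     20    10.10.20.1/24
"""

# Constructed view of the guest's current vNIC MACs: adapter 1 keeps its VMware
# management MAC (fine); adapters 2 and 4 are still VMware "Automatic" MACs.
SAMPLE_VM_ADAPTERS = {
    "Network adapter 1": "00:50:56:9a:00:01",
    "Network adapter 2": "00:50:56:9a:00:02",
    "Network adapter 3": "00:1b:17:00:01:11",   # already pinned correctly
    "Network adapter 4": "00:50:56:9a:00:04",
}

PAN_OUI = "00:1b:17"    # OUI the thread reports on VM-Series dataplane MACs
MGMT_ADAPTER = 1        # "Network adapter 1" is always the management interface

# Matches only the hardware table rows: name, id, speed/duplex/state, MAC.
_HW_LINE = re.compile(
    r"^(ethernet\d+/\d+)\s+\d+\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


def parse_dataplane_macs(show_output: str) -> Dict[str, str]:
    """{interface: mac} for physical ethernetX/Y rows in the hardware table.
    Subinterfaces (ethernet1/2.10) are skipped: they inherit the parent MAC
    and have no vNIC of their own, so there is nothing to pin for them."""
    macs: Dict[str, str] = {}
    for line in show_output.splitlines():
        m = _HW_LINE.match(line.strip())
        if m:
            macs[m.group(1).lower()] = m.group(2).lower()
    return macs


def adapter_for(interface: str) -> str:
    """ethernet1/N -> 'Network adapter N+1' (adapter 1 is management)."""
    port = int(interface.rsplit("/", 1)[1])
    return f"Network adapter {port + MGMT_ADAPTER}"


def expected_vm_macs(show_output: str) -> Dict[str, str]:
    """{adapter name: PAN-OS MAC} that the VM hardware should be pinned to."""
    return {adapter_for(i): mac for i, mac in parse_dataplane_macs(show_output).items()}


def find_mismatches(expected: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    """Adapters whose vSphere MAC is not the PAN-OS MAC (or that are missing)."""
    bad = [a for a, mac in expected.items() if actual.get(a) != mac]
    return sorted(bad, key=lambda a: int(a.rsplit(" ", 1)[1]))


def powercli_fix(vm_name: str, expected: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    """PowerCLI one-liners to re-pin only the mismatched adapters (assumed cmdlet
    usage). Refuses MACs outside the PAN OUI, which would point at a licensing
    problem rather than a vNIC problem."""
    cmds = []
    for adapter in find_mismatches(expected, actual):
        mac = expected[adapter]
        if not mac.startswith(PAN_OUI):
            raise ValueError(f"{adapter}: {mac} is not from the PAN OUI; re-check licensing")
        cmds.append(
            f'Get-VM "{vm_name}" | Get-NetworkAdapter -Name "{adapter}" | '
            f'Set-NetworkAdapter -MacAddress "{mac}" -Confirm:$false'
        )
    return cmds


if __name__ == "__main__":
    exp = expected_vm_macs(SAMPLE_SHOW_INTERFACE_ALL)
    for adapter in sorted(exp, key=lambda a: int(a.rsplit(" ", 1)[1])):
        print(f"{adapter:<18} {exp[adapter]}")
    print("mismatched:", find_mismatches(exp, SAMPLE_VM_ADAPTERS))
    print("\n".join(powercli_fix("pa-vm100", exp, SAMPLE_VM_ADAPTERS)))
```

Run the generated commands only with the firewall powered off, as the answer says; the comparison step is worth keeping as a post-change check, since a vNIC left on "Automatic" is exactly the silent failure the thread describes.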
10-22-2013 03:16 PM
Hi All,
I'm facing the same problem.
The thing is: the vSwitch is in promiscuous mode, I've set the PAN-VM MAC addresses manually in the VM settings, and the PAN-VM is licensed.
Any ideas to troubleshoot this?
Any help would be appreciated.
10-22-2013 10:27 PM
Hi,
At the moment of licensing, the VM generates its own pool (PAN vendor-specific) of MAC addresses, so I think you need to set those MACs on the VM profile. Only the mgmt interface can be auto-assigned and bound from the VMware MAC pool.
08-19-2015 12:45 PM
Just to add: I have no issues until I use L3 subinterfaces.
I have verified the tags are set and the MAC is set, and it is still not passing traffic.
So I wonder, aside from the tag, if there are L3 subinterface related settings we might be missing?
Cheers-
Don
08-20-2015 08:59 AM
Hello again, I found the issue after a night's rest. I needed to go to the virtual switch properties and set the VLAN tag to "All (4095)".
Now I am good to go.
regards,
Don