This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Gateway side not seeing Satellite published subnet

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Gateway side not seeing Satellite published subnet

jjfranzen
L0 Member

‎07-22-2020 12:57 PM

I've just set up a PA-850 as a satellite to my main 3050 and the connection seems good. All the subnets published by the Gateway can be seen by systems on the Satellite side. However, the subnet being published by the Satellite can't be seen on the Gateway side. According to the Satellite Info section of the GP Gateway, it does see the satellite is publishing the subnet, but I can't ping anything on the subnet, even from the PA-3050's cli. Looking at the runtime routing stats, I do see that subnet as being routed to the next hop of the IP for the IPSec tunnel that was established when the satellite connected. So, even that looks proper. I have rules to allow traffic both to and from the zone created for the satellites, and since I am getting traffic from one direction I have to assume this is some kind of simple misconfig somewhere that is keeping the gateway side from properly routing across the tunnel to the satellite. Any suggestions as to where I can look to nail this down would be appreciated since both of my VAR's PAN experts have been stumped by this...

 

Cheers,

 

J. J. Franzen

0 Likes Likes
1 REPLY 1

jjfranzen
L0 Member

‎07-23-2020 05:18 PM - edited ‎07-23-2020 05:58 PM

I think I sorted this. I had to make a specific zone for the satellite tunnel and rules to pass traffic to and from that zone to the trust, and now I can see the system on the satellite site from the gateway side. Now for the last hurdle.

 

How do I get someone on one satellite to be able to see the systems published by another satellite through a common gateway? 

 

For example, on one satellite, I have a subnet of 192.168.5.0/24 being published down the tunnel.

On another, I have 10.0.5.0/24 being published. 

 

The gateway can see systems on both of the respective subnets. However, systems on one satellite subnet can NOT see systems on the other satellite subnet. Do I need to add some kind of routing or NAT to bridge the two? I had hoped the gateway would handle all that...

0 Likes Likes
  • 1977 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks