PA firewall conencting to the CISCO router in VRF lite

Tech_pp · ‎01-04-2023

Trying to connect a cisco 9300 device with 2 VRF's accross the PA firewall. the PA firewall can not ping the attached 9300 interface in a VRF. IF the interface is taken out of the VRF the connectivity works.

Dose any one know whats causing this

TomYoung · ‎01-04-2023

Hi @Tech_pp ,

Given the small amount of information, I have to make certain assumptions.

If you can ping outside the VRF...

the interface and VLAN configurations are probably correct, and
L2 connectivity is good, and
the Management Profile (if pinging the NGFW) is probably correct.

It sounds like an issue with the C9300. No changes are made on the NGFW between working and not. You may need to go to the Cisco forum. However, I will add a couple thoughts.

Placing a VLAN interface inside a VRF is only one command, "ip vrf forwarding VRF_NAME", and it would fail if the VRF were not created. You should get a warning the IP address has been removed and needs to be re-added.

Network Advantage is required for VRFs on the C9300. What does "show license summary" show on your C9300? I don't know if you would get an error if you tried to create a VRF without the proper license.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Tech_pp · ‎01-04-2023

Hi Tom,

The setup Is as below

PA firewall is connected with point to point physical connections to a 9300
1 connection (Inside) is in 1 VRF and the other (Outside) in the other VRF (Default)

I cant ping from the other end of the link from the firewall when the interface on the 9300 is in a VRF, if I move it out of the ver and place it in the default the IP reachability is established.

Is there a specific config I am missing or required on the PA for connecting into a VRF? I did not think so since VRF is a local concept. (The PA are in active/active setup). I can't get this connectivity for Primary as well as secondary)

The config on the 9300 is good in my opinion
Interface is allocated to a VRF and given an IP address (/30)

Thanks & best regards
Prasanna Patki
#CCIE (RS, Sec, DC)

TomYoung · ‎01-04-2023

Hi @Tech_pp ,

Could you verify the license on the C9300 as requested before? That's the only thing I can think of right now.

So you are placing the IP addresses on the interfaces and not using VLANs? Then what I said earlier still applies to the physical interfaces and not the VLAN interfaces.

You are correct in that no configuration is required on the NGFW for the VRF. The VRF is local to the C9300.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Tech_pp · ‎01-04-2023

The cat is having an advantage License.

The ip is on a l3 point to point no svi's

My thoughts as well. it is in my lab so will go through it again to see what the issue is. May be some thing to do with clustering Active/Active

Will keep yo uposted here

Regards

Prasanna

Unlock your full community experience!

PA firewall conencting to the CISCO router in VRF lite

PA firewall conencting to the CISCO router in VRF lite

Show your appreciation!