I'm trying to bring up a new PAN-OS 11.1 instances in AWS, installed from aws-marketplace/PA-VM-AWS-11.1.0-f1260463-68e1-4bfb-bf2e-075c2664c1d7. I am able to reach the management IP address, both SSH and the web UI are working. However the two intended network interfaces never appear in "show interface all" nor in the UI Network > Interfaces > Ethernet.
I created three subnets within the VPC and three Elastic Network Interfaces, which are attached to the EC2 instance.
From the AWS EC2 instance tab:
|
Interface ID
|
Description
|
IPv4 Prefixes
|
IPv6 Prefixes
|
Public IPv4 address
|
Private IPv4 address
|
Attachment status
|
VPC ID
|
Subnet ID
|
Source / destination check
|
Security groups
|
Interface type
|
|---|---|---|---|---|---|---|---|---|---|---|---|
|
eni-09c...
|
MGMT | – | – | 52.25.x.y | 10.0.6.71 | attached |
vpc-0d2...b90
|
subnet-036...
|
enabled |
sg-093...
|
Elastic network interface |
|
eni-062...
|
WAN | – | – | 35.82.x.y | 10.0.64.130 | attached |
vpc-0d2...b90
|
subnet-025...
|
disabled |
sg-083...
|
Elastic network interface |
|
eni-06b...
|
LAN | – | – | – | 10.0.137.103 | attached |
vpc-0d2...b90
|
subnet-03c...
|
disabled |
sg-07f...
|
Elastic network interface |
--------
In "show system state" I see the MAC addresses of the Elastic Network Interfaces I expect. sys.s1.p1.hwaddr is the MAC address of eni-062... intended for the WAN, and sys.s1.p2.hwaddr is the MAC address of eni-06b... intended for the LAN.
admin@PA-VM> show system state
…
sys.s1.p1.bus: 0000:00:06.0
sys.s1.p1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, 10Gb/s-half, 10Gb/s-full, 25Gb/s-half, 25Gb/s-full, 40Gb/s-half, 40Gb/s-full, 100Gb/s-half, 100Gb/s-full, ]
sys.s1.p1.cfg: { 'breakout': False, 'fec': 0, 'mode': Disabled, 'pause-frames': True, 'setting': auto, }
sys.s1.p1.detail: { }
sys.s1.p1.driver: net_ena
sys.s1.p1.eni:
sys.s1.p1.hwaddr: 06:71:1a:54:54:9d
sys.s1.p1.mtu: 1504
sys.s1.p1.phy: { 'link-partner': { }, 'media': CAT5, 'type': Ethernet, }
sys.s1.p1.rate: { 'duration': 28560, 'last-sample': 2023-12-23 22:18:40, 'rx-broadcast': 0, 'rx-bytes': 0, 'rx-multicast': 0, 'rx-unicast': 0, 'tx-broadcast': 0, 'tx-bytes': 0, 'tx-multicast': 0, 'tx-unicast': 0, }
sys.s1.p1.state: board_port_autoneg
sys.s1.p1.stats: { 'link-down': 0, 'rx-broadcast': 0, 'rx-bytes': 22824, 'rx-discards': 0, 'rx-error': 0, 'rx-missed-error': 0, 'rx-multicast': 0, 'rx-unicast': 523, 'tx-broadcast': 0, 'tx-bytes': 0, 'tx-error': 0, 'tx-multicast': 0, 'tx-unicast': 0, }
sys.s1.p1.status: { 'link': Down, 'mode': Disabled, 'pause-frames': True, 'setting': Unknown, 'type': RJ45, }
…
sys.s1.p2.bus: 0000:00:07.0
sys.s1.p2.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, 10Gb/s-half, 10Gb/s-full, 25Gb/s-half, 25Gb/s-full, 40Gb/s-half, 40Gb/s-full, 100Gb/s-half, 100Gb/s-full, ]
sys.s1.p2.cfg: { 'breakout': False, 'fec': 0, 'mode': Disabled, 'pause-frames': True, 'setting': auto, }
sys.s1.p2.detail: { }
sys.s1.p2.driver: net_ena
sys.s1.p2.eni:
sys.s1.p2.hwaddr: 06:62:fb:e5:5e:9f
sys.s1.p2.mtu: 1504
sys.s1.p2.phy: { 'link-partner': { }, 'media': CAT5, 'type': Ethernet, }
sys.s1.p2.rate: { 'duration': 28560, 'last-sample': 2023-12-23 22:18:40, 'rx-broadcast': 0, 'rx-bytes': 0, 'rx-multicast': 0, 'rx-unicast': 0, 'tx-broadcast': 0, 'tx-bytes': 0, 'tx-multicast': 0, 'tx-unicast': 0, }
sys.s1.p2.state: board_port_autoneg
sys.s1.p2.stats: { 'link-down': 0, 'rx-broadcast': 0, 'rx-bytes': 21252, 'rx-discards': 0, 'rx-error': 0, 'rx-missed-error': 0, 'rx-multicast': 0, 'rx-unicast': 506, 'tx-broadcast': 0, 'tx-bytes': 0, 'tx-error': 0, 'tx-multicast': 0, 'tx-unicast': 0, }
sys.s1.p2.status: { 'link': Down, 'mode': Disabled, 'pause-frames': True, 'setting': Unknown, 'type': RJ45, }
However no interfaces appear in "show interface all" and the Web UI never shows their status as green.
admin@PA-VM> show interface all
total configured hardware interfaces: 0
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
aggregation groups: 0
total configured logical interfaces: 0
name id vsys zone forwarding tag address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
--------
In other posts I've read that this means the interface is not configured. I set the interface type of the first two Ethernet interfaces to Layer3, created a management profile which allows ICMP ping, and set their IP address to use DHCP.
The ENI which I'm intending as the WAN interface has a public IPv4 Elastic IP address associated with it, which I would expect means AWS should respond to a DHCP request for that interface at least.
--------
I've rebooted the EC2 instance multiple times, including going all the way to Stopping the instance and then Starting it again to ensure any new device tree will be properly handled at boot.
I'm running out of ideas of what to try. What else could be preventing PAN from seeing these links as configured and active?
