So let's assume I am a network engineer and I understand routing, because I do.

Eth1/1 - Zone Untrust - IP: 10.153.1.6/29
AE1 - Zone Trust - IP: 10.153.0.1/29
Vrouter - default - Static route - 0.0.0.0/0 next hop 10.153.1.1/29 (CloudGenix SD-WAN)

AE1 is connected to a Layer 3 Cisco 3650. Ports connected to the AE1 interfaces are on vlan 3101. The Cisco switch has interface vlan 3101 IP: 10.153.0.2. Default route on the Cisco switch: 0.0.0.0 0.0.0.0 10.153.0.1. The Palo Alto Vrouter is peering OSPF with the Cisco layer 3 switch for all internal networks.

Eth1/1 is connected to a switch that is bridging the active/passive PAs with the CloudGenix SD-WAN device (all on vlan 3000). I created an SVI on this switch: interface vlan 3000 IP: 10.153.1.2.

From the firewall CLI:

admin@CEN-EDGE-PA-01(active)> ping source 10.153.1.6 host 10.153.1.2
PING 10.153.1.2 (10.153.1.2) from 10.153.1.6 : 56(84) bytes of data.
--- 10.153.1.2 ping statistics ---
30 packets transmitted, 0 received, 100% packet loss, time 29015ms

So this is telling me the outside interface of the Palos cannot even get to the connected switch.....

Interfaces have a Mgmt profile that allows the network services SNMP and ping. Policy allows ICMP and traceroute. Routing says default route to the SD-WAN device; routes to internal subnets go to 10.153.0.2, which is the SVI on the Cisco 3650 connected to the AE1 interfaces on the Palo.
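A quick layer-3 sanity check over the addresses given in the post above (added example, not code from the poster or from Palo Alto): it confirms whether the ping target and the default next hop sit inside a directly connected subnet of the firewall. If they do, the 100% loss cannot be a routing problem and the search moves down to layer 2 (VLAN 3000 membership and tagging on the bridging switch, HA link state, ARP) or to the interface management profile. Interface names and the `INTERFACES`/`STATIC_ROUTES` tables are constructed from the post.

```python
import ipaddress

# Layer-3 facts as stated in the post (constructed table, interface -> address/prefix).
INTERFACES = {
    "ethernet1/1 (Untrust)": "10.153.1.6/29",
    "ae1 (Trust)": "10.153.0.1/29",
}
# Static routes from the post: destination -> next hop (default points at the SD-WAN box).
STATIC_ROUTES = {"0.0.0.0/0": "10.153.1.1"}


def on_link_interface(target: str):
    """Return the name of the interface whose connected subnet contains target, else None."""
    ip = ipaddress.ip_address(target)
    for name, cidr in INTERFACES.items():
        if ip in ipaddress.ip_interface(cidr).network:
            return name
    return None


def next_hop_is_connected(next_hop: str) -> bool:
    """A static route is only usable if its next hop is on a directly connected subnet."""
    return on_link_interface(next_hop) is not None


def diagnose_ping(source: str, target: str) -> str:
    """Classify a failed ping: is it a routing issue or something below/around layer 3?"""
    src_if = on_link_interface(source)
    dst_if = on_link_interface(target)
    if src_if is None:
        return "source address is not on any configured interface"
    if dst_if == src_if:
        # Same /29: the firewall ARPs directly, no route is consulted.
        return ("on-link via %s: routing is not the cause; check VLAN/trunk on the bridging "
                "switch, HA link state, ARP, and the interface management profile" % src_if)
    if dst_if is not None:
        return "target is on-link via a different interface (%s)" % dst_if
    return "target is off-link: check the routing table and next-hop reachability"


if __name__ == "__main__":
    print(diagnose_ping("10.153.1.6", "10.153.1.2"))
    print("default next hop connected:", next_hop_is_connected(STATIC_ROUTES["0.0.0.0/0"]))
```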