We have been trying to troubleshoot an issue for a couple of weeks now. We seem to have found the issue, but it doesn't make sense. I'm hoping someone can shed some light on this:

First off, we have a pair of PAN-4020s in HA @ 3.1.9. I'm going to oversimplify the situation, but I think the logic will hold:

Segments A, B and C
- Segment A is a user segment with 2 routers (layer 3 switches), in serial, between the test user and the PAN
- Segment B is our connection to the Internet via a Cisco router connected to the PAN
- Segment C is a Data Center segment with one router (layer 3 switch) between the servers and the PAN

It's all layer 3, so this doesn't matter much, but Segments A, B and C hit the PAN on different interfaces. Segment C also has a load balancer on it (same device as the layer 3 switch).

- Users on Segment A are dynamically NAT'd ("many" users to 1 public address)
- Servers on Segment C are 1:1 static NAT'd
- The load balancer uses public addresses; all users access the servers via the public address, whether local or from the Internet.

------------

The issue:
- From a workstation on Segment A, if I web/ssl to a server on Segment C it works fine (there is a policy allowing this)
- From a workstation on Segment A I can go out on the Internet (obviously also a policy)
- From a workstation on Segment A, if I try to traceroute to a server (public or private address) on Segment C it fails.

This is where the confusion lies... There is not a policy allowing ping/icmp from A to C. What I don't understand is that I do NOT see any failures in the logs from the workstation on A (either its public or private address) to the server on C (also checking both public and private addresses). ALSO, the traceroute goes off to the Internet (Segment B) and eventually fails rather than heading toward Segment C.

Lastly, once I do put an explicit policy in place allowing icmp/ping (and SSH for that matter) from Segment A to Segment C, everything is happy.
I don't understand how a security policy is impacting routing paths.