This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

About Susan_Avxt

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Susan_Avxt
‎12-19-2020
since ‎12-15-2020
L1 Bithead
User Activity
User Profile
User Badges
Community Statistics
Member Since ‎12-15-2020 09:41 PM
Date Last Visited ‎12-19-2020 02:49 PM
Posts 5

Re: Ping Packets dropped: forwarded to different zone

by in General Topics
‎12-16-2020 11:33 PM
‎12-16-2020 11:33 PM
This the first topology previous post didn't show correctly. ... View more

Ping Packets dropped: forwarded to different zone

by in General Topics
‎12-16-2020 11:31 PM
‎12-16-2020 11:31 PM
    1. All the units in above diagram are AWS EC2s. Pinging from Ubuntu10_20_61_16     to Ubuntu10_60_0_100 failed due to echo reply dropped on PA-VM.   admin@PA-VM> show counter global filter packet-filter yes delta yes severity drop Global counters: Elapsed time since last sampling: 1.16  seconds name                                   value     rate severity  category  aspect    description -------------------------------------------------------------------------------- flow_fwd_zonechange    1      0 drop      flow      forward   Packets dropped: forwarded to different zone -------------------------------------------------------------------------------- Total counters shown: 1   2. Following is the routing info.   admin@PA-VM> show routing route flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,        Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast VIRTUAL ROUTER: vr1 (id 1)   ========== destination                                 nexthop                                 metric flags      age   interface          next-AS 0.0.0.0/0                                   10.20.10.1                              10     A S              ethernet1/1 10.20.10.0/24                           10.20.10.50                             0      A C              ethernet1/1 10.20.10.50/32                         0.0.0.0                                     0      A H 10.20.61.0/24                          10.20.61.195                            0      A C              ethernet1/2 10.20.61.195/32                      0.0.0.0                                      0      A H 10.60.0.0/24                            0.0.0.0                                     10     A S              tunnel.1 total routes shown: 6   3. Following is the Zones info   4. Following is the security policies info.    5. From the log below, we can see when ping from 10.20.61.16 to 10.60.0.100. it is from Pub-zone to VPN zone. ping packet goes from e1/2 to e1/1, then e1/1 goes to tunnel.1. But seems ping reply didn't take path, tunnel.1-->e1/1--->e1/2.   admin@PA-VM> test routing fib-lookup ip 10.20.61.16 virtual-router vr1 -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: vr1 destination: 10.20.61.16 result: interface ethernet1/2, source 10.20.61.195 -------------------------------------------------------------------------------- 6. Guess ping reply didn't  go the right path. So got "Packets dropped: forwarded to different zone". 7. There is no NAT rules on PA-VM. How to fix this issue? Thanks for sharing your thoughts! ... View more

Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

by in General Topics
‎12-16-2020 09:49 PM
‎12-16-2020 09:49 PM
I found the issue. I need to set "change Sourece/Dest. Check" disable on the Network Interfaces.  ... View more

Re: Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

by in General Topics
‎12-16-2020 09:54 AM
‎12-16-2020 09:54 AM
Thanks, Laurence64. Following is the information. PA-VM side: routing   min@PA-VM> show routing route VIRTUAL ROUTER: vr1 (id 1) ==========ive, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, destination nexthop metric flags age interface next-AS 0.0.0.0/0 10.20.10.1 10 A S ethernet1/1 10.20.0.0/16 10.20.61.61 10 A S ethernet1/2 10.20.10.0/24 10.20.10.50 0 A C ethernet1/1 10.20.10.50/32 0.0.0.0 0 A H 10.20.61.0/24 10.20.61.61 0 A C ethernet1/2 10.20.61.61/32 0.0.0.0 0 A H 10.60.0.0/24 0.0.0.0 10 A S tunnel.1 total routes shown: 7   Rule: I have permitall Zone:     Ubuntu side routing ubuntu@ip-10-20-61-81:~$ ip route default via 10.20.61.1 dev eth0 proto dhcp src 10.20.61.81 metric 100 10.20.61.0/24 dev eth0 proto kernel scope link src 10.20.61.81 10.20.61.1 dev eth0 proto dhcp scope link src 10.20.61.81 metric 100   ubuntu@ip-10-20-61-81:~$ sudo iptables -L -v -n Chain INPUT (policy ACCEPT 102 packets, 8410 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 95 packets, 8894 bytes) pkts bytes target prot opt in out source destination   ... View more

Ubuntu connected with PA firewall (AWS instance) trusted network can't ping untrusted network

by in General Topics
‎12-15-2020 11:09 PM
‎12-15-2020 11:09 PM
  My PA-VM is AWS EC2 instance using software version 10.0.2.  10.20.10/24 is VPC's public subnet, 10.20.61/24 is VPC's private subnet. Ubuntu10.20.61.81 can ping 10.20.61.61, but can't ping 10.20.10.0/24 network.  Ubuntu 10.60.0.100 can ping 10.20.61.61, but can't ping 10.20.61.81. I have allow 10.60.0.0/24 in the ubuntu10_20_61_81 Security Group. What do I miss for the configuration? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎12-19-2020 02:49 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks