I've been on the phone with support for the last few days and I am having the EXACT same issue. Same PAN-OS and AnyConnect version. I think it has something to do with the regex setting looking at the first IP, which should be public, but I'm not sure. I wish I knew regex better. Someone PLEASE HELP!
I have been successful in deploying this type of setup and communicating between secondary VLANs that were associated with different primaries. What girvin is talking about is something I was trying to accomplish as well and was unsuccessful. I wanted to have 2 secondary VLANs associated to the same primary and regulate communication between the two. The issue seems to be something to do with how the Palo Alto responds to proxy ARP, or the lack thereof. My setup was like this:

Cisco Nexus:
- interface e1/1: promiscuous trunk with correct mappings

PAN:
- int e1/1 (tried with aggregate ethernet as well) > layer 2 > associated to a VLAN I called vlan-bridge
- int e1/1.100 > layer 2 > Tag 100 > vlan vlan.100 --> vlan.100 was then assigned an IP address

Now that I think about it, the physical and subinterfaces were in the same security zone. I ran out of time and had to go a different route. I wonder if having them in different security zones would be the issue? If anyone out there has some insight, please share.