About seb_rupik

Hi there, The fact you can ping in one direction proves, as you say, that the VPN is working, but also the routing between those subnets. Since the initialisation of the traffic flow is only working in one direction suggests this may be a security policy issue.  Can you confirm that inter-zone policy between the VPN and 'inside' zone exists. Also check there is an equivalent NSG in Azure on the VNET is you have it implemented.   cheers, Seb. ... View more

Hi there, I don't believe having the root-bridge for VLAN10 else where is causing your problem. I was just trying to picture your topology. I you could share the debug output during a failover event, that would be a great next step.   cheers, Seb. ... View more

Hi there,  Thanks for the output. Can I assume that Gi1/0/4 connects to the other firewall in the cluster? What it connected to Gi1/0/1 ? Why is that the root-bridge for VLAN10 ? It would be interesting to run debug spanning-tree event on the switch during a firewall failover to see what the switch thinks is happening?  I don't think you've given the detail, but is this a 'U' shape deployment, with each firewall in the cluster connected to a different switch and a cross link between the switches? The switches are logically separate?   cheers, Seb. ... View more

Hi there, If the firewall HA Passive link state set to auto? This should set the link state to UP for the passive firewall. The switchport on the other end should be in a Forwarding state if PortFast has been enabled. Were you able to gather the switch output requested before?   cheers, Seb. ... View more

Hi there, Which virtual router is Eth1/4 a member of? From your description it sounds like you have three virtual routers, default(?), Private and PrivateDMZ. Have you configured routing between them? Have you configured security policies to allow the required traffic between the VRs?   cheers, Seb. ... View more

Hi there, For that desired setup to work, each IP interface must have a /16 netmask, but that is not possible when they share the same routing table. Also, how would a local host simultaneously communicate with hosts on-link and in another VLAN which shares the same /16 subnet. The best you could hope for is to configure a 1:1 static NAT where let say: VLAN901 172.27.0.0/16 is NAT'd using a source pool of 172.60.0.0/16 VLAN901 172.27.0.0/16 is NAT'd using a source pool of 172.61.0.0/16 ..etc...   You would then advertise the NAT pools between the VRs, but again as you point out, you only have 10 VRs to use. Can you get hold of another PA and perhaps route these NAT pools between them?   cheers, Seb. ... View more

Hi there, All of VLANs share the same /16 IP address space, but you have configured the VLAN interface as a /30. The interface will not ARP for addresses outside of its /30 . Does this setup actually work on a per-VLAN basis??  Upon reading the question I was going to point out that you can't create multiple VLAN interfaces which exist within the same /16 subnet. You could share the same /16 allocation and carve it (multiple /21's) up between the interfaces, but this would require the connected hosts to have their netmasks and gateway address configured. But would allow the host to share the same classful /16 address.   The only other solution is to use multiple virtual routers (VRs), as this will allow you to have identical IP interfaces on the device. You would need to configure unique loopback interface within each VR and advertise that /32 address between the VRs. Then configure source NAT for the /16 hiding it behind the local /32. The only problem with this solution is the platform limitation for the number of configurable VRs   cheers, Seb. ... View more

Hi there, Once you configure a Layer2 sub-interface you are creating a trunk link and 802.1q will be enabled, using the 'tag' value as the VLAN ID on the encapsulated frame.  An access port if you think about doesn't really need a VLAN tag, as it is never imposed on the frame, they arrive and leave untagged.  The VLAN tag/ ID is there purely to identify which virtual-bridge the frames belong to.   The object created under Network -> Interfaces -> VLAN is not a subinterface. I see you confusion as it prepends a digit to the interface name. The interface here is a SVI/ IRB . If you have configured your firewall interfaces all as Layer2, then yes you will need these for inter-VLAN routing. You can have a mix of routed Layer 3 interfaces (dedicated or subinterface) and VLAN interfaces for inter-VLAN routing, depending on your topology.   cheers, Seb. ... View more

Hi @dgsans , That time window sounds eerily close to the STP forward delay timer. Can you share the output from both switches of: show interface <firewall_uplink> switchport show spanning-tree vlan <firewall_trunk_vlans>   cheers, Seb. ... View more

Hi there, Unless you intend to rollback to the base image, it is safe to delete. It is good practice to retain the software images which would allow you to rollback after an upgrade, but after several months on a new version with sufficient testing it would be safe to delete it if you were having disk capacity issues.   cheers, Seb. ... View more