AWS VM-series - untrust interface - eating packets


L2 Linker

Hi Guys,

 

I am working on an inbound (from the internet) flow on the VM-series untrust interface directly.

 

Set up -

VM-series FW - 3 interfaces -- Mgmt, Untrust, Trust

 

Client -> Internet GW -> EIP -> Firewall untrust interface - eth1/1 -> (SNAT - eth1/2; DNAT - server private IP) -> Server

 

In the monitor log, I can see the SNAT & DNAT taking place, traffic being allowed by Security rule.

 

But nothing is getting forwarded to the server ... no packets are received on the server side.

 

I have checked routes:

default - 0.0.0.0/0 -- exit thru untrust -> IGW

private subnet - 10.x.x.x/24 -- thru Trust interface

 

Is this not bound to work when directly attaching the EIP to the untrust interface? The same set-up works fine with an NLB (network load balancer) in front of the VM-series FW (untrust interface).

 

Just to note - I have already opened a TAC support case, with no luck -- too much back and forth of info sharing, with zero constructive suggestions 😞

 

++ @jmeurer  -- Any suggestions??

 

9 REPLIES

L3 Networker

Hi @abhishah03,

 

Sorry to hear that you had no luck with our TAC team.

 

The problem you describe could have many causes.

- Did you check your Security Groups on all interfaces?

- Did you review all route tables to confirm the traffic gets forwarded correctly?

- Did you already ask AWS TAC whether they can see the packets, and could they explain to you why the packets didn't reach the client host?

 

Regards,

Torsten  

"With unity we can do great things"

@tostern  -- Please find the answer inline -

 

- Did you check your Security Groups on all interfaces? -- SGs are set properly; hence the packets are reaching the PA firewall, and the logs reflect the same (AWS flow logs, PA monitor logs)

- Did you review all route tables to confirm the traffic gets forwarded correctly? -- Routes are straightforward --- 2 routes on the virtual router --

default - 0.0.0.0/0 -- exit thru untrust -> IGW

private subnet - 10.x.x.x/24 -- thru Trust interface -- 10.0.0.1

 

- Did you already ask AWS TAC whether they can see the packets, and could they explain to you why the packets didn't reach the client host? -- The reason needs to be explained by PA, I believe; the packets are reaching the firewall, but not exiting from there :(.

L3 Networker

@abhishah03 

 

So you can see that the packet is leaving the PAN FW, but you don't get any return traffic?

Did you check the AWS route tables, and are you sure you don't have any SG on the server that could block the traffic?

 

Regards,

Torsten

"With unity we can do great things"

Nope, I can only see the packet entering the PA FW ...

L3 Networker

@abhishah03 please send me an email at tostern@paloaltonetworks.com; then I want to have a deeper look into it.

Afterwards we can share here the solution of the problem.

 

Regards,

Torsten

"With unity we can do great things"

I've just sent you an email with all the details. Pls check & suggest.

 

The interesting part is that everything works fine with the traffic ingress point changed to an AWS NLB, rather than utilizing the EIP of the untrust NIC.

L2 Linker

Make sure your SNAT rule is set with the original packet set to the untrust private IP and not the EIP.  AWS SNATs on the way in and firewall sees the packet after the EIP translation.  Also, ensure both interfaces are added to the VR.

 

Yup, that's already in place.

 

Using the private (untrust) IP in NAT; also, both interfaces are added to the VR.

 

 

L2 Linker

@abhishah03 what was the solution to your problem? Pls advise the steps so we can also benefit from it.
