02-11-2020 08:35 AM
Hello, I'm currently doing a POC for a Transit VPC setup in AWS with VM-Series firewalls and noticed that the default route is not propagated to the subscriber VPC routing tables. All the other subnets are propagating. I followed https://www.paloaltonetworks.com/resources/guides/aws-transit-vpc-model-deployment-guide as is, but I'm using PAN-OS 9.1 and in the guide they used 8.1.4. Any idea what I could have been missing?
The show routing protocol bgp rib-out command doesn't show the default (0.0.0.0/0) either.
02-11-2020 10:11 PM
I labbed it with a single firewall running 9.1 and the 0/0 exported to the VPC route table as expected. Please post screenshots of your VR BGP settings and AWS route table for review.
Where is your 0/0 route configured in your firewall? Do you have a static to the first IP in the subnet or do you have DHCP configured to Automatically create the default route?
02-11-2020 08:45 AM
There is an additional step necessary to export the 0/0 route. Please have a look at this article.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltUCAS
02-11-2020 10:07 AM
Do you have an existing 0/0 static in the VPC route table? We will not override that route.
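The two conditions raised in this thread, an existing static 0/0 that AWS will not override and "other prefixes propagate but 0/0 never appears", can be told apart from the route table alone. The following is an added example, not code from the thread or from the aws-transit-vpc project: it walks a response shaped like boto3's ec2.describe_route_tables(), sorts routes by their Origin field, and reports whether the missing default is a VPC-side problem (no propagating VGW, or a static default shadowing the propagated one) or an advertising-side problem (the BGP speaker is not exporting 0/0). The route table contents and every resource ID are constructed for the example.

```python
"""Audit a subscriber VPC route table for why a BGP-learned 0/0 is missing.

Added example for this thread (not code from the original posts or from the
PaloAltoNetworks/aws-transit-vpc project). It works on data shaped like the
response of boto3's ec2.describe_route_tables(); the samples below are
constructed and every resource ID in them is hypothetical.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample 1: VGW propagation is on and other prefixes arrive, but an
# operator-created static default route points at an internet gateway.
SHADOWED_TABLE = {
    "RouteTableId": "rtb-0a1b2c3d4e5f60718",
    "VpcId": "vpc-0123456789abcdef0",
    "PropagatingVgws": [{"GatewayId": "vgw-0f1e2d3c4b5a69788"}],
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "vgw-0f1e2d3c4b5a69788",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "vgw-0f1e2d3c4b5a69788",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0c1d2e3f4a5b69707",
         "Origin": "CreateRoute", "State": "active"},
    ],
}

# Constructed sample 2: the same table without the static default. Other
# prefixes propagate but 0/0 never shows up, which points at the advertising side.
NOT_ADVERTISED_TABLE = {
    **SHADOWED_TABLE,
    "RouteTableId": "rtb-0f9e8d7c6b5a49382",
    "Routes": [r for r in SHADOWED_TABLE["Routes"] if r["Origin"] != "CreateRoute"],
}


def classify_routes(route_table):
    """Split IPv4 routes into operator-created (static) and VGW-propagated,
    keyed by destination CIDR. The implicit 'local' route is skipped."""
    static, propagated = {}, {}
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:  # IPv6 and prefix-list destinations are out of scope here
            continue
        origin = route.get("Origin")
        if origin == "EnableVgwRoutePropagation":
            propagated[cidr] = route
        elif origin == "CreateRoute":
            static[cidr] = route
    return static, propagated


def audit_default_route(route_table):
    """Return findings tagged with where to look next: 'propagation' and
    'shadowed' are VPC-side, 'advertise' is the BGP speaker's side.
    An empty list means a propagated, active 0/0 is installed."""
    findings = []
    static, propagated = classify_routes(route_table)
    vgws = [g["GatewayId"] for g in route_table.get("PropagatingVgws", [])]
    if not vgws:
        findings.append("propagation: no VGW is propagating into this route table")
    elif not propagated:
        findings.append("propagation: %s attached but no propagated routes present"
                        % ", ".join(vgws))
    if DEFAULT_ROUTE in static:
        # AWS keeps a static route over a propagated route for the same
        # destination, so a BGP default cannot be installed while this exists.
        findings.append("shadowed: static %s via %s takes priority over a propagated default"
                        % (DEFAULT_ROUTE, static[DEFAULT_ROUTE]["GatewayId"]))
    elif propagated and DEFAULT_ROUTE not in propagated:
        findings.append("advertise: %d prefix(es) propagated but %s is not among them; "
                        "check BGP export/redistribution on the advertising router"
                        % (len(propagated), DEFAULT_ROUTE))
    default = propagated.get(DEFAULT_ROUTE)
    if default is not None and default.get("State") != "active":
        findings.append("propagation: propagated %s is in state %s"
                        % (DEFAULT_ROUTE, default.get("State")))
    return findings


def audit_response(response):
    """Map RouteTableId -> findings for every table in a describe_route_tables() response."""
    return {rt["RouteTableId"]: audit_default_route(rt)
            for rt in response.get("RouteTables", [])}


if __name__ == "__main__":
    # Live use would replace the constructed tables with
    # boto3.client("ec2").describe_route_tables(
    #     Filters=[{"Name": "vpc-id", "Values": ["<subscriber-vpc-id>"]}])
    report = audit_response({"RouteTables": [SHADOWED_TABLE, NOT_ADVERTISED_TABLE]})
    for rtb, findings in report.items():
        print(rtb, findings or ["ok: propagated default route installed"])
```

When the only finding is tagged advertise, the VPC side is doing its job and the next place to look is the firewall's BGP export configuration and its rib-out, which is the situation the original poster describes.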
02-11-2020 12:12 PM
@jmeurer Show routing protocol bgp rib-out doesn't even show the 0/0 default route. PAN-OS 9.1 has an additional setting which I'm missing. I have deployed a similar setup with 8.1.4 (later upgraded to 9.0.6) and it works as expected.
02-11-2020 05:23 PM
At this point, it might be good to get a TAC case open. I have not tried Transit VPC with 9.1.
I would be curious: if you add a static route in the VPC pointing to the VGW, does the traffic flow?
02-11-2020 05:26 PM - edited 02-11-2020 06:21 PM
@jmeurer Transit VPC is community supported, not TAC supported.
For additional clarification:
As this is related to route propagation with the VM-Series firewall, it would be TAC supported for assistance within the PA-VM.
Issues related to deployment and automation for the Transit architecture should be opened as an issue in GitHub.
For assistance, open an issue in GitHub:
https://github.com/PaloAltoNetworks/aws-transit-vpc