Default route is not distributed to subscriber VPC - Bgp/Dynamic routing


L1 Bithead

Hello, I'm currently doing a POC for a Transit VPC setup in AWS with VM-Series firewalls and noticed that the default route is not propagated to the subscriber VPC routing tables. All the other subnets are propagating. I followed https://www.paloaltonetworks.com/resources/guides/aws-transit-vpc-model-deployment-guide as is, but I'm using PAN-OS 9.1 and in the guide they used 8.1.4. Any idea what I could have been missing?


The show routing protocol bgp rib-out command doesn't show the default (0.0.0.0/0) either.

Accepted solution

I labbed it with a single firewall running 9.1 and the 0/0 exported to the VPC route table as expected.  Please post screenshots of your VR BGP settings and AWS route table for review.

 

Where is your 0/0 route configured in your firewall?  Do you have a static to the first IP in the subnet or do you have DHCP configured to Automatically create the default route?


7 replies

L4 Transporter

There is an additional step necessary to export the 0/0 route.  Please have a look at this article.  

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltUCAS

@jmeurer Just tried that and it didn't work. It removed the more specific routes which were propagated before.

Do you have an existing 0/0 static in the VPC route table?  We will not override that route.
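As an added example for the point above (this is not from the thread, the deployment guide, or Palo Alto Networks' automation): a small check over the subscriber VPC's route table that tells you whether a propagated 0/0 is absent (nothing is being advertised over BGP), or present but shadowed by a hand-made 0/0, since AWS prefers a static route over a propagated route with the same prefix. The route-table dict follows the shape boto3's describe_route_tables() returns for one element of RouteTables; every ID and route in it is constructed, and the command-line file argument is an assumption for convenience.

```python
"""Added check: can a VGW-propagated 0.0.0.0/0 take effect in a subscriber VPC?

Input is one element of RouteTables as returned by boto3
describe_route_tables() or `aws ec2 describe-route-tables`.  All IDs below
are made up for the example.
"""
from typing import Dict, List, Optional

DEFAULT = "0.0.0.0/0"
# Attributes that can name a route's next hop, as boto3 exposes them.
NEXT_HOP_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
                 "NetworkInterfaceId", "InstanceId", "VpcPeeringConnectionId")

# Constructed sample: propagation from the VGW is on, the firewalls' 0/0 has
# arrived, but a static 0/0 to an internet gateway shadows it.
SAMPLE_ROUTE_TABLE: Dict = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "VpcId": "vpc-0abc0abc0abc0abc0",
    "PropagatingVgws": [{"GatewayId": "vgw-0fedcba9876543210"}],
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        # Hand-made default route: this is what wins over the VGW's 0/0.
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f60718",
         "Origin": "CreateRoute", "State": "active"},
        # Learned over BGP from the transit firewalls and propagated by the VGW.
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0fedcba9876543210",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "vgw-0fedcba9876543210",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
}


def next_hop(route: Dict) -> Optional[str]:
    """Return whichever next-hop attribute the route carries, if any."""
    for key in NEXT_HOP_KEYS:
        if route.get(key):
            return route[key]
    return None


def check_default_route(rt: Dict, vgw_id: str) -> List[str]:
    """Explain why the propagated default route from vgw_id is missing or unused.

    An empty list means: propagation from vgw_id is enabled, a 0/0 from it is
    present and active, and no static 0/0 shadows it.  AWS prefers a static
    route over a propagated route with the same prefix, so a static 0/0
    (typically to an IGW or NAT gateway) silently beats the firewall's
    advertisement even though both rows show up in the table.
    """
    findings: List[str] = []
    rtb = rt.get("RouteTableId", "?")

    propagating = {p.get("GatewayId") for p in rt.get("PropagatingVgws", [])}
    if vgw_id not in propagating:
        findings.append(f"{rtb}: route propagation from {vgw_id} is not enabled")

    defaults = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == DEFAULT]
    propagated = [r for r in defaults
                  if r.get("Origin") == "EnableVgwRoutePropagation" and next_hop(r) == vgw_id]
    static = [r for r in defaults if r.get("Origin") == "CreateRoute"]

    if not propagated:
        findings.append(f"{rtb}: no propagated {DEFAULT} from {vgw_id}; the firewall is not "
                        "advertising it (check BGP export/redistribution of the default route)")
    elif propagated[0].get("State") != "active":
        findings.append(f"{rtb}: propagated {DEFAULT} is {propagated[0].get('State')}, not active")

    for r in static:
        findings.append(f"{rtb}: static {DEFAULT} via {next_hop(r)} takes priority over the "
                        "propagated one; remove it if the VGW is meant to be the default path")
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Assumed usage: python check_default.py <route-table.json> <vgw-id>, where the
    # file holds one element of RouteTables; with no arguments the sample is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            table, vgw = json.load(fh), sys.argv[2]
    else:
        table, vgw = SAMPLE_ROUTE_TABLE, "vgw-0fedcba9876543210"
    report = check_default_route(table, vgw)
    for line in report or [f"{table.get('RouteTableId')}: propagated default route is effective"]:
        print(line)
```

To run it against a real subscriber route table, save one element of the RouteTables array from aws ec2 describe-route-tables --route-table-ids rtb-... to a file and pass it with the VGW ID. If the only finding is the static 0/0, the firewall side is fine and the fix is in the VPC; if the finding is "no propagated 0.0.0.0/0", look at the firewall's BGP export first, which is the situation the original poster's empty rib-out output points at.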

@jmeurer show routing protocol bgp rib-out doesn't even show the 0/0 default route. PAN-OS 9.1 has an additional setting which I'm missing. I have deployed a similar setup with 8.1.4 (later upgraded to 9.0.6) and it works as expected.

At this point, it might be good to get a TAC case open. I have not tried Transit VPC with 9.1.

I would be curious, if you add a static route in the vpc pointing to the vgw, does the traffic flow?

@jmeurer Transit VPC is community supported, not TAC supported.

 

For additional clarification:

As this is related to route propagation with the VM-Series firewall, it would be TAC supported for assistance within the PA-VM.

 

Issues related to deployment and automation for the transit architecture would be opened as an issue in GitHub.

For assistance, open an issue in GitHub:

https://github.com/PaloAltoNetworks/aws-transit-vpc