08-14-2021 01:29 AM - edited 08-23-2021 01:22 AM
Hello,
Hope I get some direction/solution here.
VM (10.9.8.4) can ping the trusted interface (10.8.130.4) of the PA, but with packet loss!!! However, tracert 8.8.8.8 does not show the trusted interface as the next hop (request timed out). Cannot go to the Internet.
All NSGs are set to allow. The PA has the most basic config at this stage, with an Allow All policy.
Tried to bypass asymmetric routing. show counter global filter did not show any dropped packets.
I would appreciate it if anyone could help solve this puzzle.
08-14-2021 08:49 AM
Hello,
Personally I would set up a packet capture at the receive, transmit and drop stages, then check:
1) Does the firewall transmit the request (assuming yes)
2) Does the firewall receive the response from 8.8.8.8
3) If it does, does it transmit this to the client
You can check the drop capture for any drops, although if the counters are clean you shouldn't be seeing anything there.
Also, open the detailed log view (the magnifying glass at the left-most side of the traffic log) to check that NAT was performed and whether the NAT IP/interface makes sense.
- DM
08-14-2021 10:16 PM - edited 08-23-2021 01:20 AM
Hi @dmifsud
Thank you for your response.
1) Does the firewall transmit the request? > YES
2) Does the firewall receive the response from 8.8.8.8? > NO
3) If it does, does it transmit this to the client? > There is nothing in between the FW and the VM
4) No drops seen in the global counters. I have turned off the DPDK setting.
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 7.5 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_sent 1 0 info packet pktproc Packets transmitted
session_allocated 3 0 info session resource Sessions allocated
session_installed 3 0 info session resource Sessions installed
flow_ip_cksm_sw_validation 3 0 info flow pktproc Packets for which IP checksum validation was done in software
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
nat_dynamic_port_xlat 3 0 info nat resource The total number of dynamic_ip_port NAT translate called
dfa_sw 3 0 info dfa pktproc The total number of dfa match using software
ctd_pscan_sw 3 0 info ctd pktproc The total usage of software for pscan
ctd_process 3 0 info ctd pktproc session processed by ctd
ctd_pkt_slowpath 3 0 info ctd pktproc Packets processed by slowpath
--------------------------------------------------------------------------------
5) NAT seems fine as configured.
Waiting for your response.
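As an added example (not from any poster in this thread), a small Python parser for the `show counter global` table above that reports only drop-severity counters, which is the check DM's step 4 boils down to. The SAMPLE text is constructed from the posted output plus one illustrative drop line; flow_fwd_l3_noroute is used as an illustrative counter name.

```python
"""Triage PAN-OS `show counter global filter ... delta yes` output.

Parses the counter table the way the firewall prints it (name value rate
severity category aspect description, the description being free text) and
reports the drop-severity counters a troubleshooter looks for.
"""
import re
from collections import Counter as Tally

# Constructed sample: rows taken from the posted table plus one illustrative
# drop row so the filter has something to find.
SAMPLE = """Global counters:
Elapsed time since last sampling: 7.5 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_sent 1 0 info packet pktproc Packets transmitted
session_allocated 3 0 info session resource Sessions allocated
nat_dynamic_port_xlat 3 0 info nat resource The total number of dynamic_ip_port NAT translate called
flow_fwd_l3_noroute 2 0 drop flow forward Packets dropped: no route (constructed line)
--------------------------------------------------------------------------------
"""

# Six fixed columns, then the description (which may contain spaces).
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
FIELDS = ("name", "value", "rate", "severity", "category", "aspect", "description")

def parse_counters(text):
    """Return one dict per counter row; header, banner and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header row fails here because 'value' is not numeric
            row = dict(zip(FIELDS, m.groups()))
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            rows.append(row)
    return rows

def drops(rows):
    """Counters with severity 'drop' that actually incremented in this sample."""
    return [r for r in rows if r["severity"] == "drop" and r["value"] > 0]

def by_severity(rows):
    """Total increments per severity, e.g. {'info': 7, 'drop': 2}."""
    tally = Tally()
    for r in rows:
        tally[r["severity"]] += r["value"]
    return dict(tally)

if __name__ == "__main__":
    rows = parse_counters(SAMPLE)
    print(by_severity(rows))
    for r in drops(rows):
        print(f"{r['name']}: {r['value']} ({r['category']}/{r['aspect']}) {r['description']}")
```

Feed it the output of a `delta yes` run taken while the failing ping or tracert is in progress, so the values reflect only that traffic.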
08-15-2021 06:31 PM
Hi @dmifsud
I am checking on the Azure side.
Just wanted to ask if you have come across this issue below.
1) tracert is failing. It should show the trusted interface of the PA as the next hop.
>tracert 8.8.8.8
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
2) The same route settings are used for the hub machines, and they can access the Internet. Effective routes in Azure are showing the correct path.
The only difference is that the spoke VM is on the other side of the VNet peering.
Thanks