I am trying to POC a scenario for my customer in AWS with dual Palo Alto in HA within same availability zone. (We need to build a site to Site VPN tunnel from on-Premises to AWS Palo behind IGW)
I am facing a strange issue. I an not able to reach the outside Elastic IP address of Palo.(I am able to reach the public IP on Management interface). The ENI's are moving to the secondary on failover.
- I have deployed Palo Alto Primary FW and Secondary FW.
- All Security Groups are configured to permit all traffic. No NALC’s configured.
- Main VPC is 10.180.0.0/16
- There are 4 Subnets: Public 10.180.100.0/24, Management 10.180.110.0/24, Private 10.180.120.0/24 and HA 10.180.130.0/24
- There are 2 route tables - Public and Private
- 3 subnets (Public, Management and HA) are associated with Public Route Table and Private subnet is associated with Private RT.
- Internet Gateway is attached to VPC. Default route is configured in Public RT pointing to IGW. Communication from Public RT is up as the Test PC and Palo Management interface is able to reach internet.
- Palo Alto is configured with Static IP and static default route pointing to the first IP of Public subnet (10.180.100.1)
- Palo Configured with Security policy to permit all traffic.
- Palo management profile permits ping, ssh, https
- Elastic Public IP is attached to the Public and Management ENI’s. Palo Primary have 4 ENI's - Management (elastic IP), Public (elastic IP), HA and Private.
- Source/destination check is disabled on all ENI's
- HA configured and is syncing the configs with peer. Data plane Interface is moving to the Secondary Palo on failover.
- Management IP is reachable, test PC in public subnet is reachable, but Palo’s public IP is not. I re-created this lab at least 10 times now. The interesting thing is that, I was able to reach the external public IP of Palo yesterday but is not working after another rebuild.
Am I missing something here? Can any one help me resolve this issue?.
