Path Monitoring Never Recovers With Strict IP Address Check - Knowledge Base - Palo Alto Networks

Path Monitoring Never Recovers With Strict IP Address Check

16848

Created On 06/18/20 04:40 AM - Last Modified 09/15/20 03:08 AM

Static Routes

Zone Protection

Network Integration

Zone and DoS Protection

Service Connections

Hardware

PAN-OS

VM-Series

Symptom

Firewall is dual homed to two ISPs with path monitoring over the primary link:

GUI: Network --> Virtual Routers --> More Runtime Stats:

Network --> Virtual Router --> Static Routes:

Each ISP interface has a Zone Protection profile with 'Strict IP Address Check'

Network --> Zones:

Network --> Zone Protection --> Packet Based Attack Protection:

Primary path fails and is deleted/removed; while the secondary path is flagged as 'Active' and installed in the FIB:

Monitor --> System:

Network --> Virtual Router --> Static Routes:

Service is restored on the primary link but the primary link never preempts or takes over after the 'Preemptive Hold Time' expires. The RIB does not even get updated and continues to use the secondary link for routing.

Environment

Any PAN-OS
Palo Alto Firewall.
Path-monitoring is configured for redundancy/failure scenarios.
Zone Protection is in use on both zones with Strict IP Address Check enabled

Cause

Global counter on the filter for the path-monitored source/destination IP indicates that the monitored traffic is being dropped with a reason: Packets dropped: Zone protection option 'strict-ip-check.'

admin@PA-VM> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 10.0.0.1/32[0]->8.8.8.8/32[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 2: 8.8.8.8/32[0]->10.0.0.1/32[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------

admin@PA-VM> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 231.955 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                   3        0 info      packet    pktproc   Packets received
flow_dos_pf_strictip                      63        0 drop      flow      dos       Packets dropped: Zone protection option 'strict-ip-check'
flow_tunnel_decap_err                     63        0 drop      flow      tunnel    Packet dropped: tunnel decapsulation error
flow_tunnel_ipsec_esp_encap               77        0 info      flow      tunnel    Packet encapped: IPSec ESP
flow_tunnel_encap_resolve                 77        0 info      flow      tunnel    tunnel structure lookup resolve
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------

Resolution

Disable 'Strict IP Address Check' in the Zone Protection Profile; or
Place the primary and secondary links in two separate virtual routers

Either of these solutions should result in path recovery with the primary path installed as 'Active' route:

Monitor --> System:

Network --> Virtual Router --> More Runtime Stats:

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)