Forwarding fails for specific traffic that matches a PBF rule with symmetric return

Created On 09/26/18 20:46 PM - Last Modified 03/19/21 01:21 AM


Symptom

When Policy-Based Forwarding (PBF) is configured with the "Enforce Symmetric Return" option enabled, but without a Next Hop Address, forwarding may fail.


Diagnosis

When the issue occurs, the output of the show pbf return-mac all command shows that the return-MAC table has reached its maximum number of entries (the "in table" count equals the "supported" count), while the number of return next-hop addresses is 0.

user@firewall> show pbf return-mac all

current pbf configuation version:   1
total return nexthop addresses :    0

index   pbf id  ver  hw address          ip address
                     return mac          egress port
--------------------------------------------------------------------------------

maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete

pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------

Note: The maximum number of return-MAC entries this table supports depends on the firewall model and is not user-configurable. To determine the limit for your model, run the CLI command show pbf return-mac all and read the "maximum of ipv4 return mac entries supported" line.
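As an added example (not part of this article or of PAN-OS), the following script parses the output of show pbf return-mac all, compares the "in table" count against the model limit, and flags the condition described above: a full table while no return next-hop addresses are configured. The sample output is a constructed copy of the exhausted case shown in the Diagnosis section; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the exhausted-table output in this article.
SAMPLE_OUTPUT = """\
current pbf configuation version:   1
total return nexthop addresses :    0

maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete

pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------
symmectric 1 8.0.0.2 00:1b:17:05:f1:17 ethernet1/1 c 737
symmectric 1 8.0.0.3 00:1b:17:05:f1:17 ethernet1/1 c 742
"""

# Summary counters we care about, keyed by the label printed by the firewall.
KEY_PATTERNS = {
    "nexthops": r"total return nexthop addresses\s*:\s*(\d+)",
    "max_entries": r"maximum of ipv4 return mac entries supported\s*:\s*(\d+)",
    "in_table": r"total ipv4 return mac entries in table\s*:\s*(\d+)",
}

# One learned return-MAC entry: rule, id, ip, mac, egress port, status flag, ttl.
ENTRY_RE = re.compile(
    r"^(?P<rule>\S+)\s+(?P<id>\d+)\s+(?P<ip>[\d.]+)\s+(?P<mac>[0-9a-f:]{17})\s+"
    r"(?P<port>\S+)\s+(?P<status>[scei])\s+(?P<ttl>\d+)\s*$", re.I | re.M)


def parse_return_mac(text):
    """Return the summary counters plus a per-rule count of learned entries."""
    summary = {}
    for key, pattern in KEY_PATTERNS.items():
        m = re.search(pattern, text)
        summary[key] = int(m.group(1)) if m else None
    per_rule = {}
    for m in ENTRY_RE.finditer(text):
        per_rule[m.group("rule")] = per_rule.get(m.group("rule"), 0) + 1
    summary["entries_per_rule"] = per_rule
    return summary


def assess(summary, warn_ratio=0.9):
    """Classify table usage as 'exhausted', 'warning', 'ok' or 'unknown'."""
    mx, used = summary.get("max_entries"), summary.get("in_table")
    if mx is None or used is None or mx == 0:
        return "unknown"
    if used >= mx:
        return "exhausted"
    return "warning" if used >= warn_ratio * mx else "ok"


def missing_next_hop(summary):
    """True when return MACs are being learned but no Next Hop Address is set."""
    return summary.get("nexthops") == 0 and (summary.get("in_table") or 0) > 0
```

Feed the script the real command output (for example via the firewall's CLI or XML API) to turn the manual check into a monitoring alert.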



Environment
  • Palo Alto Firewall.
  • Any PAN-OS. 
  • Policy Based Forwarding.


Resolution

This issue occurs only when a PBF rule has symmetric return enabled but no 'Next Hop Address' configured. Configure a valid peer IP address in the Next Hop Address list to avoid the issue. In the GUI: Policies > Policy Based Forwarding > select the PBF rule > Forwarding > Add.

[Image: NextHopAddress.jpg]


Setting the Next Hop Address ensures that only the appropriate return MAC addresses are learned for Symmetric Return, as in the following output where the table is well below its limit.

>show pbf return-mac all

maximum of ipv4 return mac entries supported : 16000
total ipv4 return mac entries in table : 12800
total ipv4 return mac entries shown : 12800
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule id ip address hw address port status ttl
--------------------------------------------------------------------------------
symmectric 1 8.0.0.2 00:1b:17:05:f1:17 ethernet1/1 c 737
symmectric 1 8.0.0.3 00:1b:17:05:f1:17 ethernet1/1 c 742
symmectric 1 8.0.0.4 00:1b:17:05:f1:17 ethernet1/1 c 741
symmectric 1 8.0.0.5 00:1b:17:05:f1:17 ethernet1/1 c 743
symmectric 1 8.0.0.6 00:1b:17:05:f1:17 ethernet1/1 c 746
symmectric 1 8.0.0.7 00:1b:17:05:f1:17 ethernet1/1 c 743
symmectric 1 8.0.0.8 00:1b:17:05:f1:17 ethernet1/1 c 742
symmectric 1 8.0.0.9 00:1b:17:05:f1:17 ethernet1/1 c 741
symmectric 1 8.0.0.10 00:1b:17:05:f1:17 ethernet1/1 c 745
symmectric 1 8.0.0.11 00:1b:17:05:f1:17 ethernet1/1 c 746

Additional Information
How to Configure Symmetric Return
