Forwarding fails for specific traffic that matches a PBF rule w... - Knowledge Base - Palo Alto Networks

Forwarding fails for specific traffic that matches a PBF rule with symmetric return

32878

Created On 09/26/18 20:46 PM - Last Modified 03/19/21 01:21 AM

Policy Based Forwarding

Policy

PAN-OS

Symptom

Symptoms

When Policy-Based Forwarding (PBF) is configured with the "Enforce Symmetric Return" option enabled, but without a Next Hop Address, forwarding may fail.

Diagnosis

When the issue occurs, you can see the return mac entries have reached their maximum level when you run the show pbf return-mac all command.

user@firewall> show pbf return-mac all

current pbf configuation version:   1
total return nexthop addresses :    0

index   pbf id  ver  hw address          ip address
                     return mac          egress port
--------------------------------------------------------------------------------

maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete

pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------

Note: The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.

Environment

Palo Alto Firewall.
Any PAN-OS.
Policy Based Forwarding.

Resolution

This issue will only occur if the 'Next-Hop Address' is not set in a PBF rule that does have symmetric return enabled. Configure a valid peer IP address in the Next Hop Address list to avoid running into the issue. This can be done using GUI: Policies > Policy Based Forwarding > select the pbf rule > Forwarding > Add

Setting the Next Hop Address ensures only the appropriate return mac addresses are learned for Symmetric Return

>show pbf return-mac all

maximum of ipv4 return mac entries supported : 16000
total ipv4 return mac entries in table : 12800
total ipv4 return mac entries shown : 12800
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule id ip address hw address port status ttl
--------------------------------------------------------------------------------
symmectric 1 8.0.0.2 00:1b:17:05:f1:17 ethernet1/1 c 737
symmectric 1 8.0.0.3 00:1b:17:05:f1:17 ethernet1/1 c 742
symmectric 1 8.0.0.4 00:1b:17:05:f1:17 ethernet1/1 c 741
symmectric 1 8.0.0.5 00:1b:17:05:f1:17 ethernet1/1 c 743
symmectric 1 8.0.0.6 00:1b:17:05:f1:17 ethernet1/1 c 746
symmectric 1 8.0.0.7 00:1b:17:05:f1:17 ethernet1/1 c 743
symmectric 1 8.0.0.8 00:1b:17:05:f1:17 ethernet1/1 c 742
symmectric 1 8.0.0.9 00:1b:17:05:f1:17 ethernet1/1 c 741
symmectric 1 8.0.0.10 00:1b:17:05:f1:17 ethernet1/1 c 745
symmectric 1 8.0.0.11 00:1b:17:05:f1:17 ethernet1/1 c 746

Additional Information

How to Configure Symmetric Return

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)