Unable to reach specific destination/subnet within AWS
Created On 03/18/20 02:41 AM - Last Modified 04/06/20 17:32 PM
Symptom
A PA-VM is deployed within a VPC in AWS, and traffic from a host residing in a directly connected subnet, whose default route points to the firewall interface, is unable to reach a destination IP.
- Log in to the firewall CLI and review the global counter output:
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 6 0 info packet pktproc Packets received
flow_policy_nofwd 6 0 drop flow session Session setup: no destination zone from forwarding
- The above CLI output shows that packets were dropped during session setup because no destination zone was found during the forwarding lookup (counter flow_policy_nofwd).
- Verify whether a route exists for the destination in question using the following CLI command:
show routing route destination 4.2.2.2/32
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
total routes shown: 0
- The above CLI output confirms that no route is present for the destination.
- Verify whether a default route is present in the routing table using “show routing route”.
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: 8.1.10 / -
- Deployment: AWS
Cause
- The route for the destination is missing from the RIB (Routing Information Base).
Resolution
- Configure a static route for the destination with the next hop set to the first IP of the AWS subnet in which the egress interface resides.
- Alternatively, if the default route itself is missing, either configure the default route with the first IP of the egress interface's subnet as the next hop, or enable the “Automatically create default route pointing to default gateway provided by server” option under Network > Interfaces > ethernet1/x > IPv4 so that the default route is learned from the egress subnet.
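The following added example (not part of the original article) ties the symptom check to the resolution: it parses counter output in the same layout as the table above to flag non-zero drop counters such as flow_policy_nofwd, derives the AWS next hop (first IP of the egress interface's subnet) from the interface address, and builds the static route. The sample counter text and the interface address 10.0.1.10/24 are constructed, and the PAN-OS configure-mode command string it emits is assumed syntax rather than something quoted from the article.

```python
import ipaddress
import re

# Constructed sample in the layout of the firewall's global counter table.
SAMPLE_COUNTERS = """\
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 6 0 info packet pktproc Packets received
flow_policy_nofwd 6 0 drop flow session Session setup: no destination zone from forwarding
--------------------------------------------------------------------------------
"""

# One counter row: name, numeric value and rate, three word columns, free-text description.
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)


def parse_counters(text):
    """Return one dict per counter row; header and separator lines do not match the regex."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["value"] = int(row["value"])
            rows.append(row)
    return rows


def drop_counters(text):
    """Names of counters with severity 'drop' and a non-zero value (the ones worth investigating)."""
    return [r["name"] for r in parse_counters(text) if r["severity"] == "drop" and r["value"] > 0]


def aws_subnet_gateway(interface_cidr):
    """First host address of the interface's subnet: the AWS router used as next hop."""
    iface = ipaddress.ip_interface(interface_cidr)
    return str(iface.network.network_address + 1)


def static_route_command(name, destination, interface_cidr, interface, vr="default"):
    """Build the static route (assumed PAN-OS configure-mode syntax) for the missing destination."""
    nexthop = aws_subnet_gateway(interface_cidr)
    return (f"set network virtual-router {vr} routing-table ip static-route {name} "
            f"destination {destination} interface {interface} nexthop ip-address {nexthop}")


if __name__ == "__main__":
    print("drop counters:", drop_counters(SAMPLE_COUNTERS))
    print(static_route_command("to-4222", "4.2.2.2/32", "10.0.1.10/24", "ethernet1/1"))
```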