Global Counters report "No Destination Zone From Forwarding"
Created On 07/21/20 03:01 AM - Last Modified 10/26/21 03:30 AM
Symptom
- IPSec tunnel is configured between Palo Alto Firewalls
- Traffic is getting dropped
- Global counters (show counter global filter packet-filter yes delta yes) report traffic drops due to flow_policy_nofwd:
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_nofwd 3 0 drop flow session Session setup: no destination zone from forwarding
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
--------------------------------------------------------------------------------
Note: A packet filter must be configured correctly when using the "show counter global filter...." command.
Environment
- IPsec tunnel on VM-series firewalls
- IPsec tunnel on NGFW hardware
- All versions of PAN-OS
Cause
- On the transmitting firewall, this happens when the source of the traffic is in a different virtual router than the tunnel interface itself.
- If the firewall is receiving tunnel traffic inbound, it fails for the same reason but reports a different drop type:
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 2 0 info packet pktproc Packets received
pkt_sent 3 0 info packet pktproc Packets transmitted
session_allocated 3 0 info session resource Sessions allocated
session_installed 3 0 info session resource Sessions installed
flow_fwd_l3_noroute 3 0 drop flow forward Packets dropped: no route
Resolution
The destination interface on the firewall should be placed in the same virtual router as the tunnel interface.
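
The following Python script is an added example, not part of the original article or of any Palo Alto Networks tooling. It parses saved "show counter global" output in the column layout shown above and reports which side of the tunnel the virtual-router mismatch was seen on. The function names and the VR_MISMATCH table are assumptions made for illustration; the two sample outputs are copied from this article.

```python
import re

# Counters this article ties to a tunnel / virtual-router mismatch, and the
# side of the tunnel each is reported on (from the Cause section).
VR_MISMATCH = {
    "flow_policy_nofwd": "transmitting firewall",
    "flow_fwd_l3_noroute": "receiving firewall",
}

# Columns: name value rate severity category aspect description (free text)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_counters(text):
    """Return one dict per counter row; header, rulers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header row fails here because "value" is not numeric
            name, value, rate, sev, cat, aspect, desc = m.groups()
            rows.append({"name": name, "value": int(value), "rate": int(rate),
                         "severity": sev, "category": cat, "aspect": aspect,
                         "description": desc})
    return rows

def triage(text):
    """Return (counter, packets, side) for each non-zero drop counter covered here."""
    return [(r["name"], r["value"], VR_MISMATCH[r["name"]])
            for r in parse_counters(text)
            if r["name"] in VR_MISMATCH and r["severity"] == "drop" and r["value"] > 0]

# Sample outputs copied from the Symptom and Cause sections of this article.
TX_SAMPLE = """name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_nofwd 3 0 drop flow session Session setup: no destination zone from forwarding
appid_ident_by_icmp 3 0 info appid pktproc Application identified by icmp type
--------------------------------------------------------------------------------"""
RX_SAMPLE = """name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 2 0 info packet pktproc Packets received
pkt_sent 3 0 info packet pktproc Packets transmitted
session_allocated 3 0 info session resource Sessions allocated
session_installed 3 0 info session resource Sessions installed
flow_fwd_l3_noroute 3 0 drop flow forward Packets dropped: no route"""

if __name__ == "__main__":
    for label, sample in (("tx", TX_SAMPLE), ("rx", RX_SAMPLE)):
        for name, count, side in triage(sample):
            print(f"[{label}] {name}={count}: check that the tunnel interface "
                  f"shares a virtual router with the traffic on the {side}")
```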