VM-Series firewall behind AWS Gateway Load Balancer (GWLB) does not receive response packets

Created On 01/09/23 13:37 PM - Last Modified 04/22/24 07:09 AM


Symptom


  1. From the client's perspective, the request (e.g. ping or HTTP) fails.
  2. The server never receives the request.
  3. VM-series firewall packet capture only shows client request packets (e.g. ICMP request or TCP SYN), but no server response packets (e.g. ICMP response or TCP SYN-ACK).
  4. Source and destination MAC addresses are the same in both the receive and transmit stages, whereas they should be swapped in the transmit stage. This is because the packets arrive at the VM-Series firewall interface (e.g. with ethernet1/1's MAC address as destination), are inspected by the firewall, and are then transmitted out again via the same interface (e.g. with ethernet1/1's MAC address as source) using a virtual wire (vwire).

[Figures: packet capture screenshots of the receive stage (aws-gwlb-ping-rx-no-response.PNG) and transmit stage (aws-gwlb-ping-tx-no-response.PNG) for a ping that gets no response]
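The check behind symptom 4 can be automated on exported capture data. The following is an added example, not code from the article or from Palo Alto Networks: it parses the outer Ethernet header of a receive-stage and a transmit-stage frame taken on the same interface and reports whether the MACs were swapped as expected or left identical (the PAN-194776 symptom). The MAC addresses and frames are constructed placeholders.

```python
import struct


def mac_str(raw):
    """Render 6 raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from the outer Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype


def check_vwire_mac_swap(rx_frame, tx_frame):
    """Classify a receive/transmit stage pair captured on the same interface.

    Behind GWLB the firewall sends the inspected frame back out the interface
    it arrived on, so the transmit stage must carry the receive stage's MACs
    swapped. Identical MACs in both stages are the PAN-194776 symptom.
    """
    rx_dst, rx_src, _ = parse_ethernet(rx_frame)
    tx_dst, tx_src, _ = parse_ethernet(tx_frame)
    if tx_dst == rx_src and tx_src == rx_dst:
        return "ok"
    if tx_dst == rx_dst and tx_src == rx_src:
        return "mac-not-swapped"
    return "unexpected"


def build_frame(dst_mac, src_mac, payload=b"\x00" * 46):
    """Build a minimal IPv4 Ethernet frame (helper for the constructed samples)."""
    def mac_bytes(mac):
        return bytes.fromhex(mac.replace(":", ""))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + payload


# Constructed sample MACs (placeholders, not values from the article).
FW_MAC = "02:aa:bb:cc:dd:01"    # firewall ethernet1/1
GWLB_MAC = "02:11:22:33:44:55"  # GWLB side of the link

RX_FRAME = build_frame(dst_mac=FW_MAC, src_mac=GWLB_MAC)      # receive stage
TX_FRAME_OK = build_frame(dst_mac=GWLB_MAC, src_mac=FW_MAC)   # fixed release
TX_FRAME_BUG = build_frame(dst_mac=FW_MAC, src_mac=GWLB_MAC)  # affected release

if __name__ == "__main__":
    print("fixed release :", check_vwire_mac_swap(RX_FRAME, TX_FRAME_OK))
    print("affected code :", check_vwire_mac_swap(RX_FRAME, TX_FRAME_BUG))
```

Feed it the raw bytes of the rx and tx frames for the same session from a firewall packet capture; a result of "mac-not-swapped" on an affected PAN-OS version matches this article's symptom.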
 
 


Environment


  • Amazon Web Services (AWS)
  • Consumer VPCs connected via Transit Gateway to a Security VPC
  • Security VPC contains multiple VM-series firewalls in different availability zones (AZ) behind a Gateway Load Balancer (GWLB)
  • Each availability zone in the Security VPC contains a Gateway Load Balancer Endpoint (GWLBE)
  • VM-series firewall with overlay routing enabled (PAN-OS versions 10.1.6-10.1.6-h3 and 10.2.1-10.2.2)


Cause


PAN-194776 - Intra-zone packets were re-encapsulated with the incorrect source/destination MAC address.

Resolution


  1. PAN-194776 is fixed in PAN-OS 10.1.7 and 10.2.3.
  2. Upgrading to one of the fixed releases resolves the issue.
