Managed Firewall shows Disconnected on Panorama, after a route change on the default Gateway of Panorama


Created On 03/27/19 03:16 AM - Last Modified 05/20/20 02:01 AM


Symptom


  • Certain managed firewalls show as Disconnected on Panorama.
  • The disconnects began after a destination route change on Panorama's default gateway for the route toward the affected firewalls.
  • The default gateway has ICMP redirects enabled.



 


Environment


  • Panorama
  • All PAN-OS
  • Route change on the default gateway


Cause


Consider the following scenario:
  • Panorama is 10.1.1.250/24 and its default gateway (DG) is 10.1.1.1.
  • The DG reaches the managed firewalls over MPLS through either 10.1.1.2 (router1) or 10.1.1.3 (router2), both on the same subnet as Panorama.

            [Figure: Panorama 10.1.1.250 behind default gateway 10.1.1.1, with router1 10.1.1.2 and router2 10.1.1.3 providing the MPLS paths to the managed firewalls]
  • While the preferred route is via 10.1.1.2 (router1), the DG forwards Panorama's first packet toward the firewall and sends Panorama an ICMP redirect pointing at router1. Panorama caches that redirect as a host route for the firewall's address and sends all subsequent packets directly to router1, bypassing the DG.
  • The problem starts when the path through router1 breaks for the destination in question and the DG changes its route to 10.1.1.3 (router2).
  • Panorama never learns of the route change: its traffic no longer passes through the DG, so the DG has no occasion to send a new redirect, and Panorama keeps sending packets to router1.
  • This is because Panorama still holds the route to the destination cached from the earlier ICMP redirect.
  • Panorama keeps the cached redirect entry and does not clear it unless Panorama is restarted.
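To make concrete what Panorama caches, the following Python script (an added example, not code from the article and not Panorama or Palo Alto Networks code) builds an ICMP Redirect as the DG would send it, decodes it into the destination/new-gateway pair a host stores, and applies the RFC 1122 acceptance checks a host should make before trusting a redirect. The addresses are the article's; the managed firewall address 192.0.2.10 and the quoted TCP ports are constructed sample values.

```python
"""Decode an ICMPv4 Redirect (type 5) the way a receiving host does.

Added example, not part of the Palo Alto Networks article and not Panorama
code. Addresses follow the article's scenario: Panorama 10.1.1.250/24,
default gateway 10.1.1.1, router1 10.1.1.2, router2 10.1.1.3. The managed
firewall address 192.0.2.10 and the quoted TCP ports are constructed.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5           # RFC 792 type
REDIRECT_FOR_HOST = 1       # code 1: redirect datagrams for the host
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(new_gateway: str, orig_src: str, orig_dst: str) -> bytes:
    """ICMP Redirect as the default gateway sends it back to the host.

    RFC 792: 4-byte gateway address, then the IP header of the datagram that
    triggered the redirect plus the first 8 bytes of its payload.
    """
    orig_l4 = struct.pack("!HHI", 40000, 3978, 0)  # constructed TCP src/dst port, seq
    orig_hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(orig_l4), 0, 0, 64, 6, 0,
                           ipaddress.IPv4Address(orig_src).packed,
                           ipaddress.IPv4Address(orig_dst).packed)
    body = ipaddress.IPv4Address(new_gateway).packed + orig_hdr + orig_l4
    msg = struct.pack("!BBH", ICMP_REDIRECT, REDIRECT_FOR_HOST, 0) + body
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_redirect(msg: bytes) -> dict:
    """Return what the host caches: original destination -> new gateway."""
    if len(msg) < 8 + 20:
        raise ValueError("ICMP message too short for a redirect")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % icmp_type)
    if icmp_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    gateway = ipaddress.IPv4Address(msg[4:8])
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("embedded IP header truncated")
    fields = struct.unpack(IPV4_HDR, inner[:20])
    return {
        "code": code,
        "destination": str(ipaddress.IPv4Address(fields[9])),
        "original_source": str(ipaddress.IPv4Address(fields[8])),
        "protocol": fields[6],
        "new_gateway": str(gateway),
    }


def should_accept_redirect(sender: str, current_first_hop: str,
                           new_gateway: str, local_net: str) -> bool:
    """RFC 1122 section 3.2.2.2 host checks before honouring a redirect:
    it must come from the gateway currently used for the destination, and the
    new gateway must be directly reachable on the receiving interface's network.
    Redirects failing either test are discarded (spoofed redirects are a
    classic on-path interception trick)."""
    net = ipaddress.IPv4Network(local_net, strict=False)
    return (ipaddress.IPv4Address(sender) == ipaddress.IPv4Address(current_first_hop)
            and ipaddress.IPv4Address(new_gateway) in net)


if __name__ == "__main__":
    # DG 10.1.1.1 tells Panorama to reach the firewall via router1 directly.
    pkt = build_redirect("10.1.1.2", "10.1.1.250", "192.0.2.10")
    entry = parse_redirect(pkt)
    print("cached:", entry["destination"], "via", entry["new_gateway"])
    print("accept:", should_accept_redirect("10.1.1.1", "10.1.1.1",
                                            entry["new_gateway"], "10.1.1.250/24"))
```

The cached pair (192.0.2.10 via 10.1.1.2) is exactly what outlives the DG's later route change: once Panorama sends directly to router1, the DG is no longer on the path and has nothing to redirect, so no correcting message ever arrives. The acceptance check is the host-side defence against forged redirects; it does not help here because the redirect in the article is legitimate.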


Resolution


Clear the cached route entry using one of the following methods:
  • Restart Panorama.
  • Clear the ICMP redirect entry from the route cache as root (this requires root shell access, so contact Palo Alto Networks Support to perform this operation).
The best practice is to disable ICMP redirects on the DG (for example, "no ip redirects" on a Cisco IOS interface, or net.ipv4.conf.all.send_redirects=0 on a Linux router). With redirects disabled, every packet from Panorama passes through the DG, which forwards it along whichever route is currently valid, so a later route change on the DG takes effect immediately. The trade-off is that the DG then carries traffic it could otherwise have steered directly to router1 or router2.
 


Source: https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000boSF&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail