A few subnets not reaching the L3OUT, i.e. the firewall

Nitesh_A
Level 1

Hi All,

This is not a new setup, but currently we are doing a migration of one of our L3OUT firewalls. The old one is a Cisco ASA and we are migrating to a Palo Alto firewall. Post migration, a couple of our subnets which are supposed to be advertised externally are not being advertised. Between the PA firewall and the leaf node we have OSPF running and the OSPF neighborship is established. We have the issue with only 2 subnets.

I have checked the following:

1. Though this is not a new setup and the issue is with only 2 subnets, I still checked the BGP and Route Reflector config, which looks good.

2. In the subnet section under the BD, Scope is set to "Advertise Externally" and I see the L3OUT is present under "Associated L3OUT". Unicast Routing is enabled. L2 Unknown Unicast: Hardware Proxy.

3. I have a contract in place associated with the EPG as well as the L3OUT.

Someone please advise.

Thank you

1 Reply

AshSe
Level 3

Hey Nitesh,

Here are some steps and considerations to help you troubleshoot the issue with the two subnets not being advertised externally after migrating to the Palo Alto Firewall:

Issue: Subnets Not Being Advertised Externally Post Firewall Migration

Details:

  1. Old Firewall: Cisco ASA
  2. New Firewall: Palo Alto Firewall
  3. Routing Protocol: OSPF between Palo Alto Firewall and Leaf Node
  4. Symptoms: Two specific subnets are not being advertised externally.

Troubleshooting Steps:

  1. Verify OSPF Configuration:

    • Ensure that the OSPF configuration on the Palo Alto Firewall is correct and matches the configuration on the leaf node.
    • Check OSPF area types and ensure that the subnets in question are included in the OSPF advertisements.
    • Verify that OSPF is not filtering these subnets. Check for any route filters or prefix lists that might be preventing these subnets from being advertised.
  2. Check OSPF Route Redistribution:

    • Ensure that the subnets are being correctly redistributed into OSPF on the Palo Alto Firewall.
    • Verify the redistribution policies on both the Palo Alto Firewall and the leaf node to ensure that the subnets are being advertised as expected.
  3. Inspect Palo Alto Firewall Policies:

    • Check the Palo Alto Firewall's security and NAT policies to ensure that there are no rules inadvertently blocking or affecting the advertisement of these subnets.
    • Ensure that the firewall is not performing any route filtering that could prevent these subnets from being advertised.
  4. Review ACI Configuration:

    • Double-check the Bridge Domain (BD) configuration to ensure that the subnets are correctly associated with the L3OUT.
    • Verify that the "Advertise Externally" scope is correctly set for these subnets and that unicast routing is enabled.
    • Ensure that the L3OUT configuration is correct and that there are no misconfigurations that could affect the advertisement of these subnets.
  5. Check Contracts and EPGs:

    • Ensure that the contracts associated with the EPGs and L3OUT are correctly configured and that there are no issues with the contract rules that could affect the advertisement of these subnets.
    • Verify that the EPGs are correctly associated with the subnets and that there are no misconfigurations in the EPG settings.
  6. Inspect Route Reflector Configuration:

    • Although you mentioned that the BGP and Route Reflector configuration looks good, double-check to ensure that there are no issues with the route reflectors that could affect the advertisement of these specific subnets.
    • Verify that the route reflectors are correctly reflecting the routes for these subnets.
  7. Check Palo Alto Firewall Logs:

    • Review the Palo Alto Firewall logs to see if there are any errors or warnings related to OSPF or route advertisements.
    • Look for any indications that the subnets are being filtered or blocked by the firewall.
  8. Perform Route Tracing:

    • Use tools like traceroute or ping to trace the path of the traffic for these subnets and identify where the advertisement might be failing.
    • Check the routing tables on both the Palo Alto Firewall and the leaf node to ensure that the routes for these subnets are present and correct.

Next Steps:

  1. Verify OSPF and Redistribution:

    • Ensure that the OSPF configuration and route redistribution policies are correct on both the Palo Alto Firewall and the leaf node.
  2. Review Firewall Policies:

    • Check the Palo Alto Firewall's security and NAT policies to ensure that there are no rules affecting the advertisement of these subnets.
  3. Double-Check ACI Configuration:

    • Confirm that the BD, L3OUT, and EPG configurations are correct and that there are no misconfigurations affecting these subnets.
  4. Inspect Logs and Perform Tracing:

    • Review the firewall logs and perform route tracing to identify where the advertisement might be failing.
  5. Engage Vendor Support:

    • If the issue persists, consider reaching out to Palo Alto Networks and Cisco support for further assistance. Provide them with detailed logs and configuration information to expedite the troubleshooting process.
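The ACI-side checks in step 4 above (subnet scope "Advertise Externally", unicast routing enabled, BD associated with the L3OUT) can be audited across all bridge domains from one APIC class query instead of clicking through each BD. The script below is an added example, not from the original post or from Cisco; it parses a constructed sample of the JSON that `GET /api/node/class/fvBD.json?rsp-subtree=children&rsp-subtree-class=fvSubnet,fvRsBDToOut` returns (the tenant, BD, subnet and L3OUT names are made up) and reports every BD that fails one of those conditions.

```python
"""Audit ACI bridge domains for the settings a subnet needs before it can be
advertised through an L3OUT: fvSubnet scope contains "public" (the GUI's
"Advertise Externally"), fvBD unicastRoute is "yes", and an fvRsBDToOut
pointing at the expected L3OUT exists. The APIC response below is
constructed for this example, not captured from a real fabric."""
import json

SAMPLE_APIC_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-BD_App", "name": "BD_App",
                                 "unicastRoute": "yes", "unkMacUcastAct": "proxy"},
                  "children": [
                      {"fvSubnet": {"attributes": {"ip": "10.10.10.1/24", "scope": "public"}}},
                      {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "L3OUT_PA"}}}]}},
        {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-BD_DB", "name": "BD_DB",
                                 "unicastRoute": "yes", "unkMacUcastAct": "proxy"},
                  "children": [
                      {"fvSubnet": {"attributes": {"ip": "10.10.20.1/24", "scope": "private"}}}]}},
    ],
})


def audit_bds(apic_json: str, expected_l3out: str) -> dict:
    """Return {bd_name: [findings]}; an empty list means the BD's subnets
    satisfy every condition for advertisement via expected_l3out."""
    report = {}
    for item in json.loads(apic_json)["imdata"]:
        bd = item["fvBD"]
        attrs = bd["attributes"]
        children = bd.get("children", [])
        findings = []
        if attrs.get("unicastRoute") != "yes":
            findings.append("unicast routing disabled")
        # Associated L3OUTs are modelled as fvRsBDToOut relations under the BD
        l3outs = {c["fvRsBDToOut"]["attributes"]["tnL3extOutName"]
                  for c in children if "fvRsBDToOut" in c}
        if expected_l3out not in l3outs:
            findings.append(f"BD not associated with L3OUT {expected_l3out}")
        for child in children:
            if "fvSubnet" not in child:
                continue
            sub = child["fvSubnet"]["attributes"]
            # scope is a comma-separated list, e.g. "public,shared"
            if "public" not in sub.get("scope", "").split(","):
                findings.append(f"subnet {sub['ip']} scope {sub.get('scope')!r} is not Advertise Externally")
        report[attrs["name"]] = findings
    return report


if __name__ == "__main__":
    for bd, issues in audit_bds(SAMPLE_APIC_RESPONSE, "L3OUT_PA").items():
        print(bd, "OK" if not issues else issues)
```

Against a live fabric, replace `SAMPLE_APIC_RESPONSE` with the body of the class query above (APIC cookie-based authentication is required and is not shown here).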