Forum Discussion

dkjones21
Feb 28, 2023

Big-IQ Network Issues

Weird issue

Our networking team migrated our Palo Alto FW out of the datacenter, but kept the configurations/rules/etc. the same. However, after the migration we have been seeing weird network issues.

Environment: F5 Big-IQ HA pair. Inline, so all servers/services using the F5 use it as a gateway on a private IP address. All services use SNAT.

For external public subnets, the Palo Alto is their gateway.

After the move we can initiate and establish sessions with servers behind the F5. Services and server access are normal and we can use them as advertised. However, some servers require an external authentication system (CAS), and the server behind the F5 cannot initiate a connection to that server. During troubleshooting, we realized that the servers could not ping the gateway. Our networking team sees route neighboring between the F5, HP switch and Palo Alto. We can ping and access HTTP between systems on the private subnet, so it is not an issue with the servers.

Also, we had not made any changes to the F5 in the days prior to the FW migration, and the only change since has been to reboot the F5 HA pair.

Any suggestions on where to start looking in the F5 to see what may be causing the problem?

2 Replies

  • dkjones21, on the F5 that is active in the HA pair I would run the following tcpdump.

    tcpdump -nni 0.0:nnp host <destination_IP> and port <destination_port>

    Once the traffic leaves the F5 and goes directly to the Palo Alto, I would perform a capture on it to ensure your traffic is indeed making it for the specific destination in question. If another gateway sits between you and the Palo Alto, I would run a capture on it as well to validate that the traffic is moving on its way to the Palo Alto. You are essentially doing this to ensure that each device in the path is passing the communication on correctly to the destination, so you can figure out what is dropping it.
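To make the hop-by-hop capture comparison quicker, here is an added helper (not from the reply above or from F5) that parses `tcpdump -nn` console output and lists client SYNs that never got a SYN/ACK back. Repeated SYNs on the same 4-tuple with no answer in a capture taken on a given hop point at a drop somewhere past that hop; the capture text below is constructed sample output, not a real trace.

```python
import re

# Constructed sample of `tcpdump -nn` console output (not a real capture).
# Flow 1 completes a handshake; flow 2 only retransmits SYNs toward the CAS host.
SAMPLE = """\
12:00:01.000101 IP 10.10.1.5.44312 > 203.0.113.10.443: Flags [S], seq 1000, win 29200, length 0
12:00:01.000950 IP 203.0.113.10.443 > 10.10.1.5.44312: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.001200 IP 10.10.1.5.44312 > 203.0.113.10.443: Flags [.], ack 1, win 229, length 0
12:00:02.000101 IP 10.10.1.7.50110 > 198.51.100.20.8443: Flags [S], seq 2000, win 29200, length 0
12:00:03.000101 IP 10.10.1.7.50110 > 198.51.100.20.8443: Flags [S], seq 2000, win 29200, length 0
12:00:05.000101 IP 10.10.1.7.50110 > 198.51.100.20.8443: Flags [S], seq 2000, win 29200, length 0
"""

# Matches the IPv4/TCP line shape tcpdump prints with -nn (no name resolution).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_unanswered_syns(text):
    """Map (client, cport, server, sport) -> number of SYNs seen, keeping only
    flows for which no SYN/ACK ever came back in this capture."""
    syns = {}
    answered = set()
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":  # bare SYN from the client side
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            syns[key] = syns.get(key, 0) + 1
        elif "S" in p["flags"] and "." in p["flags"]:  # SYN/ACK, reverse direction
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {k: v for k, v in syns.items() if k not in answered}


if __name__ == "__main__":
    for (c, cp, s, sp), n in find_unanswered_syns(SAMPLE).items():
        print(f"{c}:{cp} -> {s}:{sp}: {n} SYN(s), no SYN/ACK seen")
```

Run it against the output of the reply's tcpdump on each hop in turn; the first hop whose capture shows the SYNs but none of the later hops do is the one to look at.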

  • Hi dkjones21,

    The first step is to validate the correct communication with the external authentication system (CAS). Normally routers block ping, but you can try with telnet to the URL of the CAS service; if this doesn't work, ask the firewall team to review whether the traffic to this URL is blocked.

    Additionally, you probably have to add a route to reach the firewall if you don't have it configured yet.

    Hope it works.