I have a session scheduled with the Firewall Support team. They are going to want to prove that the Next Hop IP address responds to pings. I have set up an EC2 instance which is able to ping my remote LAN without a problem, but it too can't ping the Inside IP address for the tunnel. Any idea how I can confirm that the 169.254.x.x address assigned to the VPN will respond to a ping?
All my testing can only conclude that the 169.254.x.x Inside IPs assigned by AWS no longer respond to pings.
At one time they must have been pingable, and at some point they no longer were, because the setup documentation currently provided when clicking "Download Configuration" (which gives guidance on setting up the customer gateway device) has a bunch of instructions to use the peer 169.254.x.x IP address for failover detection, specifically the documentation for Palo Alto firewalls.
Whether this is Static Route Path Monitoring, Policy Based Forwarding, or Tunnel Monitoring, they all rely on the ability to ping the other Inside IP for connectivity detection.
I now know more about Routing, Firewall Config, and AWS VPC than I ever wanted to know.
Two options:
- Re-establish the ability to ping the Internal IP so that the documentation provided works
- Update the documentation so not to mislead people and waste countless hours
Hoping someone smarter than me has a recommendation
The Next Hop logic in the FW uses the egress interface to generate the ping (which is a 169.254.x.x network). I don't expect that the private IP address inside the tunnel would be able to ping an IP address on my LAN without some routing.
Can someone from AWS confirm whether or not the Inside IP address should be able to be pinged by the other Inside IP gateway on the other side of the connection?
This is pretty critical for Peer detection and adjustments to Static/Policy Based Routing automation...
I am not sure if anyone can see my post. I've been talking with myself.
Since I couldn't get Static Route based monitoring to work, I decided to try Dynamic BGP. I ran into the same issue again.
The AWS troubleshooting document says: "If the configuration settings are correct, then ping the remote BGP peer IP from your local BGP peer IP to verify the connectivity between BGP peers." See https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-bgp-vpn/
I wasn't able to ping 169.254.x.x addresses before, so I don't know how this is supposed to work any better.
Is anyone able to help? Should I be able to ping 169.254.x.x internal IPs on the gateways? So far I haven't been able to, and I wonder if the AWS documentation is out of date.
Well. After a month of troubleshooting, I am finally able to get a ping response from the AWS gateway. Of course it was a local firewall issue.
For anyone else who runs into this, check your Zone Protection profile on Palo Alto.
PA has a zone protection policy which discards link-local IPs, and it must be disabled.
Be sure to disable Strict IP Address Check.
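The thread's resolution comes down to one fact: AWS inside tunnel addresses are carved from the IPv4 link-local block 169.254.0.0/16, and a packet-based protection such as PAN-OS "Strict IP Address Check" silently drops traffic in that block, so tunnel monitoring that pings the peer inside IP never sees a reply. The following Python is an added pre-flight check, not code from the original post or from AWS or Palo Alto; it takes the inside CIDRs from a downloaded VPN configuration, confirms that each local/peer pair sits in the same /30 as the other usable host, and flags every pair that a link-local drop rule would block before the firewall vendor session. The tunnel addresses below are constructed sample values, and the function name `check_tunnel_pair` and the "link-local only" drop model are this example's own assumptions (the real feature may discard further address classes).

```python
import ipaddress

# Constructed sample: local inside IP (with the /30 AWS assigns) and the peer
# inside IP, as they appear in a "Download Configuration" file. Hypothetical values.
SAMPLE_TUNNELS = [
    {"name": "tunnel-1", "local": "169.254.10.1/30", "peer": "169.254.10.2"},
    {"name": "tunnel-2", "local": "169.254.20.5/30", "peer": "169.254.20.6"},
    # Deliberately wrong peer: not the other host of the local /30.
    {"name": "tunnel-3", "local": "169.254.30.9/30", "peer": "169.254.31.10"},
    # Non link-local pair, to show a case the strict check would not drop.
    {"name": "gre-lab",  "local": "10.200.0.1/30",   "peer": "10.200.0.2"},
]


def dropped_by_link_local_filter(ip: str) -> bool:
    """Assumed drop model: a 'strict IP address' style rule discards any packet
    whose source or destination is in 169.254.0.0/16. Only that rule is modelled."""
    return ipaddress.ip_address(ip).is_link_local


def check_tunnel_pair(local_cidr: str, peer_ip: str) -> dict:
    """Validate one inside-IP pair and say whether peer pings would survive the filter.

    Returns a dict with:
      same_subnet     - peer lies inside the local /30
      peer_is_other   - peer is the one other usable host of that /30
      link_local      - both ends are in 169.254.0.0/16 (expected for AWS VPN)
      ping_blocked    - the monitoring ping would be discarded by the modelled rule
    """
    local_iface = ipaddress.ip_interface(local_cidr)
    subnet = local_iface.network
    peer = ipaddress.ip_address(peer_ip)

    other_hosts = {h for h in subnet.hosts()} - {local_iface.ip}
    link_local = local_iface.ip.is_link_local and peer.is_link_local
    return {
        "same_subnet": peer in subnet,
        "peer_is_other": peer in other_hosts,
        "link_local": link_local,
        "ping_blocked": dropped_by_link_local_filter(str(local_iface.ip))
                        or dropped_by_link_local_filter(peer_ip),
    }


def report(tunnels=SAMPLE_TUNNELS) -> list:
    """Run the check over every tunnel and return (name, findings, verdict) rows."""
    rows = []
    for t in tunnels:
        f = check_tunnel_pair(t["local"], t["peer"])
        if not f["peer_is_other"]:
            verdict = "peer IP is not the other host of the local /30: fix config"
        elif f["ping_blocked"]:
            verdict = "link-local pair: exempt it from the zone's strict IP drop or monitoring fails"
        else:
            verdict = "ok"
        rows.append((t["name"], f, verdict))
    return rows


if __name__ == "__main__":
    for name, findings, verdict in report():
        print(f"{name}: {findings} -> {verdict}")
```

Run it against the inside CIDRs from your own configuration file; a row marked "link-local pair" is exactly the situation in this thread, where the addressing is correct but the zone protection profile needs an exception before tunnel monitoring, static-route path monitoring or the BGP peer ping from the AWS troubleshooting article can work.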