PA-VM network setting in VirtualBox?

prenatip
Posts: 3
Joined: 18. Jul 2018, 16:12

Post by prenatip »

Here is my basic network topology.

1. Linux Client (PC01)
2. Palo Alto Firewall (PA-VM)

Both are configured with 2 interfaces enabled in VirtualBox:

Adapter 1: Host-only. This is for the out-of-band management interface.
Adapter 2: Internal Network. This is for actual communication between PC01 and PA-VM.

I have no issue at all with the Adapter 1 setting. It's working as expected.

user@PC01:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A1 
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A2
          inet addr:10.1.1.110  Bcast:10.1.1.255  Mask:255.255.255.0
user@PC01:~$

Ping using Adapter 1

user@PC01:~$ ping -c 3 192.168.56.254
PING 192.168.56.254 (192.168.56.254): 56 data bytes
64 bytes from 192.168.56.254: seq=0 ttl=64 time=0.770 ms
64 bytes from 192.168.56.254: seq=1 ttl=64 time=0.554 ms
64 bytes from 192.168.56.254: seq=2 ttl=64 time=0.855 ms

--- 192.168.56.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.554/0.726/0.855 ms
user@PC01:~$

Ping using Adapter 2

user@PC01:~$ ping -c 3 10.1.1.254    
PING 10.1.1.254 (10.1.1.254): 56 data bytes

--- 10.1.1.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
user@PC01:~$

tcpdump from Adapter 2 test

The tcpdump output from PC01 shows that the VM firewall is completely unreachable even though they're (supposed to be) connected back to back in the same network segment.

user@PC01:~$ sudo tcpdump -i any net 10.1.1 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:39.981377 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:40.985748 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
21:49:40.985763 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
21:49:40.985766 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92

The incomplete ARP entry on eth1 shows the packet actually doesn't reach PA-VM at all.

user@PC01:~$ arp -i eth1
? (10.1.1.254) at <incomplete>  on eth1
user@PC01:~$

I also notice that the MAC address on PA-VM (ethernet1/1 = zz:zz:zz:zz:zz:z1) doesn't match what I have in the ARP table on PC01 (incomplete). The one that I set in VirtualBox was AA:AA:AA:AA:AA:A2, not ZZ:ZZ:ZZ:ZZ:ZZ:Z1.

admin@PA-VM> show interface all 

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address       
--------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              zz:zz:zz:zz:zz:z1 

aggregation groups: 0


total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address           
                              
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0      10.1.1.254/32     

admin@PA-VM>

This explains why I cannot ping using the secondary interface (Adapter 2) at all. It seems like there is a Layer 1 problem.

For the record, I was able to use the same VirtualBox setting on 2 Linux guests. May I know why the same setting doesn't work on PA-VM? Any idea how to make Layer 1 communication successful in VirtualBox?

This is the screenshot of my VirtualBox network setting.

I'll post the screenshot tomorrow as I've just joined this forum.
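
The ARP check done by eye on the capture above, as an added example that is not part of the original post: it reads tcpdump text output and reports which who-has requests never received an is-at reply. The function name, the second capture and its MAC address are constructed for contrast.

```python
import re
from collections import defaultdict

# tcpdump prints ARP as "ARP, Request who-has <ip> tell <ip>" and
# "ARP, Reply <ip> is-at <mac>"; some versions add "(<mac>)" or "(oui ...)".
REQ = re.compile(r"ARP, Request who-has (\S+?)(?: \([0-9a-f:]+\))? tell ", re.I)
REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)


def arp_summary(lines):
    """Return (resolved, unanswered) for a tcpdump text capture.

    resolved:   {ip: mac} for addresses that answered with is-at
    unanswered: {ip: request_count} for who-has targets with no reply
    """
    requests = defaultdict(int)
    resolved = {}
    for line in lines:
        m = REQ.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REP.search(line)
        if m:
            resolved[m.group(1)] = m.group(2).lower()
    unanswered = {ip: n for ip, n in requests.items() if ip not in resolved}
    return resolved, unanswered


# Lines copied from the capture in the post.
POST_CAPTURE = """\
21:49:38.979460 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:39.981377 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:49:40.985748 IP 10.1.1.110 > 10.1.1.110: ICMP host 10.1.1.254 unreachable, length 92
""".splitlines()

# Constructed capture: what a working segment would look like (MAC is made up).
WORKING_CAPTURE = """\
21:50:01.000100 ARP, Request who-has 10.1.1.254 tell 10.1.1.110, length 28
21:50:01.000450 ARP, Reply 10.1.1.254 is-at 08:00:27:00:00:01, length 28
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("post", POST_CAPTURE), ("working", WORKING_CAPTURE)):
        resolved, unanswered = arp_summary(cap)
        print(name, "resolved:", resolved, "unanswered:", unanswered)
```

An unanswered who-has only shows that no reply came back to PC01; it does not tell whether the request was delivered to the other guest, so the same capture on the receiving side is the complementary check.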