Post by Gowtham M
Palo Alto & Prisma Expert | Network Security Specialist | Security Delivery Team Lead | Creator of Troubleshooting Playbook & Interview Master Guide | DM me for Palo Alto Documents
š§šµš² ššš£ "š¢š»š²-šŖš®š š¦ššæš²š²š" š§šæš®š½ šššæš¶š»š“ š® š£š®š¹š¼ šš¹šš¼ š š¶š“šæš®šš¶š¼š» š A branch migration looked perfect on paper. ā IPsec Tunnel: UP ā BGP Session: ESTABLISHED ā Spoke ā Hub Traffic: Working But there was one problem... ā Hub ā Spoke Traffic: Completely Broken The spoke firewall was advertising its local networks, and "show routing protocol bgp rib-out" confirmed the routes were being sent. Yet the Hub firewall never learned a single prefix. š§šµš² šš¶š±š±š²š» ššš¹š½šæš¶š š During the migration, the new Palo Alto firewall was configured with Local-AS to maintain BGP adjacency using the legacy router's ASN. What many engineers don't realize is that, by default, Palo Alto may advertise routes with both: ā¢ The configured Local ASN ā¢ The firewall's actual System ASN When the Hub receives the route advertisement and detects its own ASN within the AS-Path, it assumes a routing loop and silently rejects the route. No BGP flaps. No alarms. No obvious errors. Just missing routes. š§šµš² šš¶š š ļø Modify the BGP Peer Local-AS behavior: Network ā Virtual Router ā BGP ā Peer Group ā Peer ā Local-AS Change the mode to: ā Replace-AS (Recommended) ā No-Prepend This ensures only the expected ASN is advertised, preventing AS-Path loop detection on the Hub. Within seconds, the Hub accepts the routes and full bidirectional communication is restored. šš²š šš²ššš¼š» š A BGP session being established does not guarantee route exchange. Always verify: ā Received Routes ā Advertised Routes ā AS-Path Attributes ā Local-AS Behavior Sometimes the tunnel is healthy, BGP is up, and the real problem is hiding inside the AS-Path. #PaloAltoNetworks #BGP #NetworkSecurity #Routing #FirewallMigration #IPSec #NetworkEngineering #PANW #Troubleshooting #DataCenter