FAQ-Why Is the Interface IP Address of the Root Firewall Unreachable Through a Virtual Firewall

Publication Date: 2015-07-02
Issue Description
As shown in the following figure, why does a ping test from address to address fail?

The Versatile Routing Platform (VRP) generates routes to multiple virtual firewalls, each of which has a route between the interface IP address and the firewall. Because these routes are identified by virtual firewalls, you cannot query root routes on vrf1 or configure routes to the firewall itself (that is, the next hop of the route is

When you ping from, you can find the outbound interface and next-hop address based on the configured route. can ping because the device at IP address exists. When the firewall pings from, you can find a vrf1 route that is identical to the previous one. Therefore, the firewall sends ARP packets based on the outbound interface and next-hop address; however, no other device at is available. Therefore, cannot ping through

To ping the interface at from, add one route (destination IP address and next-hop address to vfw1; however, the next-hop address of the route cannot be set to Therefore, vfw1 cannot generate routes to the interface IP addresses of other virtual firewalls or root firewall.