Consul and Palo Alto Firewall

We are setting up a Consul cluster in a public cloud, but we are required to have multiple networks, so our Palo Alto firewall connects the networks together. The hub network has the Consul servers; however, any instance created in a spoke network initially connects to the Consul servers, then loses the connection and hits a TCP timeout. The ports are all open on the instances, firewall, network, etc., and because of the initial connection we know that the firewall isn’t blocking the port.
Does anyone know why a firewall would block the traffic on 8300-8302 (TCP/UDP)? We can have it connect if we directly peer the networks via the public cloud's own methods, but we have to have the traffic go through the firewall for security/compliance reasons.

Summary:
Consul can connect across peered networks.
Consul briefly connects, then loses the connection when connected across a Palo Alto VM-Series instance.

We solved the issue. Jumbo frames weren’t enabled for our network. It seems Consul was using the max MTU and the firewall was breaking it apart.

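The resolution above points at an MTU mismatch: the instances sent frames at their interface MTU, but the path through the firewall could not carry frames that large. The quickest way to confirm that before touching Consul is to measure the path MTU between a spoke instance and a hub Consul server and compare it with the interface MTU. The script below is an added example, not code from the original thread or from HashiCorp; it assumes a Linux host with iputils `ping` (the `-M do` flag sets the Don't Fragment bit) and takes the target host from an environment variable `PMTU_TARGET`, a name chosen here for illustration.

```shell
#!/usr/bin/env sh
# Path-MTU check for a Consul client/server pair separated by a firewall.
# Added example (not from the original post). Assumes Linux iputils ping.
# IPv4 ICMP echo: payload = MTU - 20 (IP header) - 8 (ICMP header).

icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

mtu_for_icmp_payload() {
    echo $(( $1 + 28 ))
}

# probe_pmtu HOST [LO] [HI]
# Binary-search the largest ICMP payload that crosses the path with DF set,
# then convert it back to an MTU. Frames larger than this are fragmented or
# dropped somewhere between the two hosts (here: at the firewall).
probe_pmtu() {
    host=$1
    lo=${2:-$(icmp_payload_for_mtu 1280)}   # IPv6 minimum, a safe floor
    hi=${3:-$(icmp_payload_for_mtu 9001)}   # common cloud jumbo-frame MTU
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 1 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    mtu_for_icmp_payload "$best"
}

# interface_mtu IFACE : read the local interface MTU from sysfs.
interface_mtu() {
    cat "/sys/class/net/$1/mtu"
}

# check_mtu_consistency IFACE_MTU PATH_MTU
# Prints OK when the interface never emits a frame larger than the path
# accepts, MISMATCH otherwise (the situation described in the thread).
check_mtu_consistency() {
    if [ "$1" -le "$2" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Only probe the network when a target is supplied, e.g.
#   PMTU_TARGET=consul-server.hub.internal IFACE=eth0 sh pmtu_check.sh
if [ -n "${PMTU_TARGET:-}" ]; then
    iface=${IFACE:-eth0}
    local_mtu=$(interface_mtu "$iface")
    path_mtu=$(probe_pmtu "$PMTU_TARGET")
    echo "interface $iface MTU: $local_mtu"
    echo "path MTU to $PMTU_TARGET: $path_mtu"
    echo "result: $(check_mtu_consistency "$local_mtu" "$path_mtu")"
fi
```

A MISMATCH result means the fix is either to enable jumbo frames end to end (interfaces, cloud network and firewall) or to lower the instance MTU to the measured path MTU; either way the two numbers must agree before Consul's RPC and gossip traffic on 8300-8302 will stay up.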

Hi @twmcelroy,

Thank you so much for your post, as well as the resolution! I hope this helps others out there who run into this same issue 🙂

Best,
Jono